By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
Amid the COVID-19 pandemic, what is a business to do when managing survival operations: financial survival, employee retention and mandated data privacy obligations in respect of data subject rights, such as data access requests (DAR)? Do they just say to heck with it, pack it up and see you on the other side? The answer to the latter question: privacy laws still apply; they are not a barrier to appropriate and necessary information sharing.
During the COVID-19 pandemic, businesses may be unsure whether their data privacy and data protection obligations have become secondary. Many Data Protection Authorities, the European Data Protection Board, the U.S. Equal Employment Opportunity Commission and the U.S. Department of Health and Human Services have published, on their respective websites, guidance and answers to questions related to the processing of personal information, including sensitive personal health information.
GDPR Article 9(2)(i) allows the processing of special categories of personal data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
According to Andrea Jelinek, Chair of the European Data Protection Board (EDPB), “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
But what about mandated obligations for responding to data access requests? The laws and regulations already stipulate time frames for responding to data access requests and, where needed, allow an extension to be requested. The GDPR provides for an extension of two months to respond to a request where necessary, taking into account the complexity and number of requests.
As stated by Ireland’s Data Protection Commission, “While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19. Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.”
The United Kingdom’s Information Commissioner’s Office (ICO) stated that they “recognise the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic.” The ICO’s response to a concern and question posed by a business, “… we are worried that our data protection practices might not meet our usual standards or our response to information rights requests will be longer. Will the ICO take regulatory action against us?”, was as follows:
“No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
The California Consumer Protection Act (CCPA) under §1798.130 allows a one-time 45-day extension for the right to know and the right to delete “when reasonably necessary”, as long as the individual is notified of the extension within the first 45 days of receipt of the request.
As a matter of best practice, continue to adhere to the privacy laws, including data subject rights such as data access requests. If an extension is needed or you are unable to respond to an access request, then (1) communicate with the individuals concerned about the handling of their request, including any extension of the period for responding, the reasons for the delay or for being unable to respond, and when you will be able to provide a response; (2) provide the individual with contact information where they can ask questions, lodge a complaint, or seek a judicial remedy in light of a non-response; and (3) document your reasons for not complying with the timelines and record that these reasons have been clearly communicated to the individuals concerned.