by Laura Fannin , John Deignan March-27-2020 in Commercial & Business, Data Protection, COVID-19

The Data Protection Commission (“DPC”) recently published two guidance notes in relation to (1) Data Protection and COVID-19 and (2) Protection of personal data when working remotely. Below, we summarise the main points which emerge from the two DPC guidance notes. In these uncertain times, it is worthwhile for businesses to take stock of the areas where public health and data protection overlap, as part of their contingency planning and actions.


1. DPC Guidance Note: Data Protection and COVID-19

This guidance note is available here.



The guidance note acknowledges that organisations are taking necessary steps “to contain the spread and mitigate the effects of COVID-19...”,  and it states in unequivocal terms that “data protection law does not stand in the way of the provision of healthcare and the management of public health issues”.

Notwithstanding the above, the guidance note goes on to reiterate that there are important considerations which organisations ought to take into account when handling personal data in these contexts, particularly in the context of personal data relating to health and other sensitive data. In this context, the DPC issues a reminder to organisations handling personal data that “measures taken in response to COVID-19 involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.”

The DPC is highlighting that organisations must continue to adhere to the principles of data protection by adopting the appropriate measures; and that such measures should be necessary and proportionate.


Processing of Personal Data

The guidance note explains that where organisations are acting on the guidance or directions of public health authorities, it is likely that Article 9(2)(i) GDPR (Section 53 of the Data Protection Act 2018) will be engaged. Article 9(2) (i) permits the processing of special category/health data by organisations where it is “necessary for reasons of public interest in the area of public health”.  However, the guidance note goes on to caution that organisations need to ensure that suitable safeguards are implemented in tandem with such processing. Such safeguards include organisations:

  • Acting in a transparent manner vis-à-vis the personal data they collect in the COVID-19 context, to include the purpose of such personal data collection and how long the personal data will be retained.
  • Adhering to the principle of confidentiality in a way that ensures the security of the personal data, in particular where health data is concerned. Further, the DPC warns that the identity of affected individuals should not be disclosed to third parties or to their colleagues without a clear justification.
  • Ensuring that only the minimum amount of necessary data is processed to achieve the objective of taking adequate measures to combat the propagation of COVID-19.
  • Documenting any decision-making process which concerns implementing measures dealing with COVID-19 and which involves the processing of personal data.

The guidance note also draws organisations’ attention to the fact that employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.

Finally, the guidance note goes on to provide responses to queries which have been raised with the DPC by organisations. Organisations may find it instructive to review this “Q&A” section of the article as they may find that they are dealing with similar issues.



The overriding message from the DPC’s guidance note is that data protection does not stand in the way of the provision of healthcare and management of public health issues. Organisations need to be cognizant of this, but also of the issues which arise in the context of dealing with sensitive personal data. The Q & A section of the DPC’s guidance note should prove particularly helpful to organisations, particularly where they are dealing with suspected and/or confirmed cases of COVID-19 among their cohort of employees or other staff.


2. DPC Guidance Note: Protecting Personal Data when Working Remotely

The guidance note is available here.



This guidance note provides practical advice on measures to be considered in the context of remote working.

The most salient issue contained in the guidance note is that organisations should adopt appropriate measures to ensure that personal data is kept safe and secure. In order to achieve this, the DPC provides practical advice which includes the following recommendations and warnings:



  • That all devices used for the purposes of working remotely are installed with the relevant updates and protections as would be expected in an office setting.
  • That effective access controls (such as multi-factor authentication and strong passwords), and where possible, encryption be adopted to reduce risk.



  • That applicable policies regarding the use of email should be followed when working remotely, and that work email accounts ought to be used for work-related emails containing personal data.


Cloud and Network Access

  • That remote workers should only avail of their organisation’s trusted or cloud services and to ensure that locally stored data is backed up in a secure and safe manner.


Paper Files

  • That data protection applies not only to electronically stored or processed data, but also to personal data in manual form (such as paper records) where it is, or is intended to be, part of filing system. In this regard, where staff are working remotely using paper records and/or files, the DPC recommends the following:
    • To ensure the safety and confidentiality of such records, for example by keeping them in a locked filing cabinet when not being used.
    • When dealing with records that contain special categories of data, only to remove such records from a secure location when strictly necessary.



Organisations may find this guidance useful as working remotely becomes more embedded, both in the context of COVID-19 and beyond, in conjunction with the ongoing measures that they have taken over the last number of weeks.


For further information, please contact Laura Fannin:  or John Deignan:





Back to Full News