helping charities helping people


You are not signed in. What would you like to do?


Manage your account

Hello ! You are signed in. What would you like to do?

Your Account
Data Protection - Data Protection

Data protection in the time of coronavirus

Debbie Ashenhurst, Partner at Wilsons Solicitors LLP

As I write, we are three days into the UK's coronavirus lockdown and the possibility of it being lifted within three weeks seems remote.  My remit for this article was to write about data sharing by organisations with their related charities but first let me offer a little guidance and reassurance about how data protection law will impact upon the challenges that ACO members might face as a result of the current pandemic.  


The Information Commissioner's Office (the ICO) has acknowledged that during the pandemic organisations may be unable to meet their usual standard of GDPR compliance or respond to information rights requests within the statutory timescales.  The benevolent regulator that it is, the ICO has confirmed that:

We won't penalise organisations that we know need to prioritise other areas or adapt their usual approach to this extraordinary period.

This is not an invitation to ignore all data protection requirements, however, and the ICO reminds us that:

  • Where staff are working from home, they should still be subject to similar security measures as in normal circumstances, even if they are using their own devices and communications equipment;
  • If you need to inform staff about cases of Covid-19 in your organisation, you should minimise the information you share and anonymise it wherever possible.

The fundamentals of the GDPR remain unchanged.  You still need to:

  • comply with the six data protection principles;
  • identify a lawful basis for your processing of personal data; and
  • identify a condition for your processing of health data.

Now would be a good time to review your privacy notices, policies and procedures including by undertaking data protection impact assessments where necessary and ensuring your records are up to date and accurate.

Data sharing

Many ACO members are charities created by parent institutions to benefit the parents' members.  Whatever legal form such a charity takes, unless its activities are conducted entirely within the parent organisation, the charity will likely be regarded by the ICO as a separate entity undertaking its own data processing activities.  Each charity needs to consider two questions before it can establish what the GDPR requires of it.

  1. Is it a data processor (purely processing data on behalf of the parent organisation) or is it a data controller (which processes data on its own behalf and determines - alone or jointly with the parent organisation - the purposes and the means of the processing)?
  2. If the charity is a controller, is it a joint controller with the parent organisation (where the parent exerts influence over the processing for its own purposes) or an entirely separate controller?

The answers to these questions will determine the obligations of the charity and the documentation that should govern its relationship with the parent organisation for data protection purposes.

A charity which is a mere processor will need a written agreement with the parent organisation containing specified 'processor terms' but its data protection obligations will be fairly limited.

A charity which is a controller will have more extensive data protection obligations.  In addition, if it is a joint controller with the parent organisation it will need to come to an arrangement regarding their respective responsibilities for complying with the GDPR, particularly in relation to the provision of privacy information to data subjects (most commonly in the form of a privacy notice) and responding to information rights requests.

A charity which is a separate controller does not strictly need a data sharing agreement with its parent organisation but it may be prudent to have one.

In practice, most charities will be controllers in their own right of which only some will be joint controllers and fewer still being processors.  As ever, this determination will require close consideration of the types of personal data being shared, the purposes of the sharing and the respective roles of charity and parent organisation in deciding why and how the processing takes place.

If any of you find that you have time on your hands due to the government lockdown, now is the perfect time to think about tricky issues like these that are festering in your inbox.  Good luck and stay well!