Data Protection considerations under the Covid-19 pandemic
The current lockdown throws up some potential issues around data protection, in respect of both general customer data and employee information.
As both a business advisor and a GDPR practitioner and Data Protection Officer, I have tried to outline a few tips that will hopefully be useful in dealing with the current situation from a data protection point of view, as well as from a business perspective. With large numbers of people working from home, businesses need to be aware that this inevitably increases the risk of tripping over the regulations or causing a data breach. In either case, such events can not only be expensive but could also lead to serious reputational damage.
Broadly I would divide this into three areas:
Compliance
Data security
Employee data & return to work
Compliance – The ICO has made it clear that they are going to take a pragmatic approach to compliance during the current lockdown. They understand that many businesses have furloughed staff as well as staff absent due to sickness, and thus resources are significantly reduced. For this reason, the ICO are prepared to be more flexible particularly around timescales, for example for Subject Access Requests (SAR), breach reporting etc.
Having said that, they do expect businesses to do their very best to hit deadlines or at least get as close to them as possible. So for example, if you simply can’t get a SAR out to the data subject within 30 days, then you must try to get as close to this timeline as you can. It’s always a good idea to keep data subjects informed, ideally in writing in advance, of any delays.
Ideally if you have staff working from home you should produce a Data Protection Impact Assessment (DPIA) which will compel you to look at any potential risks, and any opportunities to mitigate. You should also consider updating your Article 30 Record of Processing Activities, and if you have a Home Working Policy you may need to review it to make sure it is relevant to the current situation. If you don’t have such a policy, you should consider writing one.
Generally, the basic principles associated with the legislation still apply, i.e. around transparency, fairness & lawfulness, so compliance under Covid-19 shouldn’t be too cumbersome provided you are already compliant with the legislation – it’s simply a matter of ensuring that any changes in working practices are considered in respect of data privacy.
We can help you with your GDPR compliance, so feel free to get in touch if you need any assistance.
Data Security – with so many people working from home, the likelihood of a data breach is clearly increased. There has been a significant increase in phishing emails using the subject of Covid-19 and often looking very plausible so please be aware, and ideally only open emails that come from a known and trusted source.
During the lockdown it’s very important to consider any steps that can be taken to ensure that any personal data is protected. Here are a few simple actions you could take:
Where possible ensure home-workers are using company laptops rather than their own
Make sure that anti-virus software, firewalls etc. are up to date
Try to avoid storing data on local hard drives – use secure cloud technology where possible, ideally ensuring data is held in UK/EU datacentres
Try to ensure laptops can be remotely wiped should the need arise, if any data is stored on them
Home-workers should avoid printing documents where possible, and if any hard copy documents need to be held at home, make sure they are locked away when not in use, and destroyed when no longer required, ideally by shredding
Family members and members of your household should not be able to see any confidential information on laptop screens or paper documents
Always use meeting IDs for online meetings to minimise the risk of your Zoom (or similar) calls being gatecrashed by third parties
Be aware when engaging in phone calls or online meetings that other people may be able to hear you. Many people are working outside in fine weather, so if you do so, ensure that neighbours are not able to overhear your conversations
Ideally you should get your IT infrastructure checked by professionals to ensure there are no potential vulnerabilities – this can easily be organised remotely
These are general hints and tips but we recommend using the services of qualified experts who can ensure that your data is secure from external threats. Our friends at Right Cue Assurance can not only help to protect your data but can also offer remote monitoring and vulnerability assessments. They are always happy to have an initial chat to see how they can help.
Employee data and return to work – The Covid-19 pandemic has thrown up some sensitive issues around health data of employees. Under the GDPR/Data Protection Act, health data comes under what is known as ‘special categories of data’, and as such requires special consideration. Where you have staff on furlough, for example, you may want some reassurance, before they return, that they are not exhibiting symptoms. This is one of several questions that could arise from the current situation, such as:
Are we permitted to ask furloughed staff to confirm that they are not exhibiting symptoms before they return to work?
Are we able to test employees when they return from furlough to see if they have the virus?
Staff continuing to work in the office may begin to exhibit symptoms – can we ask them about this, and if we feel they may have the virus, are we able to ask them to go home?
Can we ask office-based or furloughed staff if anyone in their household has symptoms or indeed the virus?
If we do obtain such information are we permitted to share the information with others?
Are we able to test staff to see if they have contracted Covid-19?
In all cases so long as you can demonstrate that you have treated any sensitive data with care, followed the rules and taken the required precautions, the answer is in principle yes, you can.
In order to process personal data, we must identify a lawful basis under Article 6 of the GDPR. For the above purpose we could use ‘legitimate interests’ as our lawful basis. However, in this case, as we are processing special category data, we need to identify a lawful basis under Article 9 in addition to that under Article 6. Article 9(2)(b) states that such data may be processed where “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.” This is further supplemented by Schedule 1 of the Data Protection Act 2018.
Employers have a duty to protect the health and safety of their staff and it is thus reasonable for you to ask questions of staff that could avoid putting others at risk. Having said that, it’s really important that you only collect sensitive information that is necessary, that you share it only with those who need to see it (e.g. HR manager), that you record all data collected, and that you destroy data once it’s no longer needed. If for example you ask a staff member whether anyone in their household has the virus or is showing symptoms, you do not need to know the person’s name as this is not necessary information.
If you plan to collect health data, and especially if you are proposing to test staff for the virus, then you should conduct a Data Protection Impact Assessment (DPIA), given that there will be new areas of risk to consider. The ICO recommends that your DPIA should set out the following:
the activity being proposed;
the data protection risks;
whether the proposed activity is necessary and proportionate;
the mitigating actions that can be put in place to counter the risks; and
a plan or confirmation that mitigation has been effective.
Employers with 5 or more employees should conduct a risk assessment, which must be in writing, and if you have 50 or more employees the government expects you to publish your risk assessment. This must include what measures you are taking to mitigate any risks of transmission within the workplace, such as social distancing, staggering hours to keep staff numbers to a minimum, office signage etc.
In summary I would emphasise that it is really important to ensure that you are compliant with the regulations and not putting yourself in a situation where you might later face a claim, or putting your employees at risk. Furthermore, many companies are having to make redundancies, and special care needs to be taken when undergoing such a process in the current circumstances.
If you are in any doubt, we strongly suggest seeking professional legal advice. Clarkslegal specialise in employment law and are always happy to have a chat about how they can help.