As the coronavirus pandemic has swept the globe, news reports have understandably tended to focus on the potential impact on the population both at home and at work, as well as the government’s response. However, as organisations grapple with how best to maintain their business operations while protecting their workforce, questions related to data protection continue to arise.
The UK data protection regulator, the Information Commissioner’s Office (“ICO”), is issuing guidance via its data protection and coronavirus information hub. It has also updated its regulatory strategy to reflect the changed environment, saying, “We recognise that the current reduction in organisations’ resources could impact their ability to comply with aspects of the law. We are committed to an empathetic and pragmatic approach, and will demonstrate this through our actions.” So, if you find that you need to redirect your usual efforts due to the current working constraints, this is a great time to get your house in order and tick off some of those data protection compliance jobs you’ve been saving for a rainy day.
As data protection experts, we thought it might be helpful to share our expertise and answer some common questions that we’ve encountered from our clients.
Q: We want to follow the government guidance for minimising the spread of coronavirus by enabling our staff to work from home. What data protection issues should we be aware of?
The security principle of the General Data Protection Regulation (“GDPR”) requires you to establish and maintain appropriate security measures to protect the personal data you hold. With information moving off-site, away from the security established at the workplace, these measures need careful review.
If you don’t already have a policy to cover remote working, some items to consider are:
- Is the device that will be used remotely, and/or the data on it, encrypted? If so, this is good news because the data should not be accessible without the encryption key (or the password/passphrase that unlocks it).
- If encryption isn’t an option, is the data pseudonymised, i.e. has information been replaced/removed so that it no longer identifies an individual?
- Has access to personal email been blocked from work devices?
- Will the worker be using a secure private network rather than a public network on the remote device?
- Will the remote device and any accessories be stored securely when not in use, e.g. in a locked room or in a locked bag?
For more information, see the guidance from the National Cyber Security Centre and the ICO’s advice on working from home.
We have worked with many clients on creating various data protection policies including home-working, so please contact us if you would like our help with this.
Q: A major part of my job is responding to subject access requests and other individual rights requests. However, coronavirus has really disrupted our business, so I’ll struggle to meet the response times set out in the GDPR. Will my organisation get fined for non-compliance?
The ICO is the data protection body with the power to issue fines. It has reassured people that it won’t penalise organisations that need to prioritise other areas during these unprecedented times.
The timescales set out in the GDPR are enshrined in law, so they cannot be extended, but the ICO has committed to warning people that they may experience “understandable delays” in the progress of any information rights requests during the pandemic. Its updated regulatory strategy states, “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.”
Q: Some of our employees have informed us that they will be self-isolating because they are experiencing some symptoms of coronavirus. Are we allowed to pass on this info to other staff? How can we do this in a GDPR-compliant way?
Yes, as part of your duty of care to your staff, you should keep them informed about cases (whether possible or confirmed) of coronavirus in the organisation.
To do so in a GDPR-compliant way, there are three main elements of the GDPR to bear in mind:
- The purpose limitation principle requires you to have specified the purposes that the data would be put to when you collected it and not process the data further in a way that is incompatible with those purposes.
- The data minimisation principle requires you to identify the minimum amount of personal data that you need to fulfil your purpose. In this example, think hard about whether you need to name the affected individuals and make sure that you don’t provide more information than is strictly necessary.
- Health data is one of the special categories of personal data, which means that there are more stringent conditions in place for processing it. As with all personal data, you must identify a lawful basis for processing under Article 6 of the GDPR, but for special category data you must also identify a separate condition for processing under Article 9.
Think carefully. Do you need to name the affected individuals? It’s unlikely. How much information do you need to provide? It’s probably less than you think. Be sensitive to the fact that, even if you do not name the person, it might be obvious who the individual is, given their role and/or the size of your organisation.
Q: We want to tell our customers how coronavirus will affect our business and their dealings with us. Are we allowed to do this, or will we be breaching marketing laws?
It depends on the thrust of your message. If you confine your communication to routine information about service interruptions, delivery arrangements, etc. brought on by the impact of the coronavirus pandemic on your business, this is unlikely to count as direct marketing and you could rely on legitimate interests as your basis for communicating.
However, if you include promotional material that, for example, is aimed at getting customers to buy extra products or services, the message would be classed as direct marketing and other rules would apply, in particular where you are sending emails or other electronic direct marketing messages. The ICO states, “You can still rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.” (The Privacy and Electronic Communications Regulations (“PECR”) sit alongside the GDPR and give people specific privacy rights in relation to electronic communications.) For more information, see the ICO’s Guide to PECR.
To be fully GDPR-compliant, don’t forget to document your decisions on legitimate interests. You still need to do this to meet the requirements of the GDPR’s accountability principle in terms of demonstrating compliance.
Q: Data protection is just one of our many worries. How on earth should I prioritise everything?
Here at Pritchetts, we’ve created a whizzy spreadsheet that helps organisations to track risks, prioritise them and document next steps. If you’d like a copy, please get in touch.
Q: With schools closed, I’m trying to work from home at the same time as looking after my kids. Any tips?!
You’ll be needing a tip-top Internet connection, buckets of patience and coffee. Lots of coffee! Also, a space to retreat to when you just need a few minutes to yourself. Fortunately, there’s a wealth of online resources out there to help those of us in this brave new world:
Plus, dance, drawing, Minecraft and a whole lot more – all available for free! Best of luck!
If you have a question that you’d like us to include here, please get in touch and we’ll update the blog as soon as possible.