With the outbreak of COVID-19, businesses are facing a completely new landscape when it comes to the handling of personal data.
The safety of staff and customers needs to be managed in unprecedented ways, resulting in personal data being collected and handled in a manner not previously contemplated. Organisations mapping out their road ahead, accommodating home working and exploring alternative business services will inevitably rely on personal data. Difficult strategic decisions are necessary, but they could inadvertently have a negative impact on personal data.
The Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB) have in the past week stressed the importance of the measures taken by organisations to combat COVID-19, and the ICO has said that it won't penalise businesses where data handling practices are not in line with their usual approach and the requisite timescales.
While the full scope of this lenience has not been spelled out, it would appear to apply to all types of compliance, including the duty to report a data breach, mitigating data breaches, dealing with data subject access requests, and others. In relation to handling data subject access requests, the ICO has acknowledged that both staff and financial resources may be diverted as a result of COVID-19. The ICO has gone so far as to say that it will not be taking regulatory action in the event of non-compliance.
In this article, we highlight some of the key data protection issues that businesses may be facing during the COVID-19 outbreak and consider the best practices to ensure continued compliance in accordance with the recent ICO and EDPB guidance.
Many organisations will find themselves handling personal data (including special category data such as health data) on a much larger scale. Where their services are essential, businesses may be processing personal data of staff and visitors in ways not previously considered.
During these times, businesses can justify use of personal data including health data since this is a performance of a task carried out in the public interest. In practice, this may include:
(a) monitoring the health status of its staff and requesting information from its staff about any countries they may have visited recently and/or symptoms they may be experiencing;
(b) sharing its staff's health information with the NHS; and
(c) informing its other staff that a colleague may have contracted COVID-19.
Notwithstanding the above, the underlying principles of data protection still apply - any processing of personal data must still be proportionate and necessary. For example, in relation to (a) above, it may be reasonable to ask staff to advise if and when they have visited a particular country or are experiencing COVID-19 symptoms. This would not necessarily allow an employer to gather and maintain a database of health data. If such a database were required, further GDPR protective measures would be advisable, such as limiting access, setting a retention period and having a secure data erasure process. For (c), good practice could be to inform colleagues that a member of the team has contracted COVID-19, but to keep that person's identity confidential.
Working from home
One of the biggest day-to-day changes currently being experienced is the widespread working from home necessitated by COVID-19. The ICO has recently clarified that data protection laws are not a barrier to increased and different types of home-working. However, businesses will be working at pace to ensure that the majority of their staff can work from home in a manner not previously contemplated or tested.
Businesses will be more vulnerable because their systems have not previously been subjected to this volume of individuals working from home. On top of this, we are seeing third-party fraudsters taking advantage of situations where normal processes may not be followed.
Organisations need to be confident that they can maintain a high standard of security and should consider the additional measures needed to ensure staff are aware of the increased risks resulting from home-working. A quick email reminder or even a short five-minute YouTube video reminding staff of the risks could be a good way to increase awareness.
Going forward, many organisations will be forced to look at new opportunities in a more digital environment, including greater reliance on social media platforms and online sites to generate cashflow. During this time, the use of personal data in marketing campaigns should still be carefully managed and policies followed. Privacy Impact Assessments should be deployed, but in a time where quick decisions are essential, try to focus on the key issues: minimising the data you use, being transparent about what is happening, ensuring a lawful basis for processing, and having adequate technical and organisational measures in place to protect against unlawful use.
Organisations should take comfort in the recent guidance issued by the ICO and EDPB - data protection law does not prevent personal data from being processed, provided that the processing is proportionate and necessary and the rights of the data subjects are considered at all times. For any further support or if you have any questions, please do not hesitate to contact the AG data team.