The current COVID-19 pandemic has thrown up a number of legal issues which should be considered by organisations who are processing personal data.
The Data Protection Commission has issued recent guidance on the topics below:
Protecting Personal Data When Working Remotely
Measures to control and prevent the spread of COVID-19 will involve more people working remotely than usual. Below are some tips to keep personal data safe when working away from the office.
- Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced.
- Make sure any device has the necessary updates, such as operating system updates (like iOS or android) and software/antivirus updates.
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
- Lock your device if you do have to leave it unattended for any reason.
- Make sure your devices are turned off, locked, or stored carefully when not in use.
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
- When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.
- Follow any applicable policies in your organisation around the use of email.
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
Cloud and Network Access
- Where possible only use your organisation’s trusted networks or cloud services, and complying with any organisational rules and procedures about cloud or network access, login and, data sharing.
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
Processing of personal data (including data related to health) in the context of the Data COVID-19 Pandemic
Governments, as well as public, private, and voluntary organisations are taking necessary steps to contain the spread and mitigate the effects of COVID-19. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.
Measures taken in response to COVID-19 involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.
Organisations should also have regard to the following obligations:
There are a number of legal bases for the processing of personal data under Article 6 GDPR, and conditions permitting the processing of Special Categories of personal data, such as health data, under Article 9 that may be applicable in this context. Among these, the following may be relevant.
In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified.
Organisations processing personal data must be transparent regarding the measures they implement in this context, including the purpose of collecting the personal data and how long it will be retained for. They must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, easy to understand, and in clear and plain language.
Any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.
As with any data processing, only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
Controllers should also ensure they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.