A GDPR & Data Protection Advisory Note
Published: 31/03/2020 Last Updated: 15/04/2020
Warning! Dull data protection update below*
With the outbreak of COVID-19 almost all organisations are facing a completely new landscape when it comes to the handling of personal data as a result of their employees now working from home.
In this Note we offer some ‘Top Tips’ for dealing with some key data protection issues that many organisations will be facing for the first time.
Some of the following ‘Top Tips’, which are derived from a number of sources including the ICO, may overlap with one another.
- Data protection law is not a barrier to home-working, but adequate security measures must be implemented and documented.
- The underlying principles of data protection still apply – any processing of personal data must still be proportionate and necessary.
- Carry out DPIAs (Data Protection Impact Assessments) regarding any new working arrangements.
- Ensure that those responsible for implementing new/homeworking arrangements work closely with your DPO.
- Consider lawful grounds for your processing. The GDPR and the UK Data Protection Act 2018 both provide grounds for processing where necessary in the context of containing and managing the response to a pandemic. Assess whether the proposed collection and intended use of personal data is necessary on the basis of the grounds relied on.
- Don’t be pressured into simply complying with a sharing request because of its source without understanding the purpose of the requested disclosure and the necessity of the data to that request.
- Collect and use the minimum data needed for your purposes. Only collect information necessary to manage containment and protect your employees and others. For example, it would be reasonable to ask employees or visitors to inform you if they have tested positive or been exposed where you then process that information only in order to protect the workforce and enable containment of the risk posed to others.
- Do not engage in the systematic and broad collection of large amounts of information on employees or others – for example, by requiring the completion of detailed health questionnaires about themselves, their family or their situation or requiring the provision of health declarations in the absence of any legal obligation.
- Remind staff about the need to maintain high data protection standards whilst homeworking and the importance of reporting any data breaches immediately.
- Remind staff of your relevant policies and provide guidance and training. Matters that may require particular attention include:
  - How to use secure remote working solutions.
  - How to deal with problems and receive support, including providing escalation points, contact details, hours of service and emergency procedures.
  - Handling off-site hard-copy documents that contain personal data and their secure disposal.
  - The risks associated with portable storage devices (such as memory sticks) and their safekeeping and disposal.
  - Avoiding confidential work calls in a shared space (e.g. video conferences/Teams meetings in the proximity of family/flatmates/friends).
  - COVID-specific cybersecurity threats, such as phishing emails, fraudulent websites and malicious apps.
  - Using and accessing data over potentially unsafe and untrusted Wi-Fi networks.
  - How and when to report and deal with data breaches and phishing emails (especially if they have clicked on any links).
- Keep employees generally informed of the containment and protective measures you are taking, and the numbers of cases within the workforce without disclosing more information than necessary.
- Do not disclose information to employees revealing the identity of colleagues who have tested positive for COVID-19. The only exception to this may be where a disclosure is to a specific employee or employees who may themselves have been exposed to the affected colleague and where disclosure is a necessary containment and protective measure.
- Don’t create a climate of fear that has the unintended consequence of making employees reluctant to identify and report any issues and concerns relating to security and data breaches that you need to be aware of and act on.
- Create/review/refresh your Remote Working, Bring Your Own Device (BYOD), Acceptable Use (AUP) and Data Breach Management Policies.
- Ensure these (and any changes or updates made) are brought to the attention of staff (and, where appropriate, external stakeholders). Key changes to the documents should be flagged, and you should ensure that staff review, acknowledge and agree to the updated policies (e.g. via click-and-accept buttons).
- Consider the merits of a Temporary Homeworking policy.
Key/executive members of staff
- Ensure you have up-to-date personal contact details for all key/executive members of staff and named alternates for them, in the unfortunate event that any are affected by COVID-19 and therefore unavailable if your organisation suffers a personal data breach or any other security incident.
- Check all key/executive team members are confident that they know what to do in the event of a data breach arising from an employee home working.
- Make sure that, before being delivered to employees, new laptops go through an ‘onboarding process’, including being encrypted at appropriate levels.
- Ensure you fully understand risks of relying on any employee-owned devices.
- Seek assurance from business partners/suppliers about their altered data protection/privacy and cybersecurity arrangements, to get comfort that your organisation can continue to work with them and that they have the ability to continue to provide their service to you.
- If you need to engage new service providers and share with them personal data, carry out any appropriate additional due diligence to take into consideration the potential impact of COVID-19.
- Make sure you have support from specialist cybersecurity providers, e.g. regarding fraudulent COVID-themed websites.
- Don’t skip doing security diligence or implementing appropriate contractual processing safeguards for vendors you bring in to provide COVID-19 related support. It’s important to have a clear picture of their security strengths and weaknesses and put robust terms in place, even if there is pressure to complete on-boarding.
- Monitoring employees whilst they are homeworking needs to be considered carefully. Home IP addresses will be considered personal data, and therefore it is difficult to monitor employees on an anonymised basis. You should undertake a data protection impact assessment (DPIA) to help you identify any data protection risks from monitoring employees working from home.
Communicating with customers
- Organisations will want to keep in touch with their customers during this time. However, to avoid any potential complaints, or accidental breaches of the Privacy and Electronic Communications Regulations (PECR), you should be careful about sending marketing information along with COVID-19 updates in your communications with customers. It may be reasonable to contact all customers to let them know that your business has closed or has different trading hours, but make sure that the email or telephone call does not include anything that may be seen as a marketing offer.
- Going forward, many organisations will be forced to look at new opportunities in a more digital environment to generate cashflow. This should be carefully managed by new policies and risk assessed by Data Protection Impact Assessments (DPIAs).
- Consider if your incident response communications protocols and collaborative working infrastructure remain fit for purpose in the light of new working arrangements.
- Assess your ability to continue with large-scale remote working for a prolonged period of time.
- Consider the capacity and resilience of your IT infrastructure to identify, address and mitigate the possible increases in cyber-attacks, security incidents and data breaches.
This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
*We’re not sure if the above is interesting, but it’s definitely not legal advice.