Data protection checklist during Covid-19 Coronavirus
13th May 2020
COVID-19 has changed the way businesses work – possibly forever. In an effort to alleviate the impact of coronavirus, many companies have allowed their employees to work from home, many of them for the first time.
With staff working from home, accessing cloud-based software and systems via household internet connections and personal devices, the risk of a data breach has skyrocketed. Unfortunately, regardless of these unprecedented times, fines for data breaches still apply.
However, the Information Commissioner’s Office (ICO), the UK’s data privacy regulator, is working hard to provide reasonable flexibility, given the severity of the situation. Using pragmatism and empathy, the organisation has stipulated that its efforts will be focused on the most significant threats. While acknowledging the importance of people’s information rights, the ICO is adjusting its regulatory approach accordingly. Elizabeth Denham, Information Commissioner, stated:
“Our UK data protection law is not an obstacle to such flexibility. It explicitly sets out the importance of my office taking regard of the general public interest and allows for people’s health and safety to be prioritised without the need for legislative amendment. A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind. Right now, that means the regulator reflecting these exceptional times, and showing the flexibility that the law allows.”
Despite the reassuring words from the Information Commissioner, the General Data Protection Regulation (GDPR) provides strict guidelines for businesses processing personally identifiable information about individuals, which cannot be ignored.
With the above in mind, here is our checklist of reasonable things you should especially consider at the current time:
· Health – remember that health data is special category data under GDPR and therefore requires even more careful handling than other personal data. It is essential that you can demonstrate necessity when handling this kind of data (for example, health screening); relying on consent from the employee may not be enough. Carry out a very careful Data Protection Impact Assessment before you introduce any new health screening practices.
· Remote working – the shift to almost everybody working from home has of course changed the risk profile of remote working. Given the scale of remote working, you may judge that it now falls into the ‘high risk’ category and requires a Data Protection Impact Assessment (DPIA). Even if you don’t think you are legally required to do one, we recommend that you do anyway, as it is a useful way to identify and mitigate risks.
You must have appropriate technical and organisational measures in place.
Considerations for remote working include:
o Update remote working policies.
o Use a VPN (Virtual Private Network), which is more secure than simply logging in over the open internet.
o Force password changes regularly.
o Staff can use their own computers, but we suggest that you don’t allow them to save anything on their local drives.
o Train your remote team on data protection and cyber-crime / email phishing awareness (this can be done remotely).
o Video conferencing – many of us are now using video conferencing in place of face-to-face meetings. Carry out appropriate due diligence to ensure your chosen platform is secure.
o Paperwork – hard copy files and documents also need to be kept safe. They should be shredded when not needed.
· Monitoring – this is tricky because home IP addresses will be considered personal data. Once again we recommend you carry out a DPIA, as you will need to demonstrate necessity. A Controller will have a legitimate interest in monitoring its networks for security purposes and to prevent abuse or fraud; however, there is a fine line between reasonable, proportionate monitoring and excessive privacy intrusion. We suggest you take proper advice if you are considering monitoring your employees working from home.
· Data Breaches – Ensure that you have trained your employees about your data protection strategies and remind them on an ongoing basis. Secondly, ensure they are aware of the action to take and procedure to follow, should a breach occur.
· ‘Can I tell my staff if one of our staff has the virus?’ is a question often asked during the recent crisis, to which the answer is ‘Yes you can – but carefully.’
The ICO says that:
“You should keep staff informed about cases in your organisation. Remember you probably don’t need to name individuals and you shouldn’t provide more information than necessary.
You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you from doing this.”
Take each case individually and make sensible and sensitive decisions about whether other people NEED to know. If everyone is already working from home, for example, then ask ‘do they NEED to know?’ Probably not.
One way to give you and your organisation peace of mind is to register for our Data Protection Helpline. This means that one of our specialists will be available to help you navigate the current Covid-19 crisis as and when the need arises.
Due to the pandemic we are offering our ‘ad-hoc’ advice service for just £95.00+VAT for up to a 30 minute enquiry.
To register for the data protection helpline, please email [email protected]
Additionally, all of our other services, including data protection training, are available remotely and virtually. Get in touch with us at Griffin House Consultancy.
Here when you need us.
Call: +44 (0)1673 88 55 33
Email: [email protected]