The Information Commissioner’s Office ('ICO') has recently published its guidance in relation to organisations’ data protection compliance obligations under the current pandemic. In this article we look at the implications of the ICO’s guidance and practical steps organisations can take to ensure data protection compliance and cyber security whilst they fulfil their obligations to protect the health and safety of employees.
Collecting and sharing health data from your employees and visitors
To monitor staff wellbeing during this challenging time, organisations may need to collect information from employees or visitors. As health data falls under the special categories of personal data, organisations must take additional precautions when collecting and processing such data. This is necessary, even when the processing is intended to protect employees.
Practical steps and tips include:
- Response team and confidentiality – Organisations should set up designated hotlines, email addresses as well as a designated response team. All COVID-19 related health data collected and processed should only be accessible by very limited numbers of senior staff who have a need to know the information and are subject to confidentiality obligations. Such personal data must be stored securely as other health data.
- Keep data subjects informed – Organisations should strongly encourage self-reporting of relevant travel history and suspected COVID-19 symptoms. Unless already set out in your privacy notice, organisations should explain to staff how such personal data will be used and for how long they may be retained. Where visitors are requested to voluntarily provide such personal data, organisations should consider providing hard copies of privacy notice.
- Only process data 'necessary' for the purposes – Organisations are permitted to collect and process COVID-19 related health data that is necessary to (i) support employees in connection with their sick leave, sick pay, and other statutory employment rights and (ii) to ensure the health and safety of the workforce as required by law. What is 'necessary' is interpreted restrictively under the General Data Protection Regulations ('GDPR') – the data collection must be a targeted and proportionate way of achieving the purpose. Guidance from the UK government and the Foreign & Commonwealth Office ('FCO') can be a useful tool to assess what types of personal data are relevant for assessing risks. For example, organisations can ask employees and visitors to self-report whether they have recently visited the affected areas as indicated by the FCO and/or displaying symptoms as published by the NHS. Organisations are also justified in recording medical diagnosis of COVID-19 for health and safety purpose but should ensure any records are factual rather than speculative.
- Only share information that is necessary for the intended purpose – For example, to contain the spread of COVID-19, organisations may need to conduct contact tracing and inform some of its staff to self-isolate because of close contact with a suspected/confirmed case. In these cases, it will not always be necessary to share the name of the staff with suspected or confirmed COVID-19.
- Documentation – Whilst the development of the pandemic could raise challenges, any decision-making process should still be documented as usual.
Data protection compliance
Whilst the ICO cannot change the statutory timeframes laid out in GDPR, the ICO acknowledged that resources may need to be diverted away from day-to-day compliance work. The ICO will send out communications to data subjects so that they are aware of the potential delay in receiving responses to data subject rights requests. Under GDPR, organisations may also extend the period for responding to data subject requests where the relevant conditions are met.
For further information on what actions Data Protection Officers can take to help organisations ensure data protection compliance during this challenging time, please see our guidance note here
Cyber security and homeworking
- Necessary updates – Organisations should ensure that their devices (and where relevant, employees’ own devices) are fully updated with the latest operating system and key software updates.
- Use work devices if possible – In general, allowing employees to bring their own devices ('BYOD') could pose challenges to personal data and IT security. If possible, organisations should request employees to only use work devices when working from home. Documents and data should be stored on the organisation’s trusted networks or cloud services. If such services and solutions are not available, employees should be required to back up locally saved documents regularly on the employer’s device.
- BYOD – If employees will have to use their own devices to carry out work, organisations should issue relevant BYOD policies and if possible provide remote training sessions. Organisations should ensure that employees only use work email accounts rather than personal accounts and update passwords regularly. Where a secure cloud solution is available, documents should be saved in this secure environment rather than locally on employees’ own devices. Once organisations resume working from their usual offices, it is recommended that employees are asked to delete any work-related data saved on their own devices.
- Paper documents – Organisations should remind employees that paper documents can still be confidential and could be personal data if it is intended as part of a filing system. Employees should be asked to keep such hard copy documents secure and keep a register of the documents they have taken home.
If you would like assistance with your data protection matters in this challenging time, our data protection team is ready to help. Please contact David Varney in our Data Protection team.
This article was written by Yunzhe Zhang.