The Impact of COVID-19 on Data Protection
The outbreak of COVID-19 has sent shock waves throughout the world, and organisations, irrespective of their business type, sector or size, have found themselves in uncharted water. As organisations try their best to mitigate the effects that their businesses face in the fight against the global pandemic, they may find that they are collecting increased amounts of personal data. While it is important for businesses to collect information to determine whether employees or visitors pose a heightened health risk, the accumulation of personal data – particularly data related to health – poses a number of potential legal challenges.
Collection of additional data
If an organisation seeks to collect additional information about individuals as a result of the COVID-19 outbreak, including details of any pre-existing health or medical conditions that its employees may have, it will be important to ensure that appropriate steps are taken to address the added risk posed by such information gathering.
Health information is special category data under the General Data Protection Regulation (“GDPR”) and it attracts a higher degree of protection. Organisations must therefore take extra steps to ensure that they have an appropriate lawful basis to collect and use this information as well as ensuring that adequate safeguards have been implemented to protect the security and confidentiality of the data.
Organisations should also be mindful of the data minimisation principle of GDPR, which requires that the information you collect is relevant and limited to what is necessary – you must not hold more information that you need. In relation to COVID-19, it could be tempting for organisations to ask for all sorts of information about their employees, however, it’s important to be sensible and only ask for what is genuinely needed. If an organisation receives information from an individual that is not relevant, they should delete it.
Despite the uncertainty of the current situation, the Information Commissioner’s Office (the “ICO”) has recently issued useful guidance to clarify the data protection position in light of the current pandemic, which offers reassurance and support to organisations at a time when staffing levels may be reduced and businesses have new, urgent priorities to contend with. The ICO has stated that proportionality remains key and organisations should adopt a proportionate approach to their data protection practices. Additionally, the Chair of the European Data Protection Board ("EDPB") has recently provided a statement on the processing of personal data in the context of the coronavirus outbreak, which can be found here. In summary, the EDPB confirmed that the GDPR contains legal grounds to enable organisations to process personal data in the context of epidemics for reasons of public interest or to protect vital interests. In such cases, consent of the data subject will not be required.
In the unfortunate event an employee contracts coronavirus, organisations must be careful about how they use and share this information. The temptation will be for organisations to tell its other employees the name of the individual who has contracted the virus in order identify anyone else who may be infected, however, it is important to ensure that the disclosure of this health information does not breach data protection laws. Appropriate processes must be followed to ensure compliance, which will involve balancing the rights and freedoms of the affected individuals, against an organisation’s duty of care to its staff. In any event, organisations should not provide more information than is absolutely necessary, which serves as a further reminder that proportionality is key.
Working from home
Working from home is now the new norm for many organisations and employees alike. However, even if homeworking has been an option for employees prior to the outbreak, there may be a sudden increase in the number of people working from home, including some who have never had this option before. A key principle of GDPR is that controllers must take appropriate steps to protect the confidentiality, integrity and security of the information they hold, but there is a risk that as a result of the increased number of people working from home, an organisation’s data protection practices may not be as secure as they typically would be. Organisations will need to ensure (as best they can) that they have adequate measures in place to protect the security and confidentiality of the information that its employees have access to. These measures will need to ensure that both hard copy personal data and electronic data is securely protected.
One side effect of homeworking is the increased number of cyber-attacks occurring. Experts from the National Cyber Security Centre have revealed a range of attacks being perpetrated online as cyber criminals seek to exploit fears of the coronavirus. Many of these attacks take the form of “phishing” emails that include links claiming to have important updates, which once clicked lead to devices being infected. These attacks can lead to a loss of money and sensitive data that an organisation holds. Organisations should therefore take the time to review their security policies and update them if appropriate, as well as notifying its employees of the increased risk of cyber-attacks and what they can do in order to continue working securely from home. Such advice may include:
- Telling employees to be aware of social media, blogs and suspicious links from unknown sources while using a work device;
- Ensuring that documents are properly destroyed. Documents containing personal data should not be put in the household waste or recycling bins, even if they feel they have been sufficiently torn up. If employees are unable to destroy them at home, the documents should be locked away until employees can enter their usual working premises to make use of shredders and confidential waste bins.
Telling employees that if they become aware of any suspicious emails or unusual activity to notify the appropriate contact in the organisation straight away;
Ensuring that other people cannot hear them on the phone when dealing with work;
Limiting the number of paper documents that can be taken home and remind employees not to allow other members of their household to view work related documents, particularly those that contain personal data;
Taking time to check that emails are being sent to the correct recipient and that the correct documents have been attached. Any attachments should also be password protected, if appropriate
As most organisations are aware, the fines that can be imposed by the ICO in the event of a data breach can be as high as €20,000,000 (or the sterling equivalent) or 4% of turnover. In recent times, many high profile companies have suffered cyber-attacks and most will remember the ICO announcement that it intends to fine British Airways £183 million following a cyber-incident in which the personal data of its customers was comprised. Accordingly, organisations should ensure that they have the appropriate controls and systems in place to deter and deal with breaches if they do occur.
Organisations should also remember that if they do suffer a notifiable data breach, the 72 hour timeframe for notifying the ICO will still apply. The ICO has issued a statement confirming that it does not have the ability to extend the statutory timeframe, but that it recognises it may no longer be feasible for organisations to meet these timescales. The ICO has said it will take a reasonable approach in this regard, however, it has made it clear that businesses should not use coronavirus as an excuse for delays or failures to comply with GDPR and that all businesses should do what they can to comply with the current timescales. Therefore if an organisation suffers a notifiable breach and is unable to report that breach to the ICO within the 72 hour timescale, it should nonetheless contact the ICO within 72 hours to explain there will be a delay and the ICO will provide further advice.
When it’s all over?
Although it is not clear when the crisis will end, organisations will need to determine what to do – or what not to do – with the data they have collected throughout as a result of the pandemic. GDPR requires that personal information is deleted once it is no longer required. As organisations require a persuasive justification for retaining data, the best practice will be to properly dispose of data when it is no longer needed.
If you have any queries please contact the Commercial team at Carson McDowell for further information.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.
*This note reflects the position as at 2 April 2020.