COVID-19 is putting a unique strain on businesses and forcing new ways of working, which may have an impact on data protection compliance. The Information Commissioner’s Office (ICO) has acknowledged this. A recent statement from the Information Commissioner stressed that data protection law should not stop organisations from working together to respond to the pandemic.
The ICO website contains several guides to help businesses and different public bodies, with answers to some of the most common data protection questions. You can find those at https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/.
In this article, we consider some of the most significant issues for businesses: homeworking, responding to subject access and freedom of information requests, and collecting and sharing health data about employees.
The ICO has stressed that data protection law does not prevent home or other remote working arrangements. However, the law applies to the access and use of personal data from remote computers in the same way that it applies in the office.
Therefore, it would be advisable to review how data can be accessed and used remotely and consider whether any additional safeguards are required to meet your legal obligation to have “appropriate technical and organisational measures” in place to protect the data.
Homeworking potentially increases the risk of data breaches, whether through an intentional attack, misuse of data, or an accidental breach. If you haven’t already, now would be the time to put a formal IT security and homeworking policy in place, to encourage best practice amongst employees and reduce your data protection risk.
The ICO also recommends the National Cyber Security Centre (NCSC) guidance on IT security in homeworking, which includes tips on reducing the risk of cyber-attacks on homeworking devices. You can find this guidance at https://www.ncsc.gov.uk/news/home-working-increases-in-response-to-covid-19.
The ICO has acknowledged that the pressures of dealing with COVID-19 may have an impact on the ability of organisations to respond to subject access requests and freedom of information requests.
Whilst the ICO cannot change the statutory deadlines for responding to these requests, it has said it will not take regulatory action against organisations which are not able to meet the normal statutory deadlines.
If you are impacted by COVID-19 and not able to respond to requests as quickly as normal, for example because you don’t have full access to your post or the relevant personnel are not able to work at full capacity, it would be advisable to keep a record of the circumstances affecting you. That way, if the ICO receives a complaint and makes enquiries, you are able to explain the reasons for the delay.
As always, your collection of personal data must be proportionate, so whilst it may be reasonable to ask employees about whether they’ve visited particular countries, or experienced any symptoms associated with COVID-19, it may not be reasonable to collect more specific health data than that. If it is, you would need to justify collecting that data and ensure that it is treated with the appropriate safeguards.
It is reasonable to disclose to employees any cases of COVID-19 within your organisation, but you should do so on an anonymised basis wherever possible and only share as much information as is necessary to meet your duty of care to employees.
If you’re asked to share information with authorities for public health purposes, the law does not prevent you from doing so.
Please email carl.spencer@roxburghmilkins.com or call 0117 929 5122 with any queries.