Data protection and Coronavirus
The ICO has recently released updated guidance for businesses who are grappling with concerns around data protection compliance during the ongoing Covid-19 (Coronavirus) pandemic.
Please note: the information contained in our legal updates is correct as of the original date of publication.
Businesses are facing challenges in two main areas: (1) compliantly collecting and sharing personal data relating to Coronavirus; and (2) data compliance issues arising from staff working from home, or being off work due to illness. Whilst the first of these issues is specific to the pandemic, the data issues related to working from home in particular are likely to endure well beyond the end of the pandemic, so this is causing some businesses to look again at their processes.
The key message from the Information Commissioner’s Office (ICO) is to be proportionate in your approach – if something feels excessive from the public’s point of view, then it probably is. The ICO reassures businesses that it is a “pragmatic and reasonable regulator, one that does not operate in isolation from matters of serious public concern”. Data protection compliance should not stand in the way of you protecting the health of your staff and others, or of your ability to run your business, but you must ensure that you adhere to the key principles of data minimisation and fairness to data subjects.
1. Collecting and sharing personal data related to Coronavirus
In order to protect the health of your staff and others at this time, you may need to collect and share more personal data than usual. For example, you may need to collect information about whether your staff, supplier staff, or visitors to your premises are experiencing symptoms of Coronavirus, or have come into contact with anyone experiencing symptoms of Coronavirus. You may also need to share some of that information internally with key decision makers, or third parties including your suppliers and clients. Here are some key steps you should take to ensure compliance.
- Only process personal data that is necessary and proportionate in the circumstances. For example, if you have been informed by an employee that they have Coronavirus, you may inform certain other employees that they have been in contact with someone who has Coronavirus; however, it is unlikely to be necessary to share the name of the relevant individual.
- Ensure that you have a legal basis to process personal data (as required under Article 6 of the GDPR). Personal data is any information that identifies an individual such as names, contact details, job roles, and location data. You must ensure you have an applicable legal basis for each different purpose for which you are processing the data. For example, where you are processing personal data relating to employee sickness, the appropriate legal basis under Article 6 is likely to be that such processing is necessary for the performance of the employment contract.
- Ensure you have a condition for processing “special categories of personal data” (e.g. health data) (as required under Article 9 of the GDPR). There is a general prohibition on processing special categories of personal data unless one of the conditions in Article 9 applies. The most relevant conditions for these purposes are likely to be that the:
1) “processing is necessary for the purposes of carrying out or exercising specific rights of the controller or the data subject in the field of employment”; or
2) “processing is necessary in order to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”.
However, any processing will be subject to the principle of necessity (as set out above) – do not collect or share personal data unless strictly necessary for a particular purpose. For example, you may require health data from your team relating to requests for work-from-home kits. It is likely to be necessary to share that data with HR and the relevant person’s line manager, although it is unlikely that this information would need to be shared with any other individuals.
- Ensure that any correspondence or documents containing personal data are kept secure. Keep any personal data (particularly sensitive data) on a secure drive with access restricted to only those who need to see the information. Consider password protecting documents where appropriate. The level of security required will depend on the sensitivity of the data in question - stricter measures should be in place for health data and other special categories of personal data, as these pose a higher risk.
2. Ongoing data protection compliance
With a large proportion of the UK workforce now working from home and many businesses’ resources strained due to staff illness, complying with ongoing data protection obligations is likely to become more challenging. We have set out below some key areas of ongoing data protection compliance which may be affected.
- Responding to rights requests (including the right of subject access and the right to be forgotten). The statutory deadline to respond to such requests is one calendar month. Inevitably, with limited resources and key staff working from home, businesses may struggle to comply with those deadlines. The ICO has said, “we can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic”, which is comforting to controllers who will struggle to deal with rights requests because of these unprecedented challenges. However, you must still respond to and deal with rights requests as best you can given the circumstances, so that you can show that you have acted reasonably. Maintaining a dialogue with the data subject is key. If you are unable to comply within the statutory deadline, consider seeking to invoke the 2-month extension.
- Security concerns arising from staff working from home. Consider your current working-from-home and information security policies. Do these need to be updated in light of the current circumstances? Do you have adequate security measures in place to protect personal data (particularly special categories of personal data) that is processed by staff working from home? If it is necessary for staff to have copies of personal data outside of their usual working environment (for instance on their own laptop), consider how this will be disposed of in a secure and timely manner. How will you ensure that meetings carried out by video conference are secure? What software will you permit people to use in your business, and what controls are in place?
- Privacy notices. Do you need to update your privacy notices/policies to inform individuals of any new processing activities, or provide a short-form notice in respect of specific processing activities? For example, you may not previously have collected health data about visitors to your premises. In those circumstances, it may be appropriate to draft a short paragraph setting out why you are collecting that data and for how long it will be stored (referring out to your main privacy notice/policy).
- Record of processing activities (ROPA). Do you need to update your ROPA to add any new purposes for processing personal data or new third-party software providers?
Co-authored by Loren Hodgetts and Ella Greenwood