Most organisations are now asking employees to work from home, often for the first time. This raises important data protection compliance considerations, particularly around maintaining data security. The Information Commissioner’s Office (ICO) have made it clear that while they may be patient with organisations they expect the same level of security when home working.
What are appropriate technical security measures, for the purpose of the GDPR, when home working?
The GDPR already requires all organisations to take appropriate technical and organisational measures to secure personal data, but you may no longer be able to rely on the same measures that were in place for an office environment. Some measures appropriate to home working include:
- Creating an internal-facing data protection policy describing the basics of GDPR compliance for staff. Reinforce this with regular short emails setting out practical measures for staff to maintain security, for example not using personal email accounts for work, keeping hard copy data in a safe place and always logging off promptly at the end of the working day.
- Only transfer data over a secure network such as a virtual private network (VPN).
- Audit video conferencing, cloud and software as a service (SaaS) security.
- If possible, avoid staff using personal devices. The ICO have imposed fines when cloud back-ups of personal data, made via a personal device, were exposed publicly online.
A data protection impact assessment (DPIA) can be useful to assess who in the organisation has access to higher volumes of data, more sensitive data or is more exposed to risks of data breach, because of home working. This should be backed up with a data audit report listing the type, location, purpose and lawful basis for data processing.
Can we use our email marketing database to tell customers about how we are affected by coronavirus?
As a business you obviously want to let people know that you are still open. There may be contacts you want to send the email to but for whom you cannot demonstrate consent, or who may have already opted out of receiving direct marketing communications. If consent to receive email marketing cannot be proven, these emails risk breaking the law. Anything intended to promote or raise awareness of your business could be a marketing communication; there is no need for a specific offer in the email. This makes any email about coronavirus sent to an unfiltered list a significant risk.
The wise approach is to only send the email to contacts for whom you can prove consent. If you cannot, then exclude promotions, discounts or any invitation to purchase, and limit it to practical considerations such as service interruption or premises opening.
Can we delay responding to data subject access requests or freedom of information requests?
The statutory time limits of 30 days for data subject access requests (DSARs) and 20 working days for freedom of information requests remain. These cannot be extended by the ICO, but they are likely to be patient where an organisation is facing real problems with compliance because of coronavirus.
The key will be to ensure effective communication with staff working remotely, so that they know how to spot a request, are able to obtain the data, and can then compile a response. This will rely on centralised online file storage and keeping data off individuals’ devices (if that individual suffered symptoms, the data could be out of reach). Where delays arise, these need to be recorded and the data subject kept informed.
Do we still need to report data breaches to the ICO within 72 hours, and can we delay informing individuals about data breaches?
There has been no change to reporting requirements. Data breaches which are likely to pose a risk to people’s rights and freedoms must be reported to the ICO ‘without undue delay’, and in any event no later than 72 hours after becoming aware of the breach.
The same applies to reporting a data breach to individuals. Data subjects must be informed without undue delay where there is a high risk to people’s rights and freedoms (note the higher threshold here: a ‘high risk’ rather than a ‘likely’ risk).
There are circumstances where discovery of a data breach might be delayed (for example, unavailability of staff or a break-in at an empty office), and therefore what constitutes ‘undue delay’ in the current circumstances might allow some extra time.
Can we refuse requests for personal data in hard copy?
Probably not, but they could certainly be delayed or alternatives offered. Article 15(4) of the GDPR states that the right to obtain copies of personal data should not adversely affect the rights and freedoms of others. Concerns over transmission of the virus via handling paper, and the need for employees to put themselves at risk by accessing documents or printers located in locked-down offices, are likely to be sufficient for Article 15(4). You should ask the data subject to wait until it becomes safe to comply with their request, or offer the data in electronic format.
Can we collect information about employee and visitor health to help us tackle the virus?
Information about an individual’s health is special category data which is subject to additional strict processing requirements. For most organisations collecting this data is best avoided because it creates a greater risk of non-compliance.
Organisations are allowed to ask employees, or visitors to their premises, whether they consider themselves at particular risk. They can also ask if they have experienced symptoms. Rather than requiring individuals to disclose their specific symptoms, which would mean the organisation obtains sensitive information it does not need, tell the individual to obtain advice via NHS online resources or, if they are unable to do that, to call 111.
There is no requirement to disclose knowledge of someone’s symptoms to public authorities, but if they ask this is likely to be acceptable.
When telling others that someone has experienced symptoms, do not disclose the identity of that individual if at all possible. Of course, not identifying someone may be practically impossible in many situations, and in that case the need to protect others is likely to override data protection concerns.
I am the organisation’s Data Protection Officer, or the person responsible for my organisation’s data protection compliance; what do I need to do?
This may be a challenging time for data protection officers facing an increase in questions from IT and management. Some of your first steps should be:
- Ensure the internal-facing data protection policy is up to date and deals with home working, personal devices and IT usage.
- Review the organisation’s website and third-party-facing privacy notice to ensure they describe how the organisation will use personal data, if this is going to change because of remote working. As a consequence of coronavirus you may process health data you did not use before; make sure the notice describes how that will happen.
- Ask colleagues in IT departments to report on any known security concerns raised by new software or IT services being used to cope with home working.
- Consider a data protection impact assessment, backed up by a refresh of any personal data audits to record changes to how data is stored.