‘Data protection’ and ‘GDPR’ are two terms most organisations dread hearing at the best of times, and they are likely to take a backseat for many during the current pandemic. Complying with the obligations set by the GDPR in the usual office environment has been a challenge organisations have faced since the regulation came into force in 2018, and now their compliance is put to the test further as organisations struggle to ensure adequate processes are in place to withstand the potential ramifications of Covid-19.
Despite currently living in unprecedented times, employers must still ensure the protection of personal data and of individuals’ rights. Covid-19 does not change this. Whilst the ICO recognises the challenges businesses may be facing during this pandemic and vows to take a more flexible approach, it will not accept organisations that are wilfully doing nothing.
Following the outbreak of Covid-19, and given employers’ obligation to protect the health, safety and welfare of their staff, employers are collecting a considerable amount of personal data which falls within the ‘special categories of personal data’ and is therefore subject to stricter compliance requirements.
The GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out if an organisation is processing personal data in a way that is likely to result in a high risk to the rights and freedoms of individuals. This means that before employers collect health data from their employees, they should consider the level and detail of data necessary to protect employee health and safety, and whether the organisation has adequate internal policies in place to process sensitive data.
Even while complying with health and safety obligations and the duty of care, the systematic and generalised collection of health data is discouraged. Employers may process employee health data in the context of Covid-19 without obtaining employee consent if the processing is necessary to protect the vital interests of the employee; if the processing is for reasons of public interest in the area of public health; or when the employer is complying with another legal obligation.
Employers should only process the minimum amount of data needed to implement measures to prevent or contain the spread of the virus. It would be reasonable to ask an employee whether they have any symptoms associated with Covid-19, or whether they would consider themselves to be within the group of individuals at increased risk. Gathering this information on a ‘yes’ or ‘no’ basis minimises the detail of sensitive data being collected, whilst still caring for employee health and safety.
The health and safety obligation of employers, and their duty of care for employees, does not entitle the employer to disclose health data freely within the organisation. In the event an employee tests positive for Covid-19, the employer should keep staff informed about cases within the organisation but does not need to name the employees who have the virus. Employers may only share employees’ health data with authorities for public health purposes.
Safeguarding different types of information presents varying risks, but scaling down the quantity of sensitive information the company collects will help. Additionally, minimising access to certain information and implementing strict timelines for erasure are also suitable methods of reducing the risk of non-compliance.
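As an added illustration (not code from the original article), here is a small Python model of the practices described in the last three paragraphs: storing only yes/no answers, publishing aggregate staff notices without names, restricting individual answers to roles that need them, and erasing records automatically after a retention period. The 14-day retention period, the role names and the employee ids are assumptions for the example; the real retention period would come from your DPIA. `demo()` walks through a constructed scenario and returns (staff notice, whether a line manager was refused access, records erased after the period).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
RETENTION = timedelta(days=14)  # hypothetical retention period; take yours from the DPIA
ROLES_WITH_ACCESS = frozenset({"hr", "health_safety"})  # hypothetical role names

@dataclass(frozen=True)
class Declaration:  # one yes/no self-declaration: no diagnosis, test result or free text
    employee_id: str
    has_symptoms: bool
    higher_risk_group: bool
    recorded_at: datetime

class SymptomRegister:
    def __init__(self):
        self._records = []
    def record(self, employee_id, has_symptoms, higher_risk_group, now):
        # bool() coercion: callers cannot smuggle extra detail into a record
        self._records.append(Declaration(employee_id, bool(has_symptoms),
                                         bool(higher_risk_group), now))

    def purge_expired(self, now):
        """Erase declarations older than RETENTION; return how many were erased."""
        keep = [r for r in self._records if now - r.recorded_at < RETENTION]
        erased = len(self._records) - len(keep)
        self._records = keep
        return erased

    def staff_notice(self, now):
        """Aggregate figure for an all-staff update; names are never included."""
        self.purge_expired(now)
        n = sum(1 for r in self._records if r.has_symptoms)
        return f"{n} colleague(s) reported Covid-19 symptoms in the last {RETENTION.days} days."

    def lookup(self, role, employee_id, now):
        """Individual answers are visible only to roles that need them."""
        if role not in ROLES_WITH_ACCESS:
            raise PermissionError(f"role {role!r} may not view individual health data")
        self.purge_expired(now)
        return [r for r in self._records if r.employee_id == employee_id]

def demo():
    t0 = datetime(2020, 4, 1, tzinfo=timezone.utc)  # constructed timestamp
    reg = SymptomRegister()
    reg.record("E1001", True, False, t0)  # constructed sample answers
    reg.record("E1002", False, True, t0)
    notice = reg.staff_notice(t0)
    try:
        reg.lookup("line_manager", "E1001", t0)
        denied = False
    except PermissionError:
        denied = True
    return notice, denied, reg.purge_expired(t0 + timedelta(days=15))
```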
Since lockdown was implemented by the government, most organisations’ workforces have been working from home. Covid-19 does not change how staff can work from home, nor do data protection requirements hinder their ability to do so. Businesses should consider the same kinds of security measures for homeworking that they would normally use against any anticipated threats or hazards to the security and integrity of personal data at their office.
Reasonable technical measures will vary depending upon the nature of the business, but businesses should consider the following:
- anti-virus and anti-spam software
- an IT Acceptable Use Policy
- login ID and password controls
- locking screens when away from laptops or computers
- encrypting the hard drives of company-assigned laptops
- end-to-end encryption
- two-factor authentication on accounts
- access controls managed according to role
- paperless or no-printing policies whilst home working
- an obligation on staff to comply with security and data protection policies
- regular testing and evaluation of the effectiveness of technical and organisational measures
- alerting staff to new risks emerging as attackers exploit the Covid-19 crisis
- regular staff training
Whilst organisations stumble through these unprecedented times, it is important for them to remember that the processing of personal data in response to Covid-19 should be necessary and proportionate. Further, as part of their accountability obligations, organisations should ensure that all decisions made regarding the collection of sensitive data, and the safeguards implemented for home working, are documented.