Coronavirus: what new steps should I be taking to comply with data protection?
This article was created by the Business Law Department. ICAEW Business Law is the professional and public interest voice of business law matters for ICAEW and is a leading authority in its field. Widely recognised as a source of expertise, the Department is responsible for submissions to regulators and standard setters and provides a range of resources to professionals, providing practical assistance in dealing with business law issues affecting ICAEW's members.
Whilst coping with all the challenges that the Coronavirus pandemic has thrown up, data protection may be a low priority for organisations. The crisis is, however, presenting a number of new challenges for data controllers and many may be wondering if new practices should be put in place. In most circumstances new practices will not be necessary as the data protection regime has not changed but you may need to consider new factors and circumstances when assessing how to process personal data and compliance with the regulations.
The Information Commissioner’s Office (ICO) has published some guidance for organisations and individuals and may issue more. ICAEW’s guidance will be updated accordingly and will be available on the Coronavirus Hub (under Employer Advice – Data Protection). In the meantime, we address below some of the questions and issues facing data controllers now.
Compliance with UK's data protection regime
Do the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 18) still apply?
Yes, is the short answer, as do the Privacy and Electronic Communications Regulations (PECR) and the Freedom of Information Act (FOI). The ICO has confirmed that it favours a proportionate response, but data protection and privacy are still important and so you must continue to comply with them as before.
The Information Commissioner has stated that the ICO will consider the compelling public interest in the current health emergency when assessing compliance with data protection. Other supervisory authorities in the EU are, broadly, taking the same stance.
- Don’t overlook data protection.
- If your data protection policies and practices have to change because of, say, staff shortages or homeworking, then you should document the reasons for the change and explain how the new practices comply with the legislation (the principle of accountability).
- You may want to contact your clients to explain how you are responding to the crisis but make sure this is in accordance with PECR.
Do I still have to respond to a data subject access request (DSAR) within one month?
Yes, if possible. The ICO recognises that staff shortages may make this difficult, but it cannot change the statutory requirement to respond within a month. It has said, however, that it understands that this may not be possible and will advise data subjects that they cannot necessarily expect a response within this timeframe. See the ICO’s advice to individuals.
- Still make every effort to respond within a month.
- Do not ignore any requests.
- Tell the requester that there may be a delay and explain why.
- Document the reasons for any delay. This should include the specific circumstances of the request and not just a general statement that COVID-19 has made it impossible to respond within a month.
Do I still have to report data breaches?
Yes, and again, the same rules will still apply. This means data controllers must still report relevant personal data breaches to the ICO and affected individuals (if required) within the statutory timeframe of 72 hours. Data processors must still report breaches to their data controller.
- Don’t ignore any potential data breaches.
- Still record all breaches, even if notification to the ICO is not required.
- If you do have a data breach that requires notification to the ICO, remember that you do not have to report that it has been resolved within the 72-hour timeframe; you just have to notify the ICO that it has occurred and what you are doing about it.
- Review your data breach action plan (or devise one) to ensure that it is up to date, particularly with regard to reporting lines and alternates to report to if, say, the Data Protection Officer or Head of IT is off due to COVID-19.
For more advice on what to do if a data breach occurs see the ICAEW’s Know How Guide: Personal Data Breaches.
Can I still transfer personal data?
Yes, but the same rules will still apply as before. Some organisations facing staff shortages, for example, may transfer certain processes to other locations, but if this involves the transfer of personal data out of the EEA then you must follow the GDPR requirements and have appropriate safeguards in place.
Will individuals still have the same rights?
Yes, is the short answer. Some individuals may however be confused about what rights they have or concerned that an organisation is holding information, particularly with regard to their health, that they are not entitled to process.
- If an individual disputes your right to process their personal data in any way, refer them to the ICO’s guidance for individuals.
- Make sure your staff are aware that nothing has changed and that individuals still have the same rights over their personal data.
- The ICAEW’s Know-How Guide: The Right to Erasure has some useful advice on this topic.
Personal data of employees
Can I disclose the name of an employee who has tested positive for COVID-19?
As before, the processing (including disclosing) of personal data is only permitted if there is a lawful basis to do so. The issue is made more complicated because disclosing that someone has COVID-19 is disclosing information that falls within the definition of ‘special category’ data. So, the answer is that it depends, but in brief:
1. Yes – if requested to do so by a medical or public health authority.
2. No – if requested by fellow employees. You can (and probably should) disclose to your employees that someone has tested positive or has symptoms, but it is unlikely that you need to name them, so don’t (but see below).
3. Yes – in some situations it may be necessary to communicate the name to other employees, for example to identify other (potentially) infected persons who have been in close contact with the infected person. This will need to be decided on a case-by-case basis and documented.
- Remind your employees that you and they can disclose, but not name, that someone has been diagnosed with or is displaying symptoms of COVID-19.
- If you feel you have to name the person, this can only be to protect other workers, and before you do so you must inform the employee that you are doing so and why.
- Update your privacy notice for employees to inform them what personal data you may need to process to meet your responsibilities during the pandemic.
- If you have offices outside the UK, check the situation there as it may vary.
What about collecting and processing data about an employee’s health?
The collection and processing of special category data, such as information about someone’s current health, is only permissible if it is necessary to protect the health, safety and welfare of the individual and other employees. This is in accordance with the employer’s duty to provide a safe working environment. In this instance the collection and processing of information about employees either diagnosed with or showing symptoms of COVID-19 will fall within this duty. But care still needs to be taken to protect the personal data rights of the individual.
- Ensure that processing is limited to the extent truly necessary.
- Document why you have followed a particular course of action.
- Consider the retention period for any data collected in response to the pandemic; retain it only for as long as it is required for the specific aim of managing the outbreak of the virus or its effects. It may, for example, be unnecessary or inappropriate to retain this personal data once the virus has been controlled and life returns to normal.
Can I ask employees or visitors if they have been abroad (and where) and/or are experiencing COVID-19 symptoms?
Yes, as you will need this information to assess whether they can come into work or visit your premises.
- Explain to employees and visitors why you need this information.
- Put in place processes to delete this information once it is no longer required to keep your employees safe.
If I am aware that one of my employees has an underlying health condition that may make them more vulnerable can I disclose this to other employees?
Cyber security and home working
Most of my staff are now working from home. Am I still responsible for maintaining cyber security over their equipment and activities?
Yes. Part of complying with the GDPR is the need to ensure that all personal data is kept securely. So, as before, you need to ensure that all your staff are aware of their responsibilities under the GDPR.
- Remind staff and/or offer training to staff, particularly those who are not accustomed to working from home. This should include advice on:
  - Spotting and dealing with suspicious emails.
  - The need for strong passwords.
  - Procedures for the safekeeping of sensitive/confidential hard copy documents.
  - Procedures for the safe destruction/disposal of hard copies and deletion of soft copies.
  - Storing and using equipment, including laptops and USB devices, at home, e.g. putting them away at the end of the day and preventing unauthorised access.
- Make sure that all personal equipment used in your employees’ homes is protected.
- If you are buying new equipment or software, test them thoroughly before rolling them out and make sure all staff are trained in their use.
ICAEW has prepared the following guides:
ICAEW’s Cyber Security webpage has more advice on cyber security in general and our Coronavirus Hub is constantly being updated with advice on the resources available to help members overcome the challenges posed by the pandemic.
Many software providers are offering free tutorials on home working, tele- or video conferencing etc. that you may find helpful to share with your employees or clients.
The UK’s National Cyber Security Centre has also published some advice on cyber security during the pandemic including advice on homeworking.
If you need to know more
Other published guidance from the ICO
The ICO has published COVID 19 related guidance for the following specific groups:
Further advice is available from the following:
- ICO’s Coronavirus hub
- The European Data Protection Board (EDPB) - latest advice (published on 19 March 2020)
- ICAEW’s GDPR hub and Coronavirus hub
All the above are being updated on a regular basis.