COVID-19: What are the implications for data protection?
As governments work to contain the COVID-19 pandemic and companies implement emergency measures to comply with public health initiatives, it is important that any steps taken are consistent with the EU General Data Protection Regulation (“GDPR”). We set out below the basic data protection questions you may have from a UK perspective.
Will action be taken against us if, given the circumstances, our company’s data protection isn’t up to our usual standard?
No. Whilst it is clear that there is no general waiver for compliance in a public health emergency, the Information Commissioner’s Office (“ICO”) has said that it understands companies may have to divert resources from usual compliance and governance work to deal with other matters, and it will not seek to penalise such behaviour during this crisis.
Do more lenient security measures apply with staff working remotely?
No. You will need to put in place the same types of measures that would apply in the workplace, particularly as staff may be using their own devices or communications equipment. For example, companies should be:
- reminding staff to use secure Wi-Fi networks
- reminding staff that data needs to be held securely in your IT network or other approved environments within your company’s control and security framework
- cautioning staff about the increased risk of hackers during the transition to homeworking
- arranging IT training to remind staff what they should and should not be doing
- updating data breach plans
We’ve been told by a member of staff that they have contracted COVID-19. Should we tell our staff?
Yes. You have a duty of care to your staff, which means you should keep them informed about cases in your company. That said, you should be careful not to disclose more information than is strictly necessary to protect their health and safety (e.g. you may not need to name specific individuals). If you do decide to name individuals, the specific member of staff should be informed of the communication in advance and their dignity and integrity should be protected.
Can we contact our staff to let them know what’s happening in the office?
Yes, you can. Though you should obtain the specific and informed consent of your staff to process their private contact details in order to make contact with them at short notice in relation to COVID-19 (you should not, for example, then use these details to contact them outside working hours once things have returned to normal).
Can we ask our staff if they have travelled to a high-risk country or whether they have been in contact with people who have COVID-19?
You can ask staff reasonable questions for the purpose of protecting your workforce’s health. These might include asking whether they have visited a particular country or are experiencing COVID-19 symptoms. Ideally all such measures would be supervised and signed off by a health care professional / occupational health professional, in particular if health data are being processed. It is important you ask only reasonable questions. For example, the nationality of the individual or the identity of those friends or family with whom they have had contact is not data you need to obtain.
If we are asked by the authorities or the NHS to share staff health information, can we share it?
Yes, although it is unlikely that your organisation will need to share information with authorities pertaining to specific individuals. Wherever possible, avoid processing specific health-related information which can be linked back to an individual.
What else should we bear in mind when sharing/using personal data?
- Maintain a record of any consents and lawful bases for processing
- Clearly explain what data is being collected, by whom and for what purpose and use it for that purpose only
- Store data securely (e.g. encryption, anonymisation, pseudonymisation, etc.)
- Keep personal data up to date
- Comply with the other relevant GDPR principles (e.g. retention)
The ICO has recently published helpful guidance on these issues. For further information see the following articles on the ICO website: “Data protection and coronavirus: what you need to know”, “Data protection and coronavirus” and the ICO’s blog on its information rights work.
The above does not constitute legal advice, nor is it a complete list of issues to consider in the context of COVID-19. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.