Data protection during the coronavirus crisis – guidance for businesses
30 March 2020
As the coronavirus pandemic escalates we are starting to grapple with the challenges posed by a way of life in which lockdowns, home working and social distancing are the new norm, at least for the immediate future.
During a time when businesses are facing unprecedented organisational challenges and resources are stretched, we recognise that dealing with data protection compliance can become a real headache. We have put together this guidance in the hope that it will provide a quick answer to some of the questions you may have at this time. If you have a question which is not covered in the guidance or you require urgent assistance dealing with a data breach or rights request, please do not hesitate to contact us. Although we are now working from home, it is otherwise business as usual for the Birketts data protection team.
Will we be penalised by the ICO if we cannot maintain our usual standard of compliance during this period? Do the usual timescales for compliance still apply?
The ICO has recognised that compliance and information governance resources might be stretched and has stated that it does not intend to penalise organisations which need to prioritise other areas or adapt their usual approach during this period. When it comes to dealing with statutory timescales (e.g. for data subject rights requests), the ICO has stated that it does not have the power to extend these but it will warn people to expect delays when making information rights requests during the pandemic.
Our advice is to take a pragmatic approach. Do what you can to maintain your usual compliance approach but where this is not practicable make sure you are clear and transparent with people about what they can expect from you. If you have limited resources, try to focus on key risk areas such as ensuring you have implemented appropriate security measures for home working arrangements.
Our staff need to work from home during the lockdown, what do we need to do from a data protection perspective?
Data protection laws should not be seen as a barrier to homeworking or as preventing staff from using their own devices and communication equipment. As a general rule you should follow your usual homeworking and bring-your-own-device procedures as closely as possible. If you need to make changes to cope with new ways (or increased volumes) of home working do consider whether your arrangements give rise to any new security risks and what steps you can take to address them. Communication and support are key during this period. Ensure you communicate with your staff so they know what is expected of them in terms of working arrangements, practices and procedures. Have sufficient technical support to hand whilst your staff adapt to new arrangements to ease the transition and to remove temptation for individuals to develop their own quick fixes and workarounds.
A member of our staff has potentially contracted Coronavirus – can we tell other employees?
Yes, you can tell other staff members that an individual has potentially contracted Coronavirus. This may be a necessary step to ensure that you can protect the health and safety of your wider workforce. However, do be mindful that you are dealing with special category data. You should therefore only tell those staff members who genuinely need to know and only share the minimum information necessary to protect the health and safety of your other employees. Where possible, try not to disclose the identity of the individual who has become poorly to other staff. In smaller organisations this may not be possible but in larger organisations it should be possible to limit any identification of the individual to their immediate team or work group.
Can we ask our employees and any visitors to our site if they have travelled to any restricted countries or displayed symptoms of COVID-19?
You need to ensure you are protecting the health and safety of your workforce and it is reasonable to ask if individuals have recently visited restricted countries or have experienced symptoms to achieve this. However, you should aim to minimise the information you request and only collect new medical information about people where really necessary. You may be able to limit the amount of information you collect by advising staff and visitors to simply adhere to government guidance. Where you do need to collect information, make sure you only keep it for as long as reasonably needed, have appropriate security in place and only share it with those within your organisation who have a genuine need to know.
What do we do if authorities ask us to share employee data for public health purposes?
It is unlikely that you will be asked to share details of specific individuals but if you do receive a request from an organisation such as Public Health England you should comply with it; you will not be breaching data protection laws by doing so. On a practical note, do remember to ensure that the method you use to share the data is secure.
What lawful basis can we use if we need to process health data when managing our response to the coronavirus pandemic?
The first data protection principle requires that you identify a lawful basis of processing under Article 6 GDPR. As health data is classed as special category personal data, you will also need to ensure you have fulfilled one of the conditions of processing under Article 9 GDPR. The specific grounds and conditions used will always depend upon the individual situation but you may wish to consider the following:
| Article 6 Ground | May be used with Article 9 Condition… |
| --- | --- |
| | 9.2(a) Specific consent |
| 6.1(c) Legal obligation | 9.2(b) Carrying out obligations in the field of employment** |
| 6.1(d) Vital interests | 9.2(c) Vital interests |
| 6.1(f) Legitimate interests* | 9.2(g), (h) or (i) Public interests** |
*If you are using legitimate interests as a lawful ground of processing you should complete a Legitimate Interests Assessment.
**If using this ground you will also need to identify a condition in schedule 1 of the Data Protection Act 2018 and check whether you need to have an appropriate policy document in place.
If you have questions or need assistance please contact Mark Gipson.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at March 2020.