As we all need to help reduce the transmission of COVID-19 across the UK, and given the practical measures that we must all take, organisations are having to rapidly and significantly change how they operate. This brings new processes and approaches to managing data. However, data protection rights and compliance obligations continue. In the UK, the Information Commissioner (“ICO”) has been prompt to issue practical guidance:
The ICO makes a clear point that Data Protection laws will not prevent you from making appropriate adjustments in order to help you deal with the crisis. A key message is that data processing should be proportionate, saying “if something feels excessive from the public’s point of view, then it probably is.” Organisations must weigh up risks to their businesses, people and wider society, against individuals’ rights to privacy on a case by case basis.
The ICO acknowledges that organisations may now have less resource available and has pragmatically advised that they won’t penalise organisations that they know need to prioritise other areas or otherwise adapt. They have said they can’t extend statutory timescales, but they will raise awareness that there may be understandable delays to responses to information rights requests during the pandemic - no change to the law but a clear indication that the ICO is sympathetic to the challenges that businesses face at this extraordinary time.
You have an obligation to protect the health of your employees, in particular where remote working is not an option. But that doesn’t necessarily mean you need to gather lots of information about them. The ICO takes the view that it is reasonable to ask people to tell you if they are experiencing COVID-19 symptoms. This may be all you need to manage the risks. If there is still a need to collect specific health data, you should only collect that which you need.
For their protection, staff should be informed that there are cases but only minimal information should be shared to provide the necessary practical protection. The ICO advises that you probably don’t need to name the individuals with the symptoms. Decisions about such sharing will need to be made quickly. Try to set the criteria in advance. Document the decisions.
Data Protection law is certainly flexible enough to accommodate remote working practices. However, whilst the safety of your people may be at the forefront of your minds, security of personal data is as important now as ever. With the increase in remote working, the pandemic brings increased risks and cyber criminals see a situation that they can exploit. Ensure that systems and equipment are secure and that processes cannot be circumvented. Remind staff of practical steps they can take to protect business and personal data, e.g. by keeping equipment and documentation secure, not disposing of confidential data in the domestic waste, not connecting unauthorised personal devices to the network, not sending data to personal email addresses and being alert to phishing and other scams.
Employers may have an increased desire to monitor their workers who are now working remotely (e.g. by tracking their location using GPS-based location data from smartphones). However, not only do employees have a legitimate expectation of a degree of privacy in their work environment, but they also expect that they can keep their personal lives private. New monitoring activities have to be justified. Undertake a documented privacy impact assessment, identifying a clear purpose and need, and assessing the risks that you need to address against the intrusion to privacy. Should you decide to go ahead, employee expectations must be set appropriately.
Businesses are having to think quickly about adapting their business either to survive or to provide essential relevant services. This may involve previously unforeseen processing or sharing of personal data. It may also involve changes to customer base (e.g. from B2B to B2C) and use of new advertising methods, such as increased use of online advertising and potentially ad tech (an area that is under particular scrutiny from the ICO). Data Protection law still applies even though it does not exist to prevent businesses from taking necessary and proportionate measures. The challenges need to be worked through with careful thought to ensure that businesses find a compliant way forward.