Although Covid-19 has caused a great deal of unprecedented disruption for businesses, the General Data Protection Regulation (GDPR) [and the UK equivalent, the Data Protection Act 2018 (DPA2018)] still applies.
The Information Commissioner’s Office (ICO) has acknowledged that personal information might need to be shared quickly or that your ways of working may need to be adapted to reflect less staff being available.
Data protection legislation will not stop you from doing that; it is simply about continuing to do things in a manner that respects an individual’s personal information and safeguards it from inappropriate disclosure.
There are two key aspects to the current situation:
- Collecting and processing health information
- Securely working remotely from home
Fundamentally, health information is Special Category Information, and the additional safeguards and consent requirements that come with it still apply.
For processing health information, you need a secondary condition for processing in place. The usual one for health information is explicit consent where the individual allows you to record their current health situation.
However, because of the importance of lawfully obtaining health information to fight this pandemic, you are likely to rely on vital interests or public health, depending on the type of organisation you are; for example, care homes would look to use vital interests in order to protect their vulnerable residents. If the individual has already made the information publicly available, this could also be your secondary condition.
Anonymised sharing of information
Although a member of staff has provided you with health information, if you need to share it, the information can be anonymised. For instance, you can tell your staff that a colleague may potentially have contracted Covid-19 and is self-isolating; however, you probably don’t need to name the individual, and you shouldn’t provide more information than necessary.
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them. It’s reasonable to ask people to tell you if they have visited a particular country or are experiencing Covid-19 symptoms; however, to minimise the information you collect, you can simply advise staff to call 111 and comply with Government advice.
With social distancing being one of the key measures to prevent the spread of Covid-19, huge numbers of people are now working remotely. This does, however, introduce some information security risks, with potentially less secure access to your systems and the potential use of non-organisational devices.
Staff should be aware that they still need to ensure the security of the information that they have access to and use it appropriately.
Remote working essentials – Employees
- Secure Wi-Fi connection
- Fully updated anti-virus/malware protection
- Updated operating system and the latest software updates
- Use the computer, laptop or device so as to minimise the risk of anyone else in the household seeing what’s displayed on the screen. This is especially important when working with Special Category Information
- Do not allow other members of the household to use the same device wherever possible. They may inadvertently compromise the integrity or security of the data you’re working with
- Lock your screen before moving away from your device
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up periodically in a secure manner
Remote working essentials – Employers
- Provide initial and then updated information on how to react in case of problems e.g. who to contact
- Set out in a policy your expectations about security whilst working from home – it will ensure everyone knows what they need to do
- Reiterate the need to recognise and report information about data incidents
- Ensure adequate support is available
- Consider restricting access more than usual e.g. to sensitive business information
- Keep in touch with your team as isolation can have a negative effect on their mental health. Video conferencing can be a very useful tool to do this
Remote working enhancements – Employers
- Provide access via a VPN with multifactor authentication to allow ‘normal access’ to your network and avoid the need for the employees to store your data on their own device
- Consider providing devices to employees. This will allow you to ‘lock down’ the device to only software you’ve approved and authorised. In the event the device is lost or stolen, it will also allow you to wipe it remotely, where possible, to safeguard your data
- If you’re likely to consider increased working from home in the future, ensure that devices such as new laptops are encrypted to enhance the security of your data
- Wherever possible, use work email accounts rather than personal ones for work related emails
- If you need to temporarily use a personal email account, ensure that you keep the contents professional and appropriately worded by complying with your organisation’s email guidelines. Once you return to ‘working normally’, these emails should be removed from your personal email account and added to the organisation’s data. They are disclosable if the individual receiving or sending them makes a Subject Access Request and they contain personal information
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or special category information. When sending large amounts of special category data, the data should be password protected or, ideally, encrypted, with the password provided by a completely different medium (e.g. text message or telephone call)
Don’t forget that GDPR applies not only to electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
If you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
- GDPR and DPA 2018 still apply
- Working from home is most successful when it’s carefully planned and the member of staff receives appropriate support and guidance
- Ensure all work emails are professionally worded
- Unless you’re working on the business network or in the cloud, ensure you periodically back up your work – it’s just as annoying to lose a morning’s work now as when you’re sitting at your normal desk!
- Create a remote working policy which sets out the behaviours and practices that staff should be implementing when working from home
- Ensure that data incidents continue to be recognised, recorded and reported to the ICO as appropriate
- Create a Business Continuity Plan using the experience and lessons learned to create a robust plan for the confidentiality, integrity, and accessibility of business information
- There’s lots of free help and advice available to help you e.g. downloadable infographics to help clarify things for your staff
Data protection legislation will not stop you working remotely from home; it is simply about continuing to do things in a manner that respects an individual’s personal information and safeguards it from inappropriate disclosure.
- The Information Commissioner’s Office website
- The European Union Agency for Cybersecurity (ENISA) website
- Coronavirus help and information
Ian Cooley, GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.