FAQs - Covid-19 GDPR

The UK's data protection laws are fully in force and have not been suspended or relaxed. Organisations will need to take extra care to ensure that they remain compliant with the GDPR and other data protection regulation in these challenging times. For example, the 72 hour timescale for reporting breaches to the UK's data protection authority, the ICO, and the 1 month timescale for responding to data subject access requests still apply.

It is worth reminding everyone in the organisation of their continuing obligation to report any data protection breaches internally, which is particularly important where people are taking on unfamiliar roles as a result of a reduction in active staff numbers, as undertaking a new role may increase the risk of a breach.

The ICO have agreed to take a pragmatic view of issues in these times and are understanding of the situation in which organisations find themselves. The key is therefore to be practical and realistic about the approach you are able to take in order to fulfil your data protection obligations. If you have to deviate from normal practices or you are unable to comply with time frames due to remote working and reduced staff levels you should document why you took a certain approach and how that has maintained good data protection practices in the circumstances.

A key principle of data protection law is that personal information should only be shared where it is necessary to do so. So, where an individual is symptomatic of Covid-19, it might be necessary to share that information with others in the workplace so that they can keep an eye out for symptoms and self-isolate accordingly. It is unlikely to be necessary to share that person's identity.

Remember, health information, such as the fact of someone displaying symptoms of COVID19 will be special category personal data. The information is therefore subject to the extra protections afforded to that type of information if it is capable of being connected to an identifiable individual. It should only be shared in limited circumstances, e.g. with the explicit consent of the individual.

The answer to this will vary in each organisation, and each organisation should have an appropriate home working policy in place to regulate how employees work from home (which will also cover health and safety aspects as well as the practical steps that should be taken from a data protection perspective). If you do not already have a policy in place now is the time to consider collating your organisation's expectations of employees and guidance into a short policy to circulate to all home workers. 

Use of cloud-based remote working platforms on your own devices may be a good compromise, but care should be taken to ensure that the device you use is secure and your connection to your organisation's platform is unlikely to be compromised. This will include steps such as ensuring up-to-date anti-virus software is installed on the device.

Avoid using personal email accounts and ensure that work is saved into your organisation's software rather than locally to your device where possible.

Policies on the use of personal devices should be in place and up-to-date to help guide employees on the steps they should be taking.

It can be tricky when working from home to keep matters private, particularly where there are multiple members of the family around. Try and give yourself a separate room to work in if possible and, for work conversations and online meetings, make sure you go into a separate room where you cannot be overheard.

Print items as infrequently as possible and follow your organisation's home working policy when destroying paper documents (some employers may require you to shred at home, others may prefer you to hold on to paper documents securely and then shred them centrally).

Finally, remember that criminals will see the current situation as an opportunity to take advantage of organisations in this time, with increasing opportunities for cyber fraud. Scams are already in circulation, for example criminals are posing as HMRC or senior colleagues in an attempt to maliciously obtain financial information and access to computer systems from unsuspecting organisations and individuals. Although we may be working in very different circumstances for a while, proper procedures should be maintained or new procedures established when authorising transfers of money and releasing personal information to ensure that this risk is minimised.

There are a variety of platforms available to help improve the ability for employees to work from home, however each come with their own risks, each of which will require mitigation. It may be that some products are suitable for internal team meetings or social interactions, but not for sensitive discussions or sharing documents.

In each case, you should consider whether to undertake a data protection impact assessment (DPIA). A DPIA is required where the proposal is likely to result in a high risk to individuals, but is good practice for all new software projects. A DPIA assesses and sets out a process for mitigating the risks identified. Documenting this process through a DPIA is helpful in showing compliance with your data protection requirements, even where it is not strictly required by data protection law.

The ICO have produced a template data protection impact assessment for organisations to use and adapt, which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/.

Whilst an office is closed, proper security measures should of course be in place to minimise the risk of any theft or unauthorised disclosure of information. It's also important to ensure that there is some continuing form of monitoring of the office.

Essential maintenance of IT servers may require some physical attendance at the office. Regular checks of any postal communications should also be maintained, not least because service of claims, contractual notices and other documents may still be taking place even where the office is closed.

If only one member of staff is taking on the role of reviewing post, proper procedures should be established to minimise the risk of personal information being inappropriately shared. The individual should take extra care to ensure documents containing sensitive information are only sent to members of staff to whom it relates, thereby minimising the sharing of this information. The individual going into the office should follow lone worker policies (which should be in place to ensure the safety of the member of staff).