Covid-19, otherwise known as Coronavirus, has shown no signs of slowing down. The pandemic has reached a crisis level and the ICO has given guidance on data protection requirements that may affect data controllers. It is important that employers keep track of the impact of the virus both on their employees and customers.
GDPR and Coronavirus
GDPR limits what kind of personal data, and how much of it, can be shared with third parties. But there are also obligations on employers to collect data to protect the health and safety of employees. Because of the way Coronavirus is transmitted, employers can ask about recent travel history and about underlying health conditions, including whether an employee is immunocompromised, to determine who is more vulnerable to the virus. This would be an appropriate and important move to assess required safeguarding protocols.
This type of data is classified as ‘special category data’ under GDPR. As such, extra measures must be taken to keep it secure. Employers cannot disclose any information about ill individuals in company communications, including which symptoms they are presenting with.
In a recent statement, the ICO said, “public bodies may require additional collection and sharing of personal data to protect against serious threats to public health”. The regulator further stated that it takes matters of “serious public concern” into account when deciding a course of action.
Upheaval for businesses?
Under the circumstances, the ICO has given businesses some leniency around data protection. The body has said it will “not take regulatory action against organisations that will not manage to respond to information rights requests (DSARs) within the statutory deadlines.” This allows employers to have some leeway when prioritising tasks during this busy period.
Businesses that have employees frequently travelling must ensure they check and adhere to the Foreign and Commonwealth Office’s travel advice (if they are based in the UK).
What can employers do?
When deciding what information to share, there should be a process of estimating whether the shared information could be used to identify individual employees. If there is a confirmed case of Coronavirus at your workplace, the ICO advises organisations to consider any action they can take to avoid sharing the employee’s personal data. On the whole, it is for each business to determine which measures are taken to protect employees. Specialised assessments of employees who have been in close contact with the infected person are a much more robust step than sending out widespread communication about the case. Businesses have an obligation to protect the health of their employees, but this can be done without collecting masses of information about them.
One way in which many companies are dealing with the pandemic is by allowing employees to work from home, and many workers could choose to self-isolate in the coming weeks. With this, there may be an increase in employees using their personal laptops or mobiles to access company files, emails and software. This could prove detrimental for an organisation’s data security if the employee’s own devices are not set up with the same standard of security software. Additionally, organisations may choose to utilise a ‘Bring Your Own Device’ (BYOD) policy. This would involve things such as recommending appropriate software or even giving employees a stipend to ensure they are able to have the latest versions. It is important that the policy is robust enough to protect against possible data breaches and that every employee signs up to it and understands the risks of bringing their own device.
What can employees do?
It is important that when you’re working from home you comply with both GDPR requirements and your organisation’s own privacy policies. You should ensure that your devices are used in a safe location so that no one unconnected to the work can view sensitive information, and ensure that devices are locked when not being used. The latest updates on your apps and device software will safeguard against virus and attack risks, so conduct daily update checks on your App Store. If you’re unable to access your organisation’s cloud or network system from home, then ensure any data you save is saved separately and in a password-protected folder.
Make sure you’re using work email accounts to sign into things like Microsoft Office or Gmail. Our personal accounts are usually set as the default on our home devices, so it’s important to check that work ones are being used. As always, double-check who you’re sending an email to before you press send – especially if it includes personal information – and if you’re sending to multiple email addresses, consider using BCC.
Advice from the Experts
Jamal Ahmed, Director of Kazient Privacy Experts, gave specialist advice for businesses, saying:
“It’s an important time to remember that most data incidents are down to human error.
With this in mind, businesses must take extra care when allowing employees to work from home and especially if they are logging on from their own devices.”
He further stated:
“The last thing an organisation wants to suffer right now is a major data incident. The Covid19 pandemic has created enough challenges for organisations to be able to continue to function and the increase in working remotely makes organisations more vulnerable.”
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.