Debbie Brett and Jennifer Scott, in our Corporate & Commercial team, offer a reminder for businesses of the need to consider their data protection obligations in light of increased homeworking and the COVID-19 pandemic.
During this time of uncertainty, data protection may not be the first topic on your agenda and the Information Commissioner's Office (ICO) has stated in recently published guidance that they “understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work”.
However, it is still important for businesses to give due consideration to their data protection obligations.
The ICO has stated that data protection should not be a “barrier” to those who should be working from home. The practical approach is to consider the best practice that should be implemented to ensure that you and your business are able to be versatile in overcoming the new challenges posed by COVID-19 whilst remaining compliant with data protection laws.
Practical considerations
With the swift rise in employees and workers now needing to work from home, businesses should carry out a data protection risk assessment to target any vulnerable spots that may give rise to data protection breaches and non-compliant practices.
1. Are your data protection policy and data protection standards up to date?
At this time, it is highly recommended that your data protection policies are updated to deal with any changes in how your company operates, whether this is in relation to:
- employees now working remotely;
- how information should be shared internally and externally; and
- any changes that should be communicated to consumers and customers about how their data is processed.
2. Are your employees and workers complying with data protection practices?
If you have not done so already, it would be good practice to issue a reminder to employees and workers about your data protection standards and duties of confidentiality. This can provide the simplest reminders for staff (e.g. to ensure that sensitive information is properly destroyed rather than disposed of together with general domestic waste). If employees and workers are no longer able to contact data protection officers or their line managers in the usual way, do they have clear and accessible modes of communication to express any issues or queries they may have relating to data protection? Thought should also be given to logging how employees and workers are transferring and storing personal data – is customer data being stored on personal laptops and what security measures are in place?
3. Are your methods of communication secure?
With a high proportion of workforces now working from home for the foreseeable future, electronic means of communication have also seen a sharp rise in use, as we have recently seen demonstrated by the Prime Minister's use of the Zoom app for Cabinet meetings. Privacy-conscious users should therefore consider whether they are using appropriate means of communication for their business. Tech companies that provide these communication services have often been criticised for their data protection practices. Facebook, the owner of WhatsApp, currently awaits the European Courts’ final decision over whether its transfer of EU citizens’ data was in violation of their privacy, whilst a decision of the Chamber Court in Berlin found Facebook had recently violated consumer and data protection law, resulting in a significant fine. Zoom has also experienced criticism for its lack of transparency on how data is shared with third parties and its function allowing a “host” to make a recording of the conference involving automatic transcribing. This therefore raises the question of how you can effectively manage data recorded and shared using these platforms.
4. Are you complying with the data protection duties owed to your employees and workers?
Some organisations (primarily those employing keyworkers) have begun to systematically take individuals’ temperatures in the workplace or introduced other practices that involve recording health data about their employees and workers, which can constitute special category data and therefore carries more burdensome obligations.
Although such measures may be required in compliance with a duty of care and health and safety provisions, thought should be given to how such data is being recorded and stored and what retention policies are appropriate. The ICO has stated that businesses should keep staff updated about COVID-19 cases in the workplace but should ensure that the individuals’ personal data is not shared beyond what is required.
If you have any concerns about how your business is complying with data protection during this period, please get in touch and we can provide you with specialist regulatory advice about your practices, including reviewing the data protection policies of any third parties you may be engaging with.
For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.