Coronavirus and Data Protection - Tips for employers
1. Measures introduced to combat the virus and Privacy Implications
When you are introducing measures for staff, clients and other third parties, you need to take care that you do not breach data protection laws when doing so. For example, if you are informed that a member of staff or his family has visited a region with confirmed cases and that they have or may contract the virus, you will be collecting personal data relating to those individuals as part of this process which will undoubtedly include health data. Things to think about:
Collecting health data from staff and clients
A key issue will be for you to consider whether you have a lawful basis for collecting health data from staff under Article 6 of GDPR. As health data is a “special category of personal data” for the purposes of GDPR (and needs a higher degree of protection), you’ll also need to identify a special category condition for processing health data in compliance with Article 9. Your legal obligation to provide a safe and healthy place of work for your employees (see the Health and Safety at Work Act 1974) is likely to justify the processing of health data to deal with the Coronavirus in accordance with Article 6(c) (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject).
Take care to only collect the data you need in accordance with the principle of data minimisation. Remember, it’s not your role to identify cases of the virus - this is the job of health professionals. Your job is to provide assistance and information where possible in line with the health advice issued to businesses. This stance is reiterated in the guidance recently issued by the UK government for employers and businesses dealing with the Covid-19:
2. Increased numbers of staff working at home
This gives rise to a number of potential problems regarding the security and confidentiality of client information:
Working from Home Policy: Are all staff aware of your Working from Home Policy and how to keep client information confidential and secure at home? Review your Policy to ensure that it captures all likely risks and re-circulate it to all staff. If you don’t have one, put one in place as soon as possible.
It needs to include:
Keeping hard copy data secure: No unauthorised persons (such as family members) should be able to access it or have sight of it. Your Working from Home Policy should address this issue.
Home Wi-Fi connections: Are these secure? Insist that staff put passwords in place if they don’t have them, or where they do, ensure they are changed regularly. Obtain written confirmations from staff that this has been done.
Mobile phones: Same as for Wi-Fi. Remind staff that these must be password protected and passwords are changed regularly. Although some staff will already be aware of security procedures, if you are issuing additional devices, you will need to ensure all staff follow internal policies for their use.
Laptops or other tablets: Again, passwords must be in place, changed regularly, and devices must be kept in a safe, secure place overnight, and not left in vehicles.
3. Potential staff issues – Justify the steps you take
When enforcing any new health and safety rules, you must remain compliant with your data protection obligations – even in exceptional circumstances such as the coronavirus outbreak. Justify your actions by following the health advice issued by your local health authority or other body responsible for doing so. For example, if you decide to use CCTV to monitor staff behaviour during this period (e.g. are they adhering to your “no handshake policy”) – ensure you can justify this on the basis of the most recent health advice issued. In this way you can avoid staff making complaints.
4. Staff communications and Privacy Notices
Keep your staff informed through regular communications so they know what to expect. Ensure you can answer likely coronavirus related questions. However, at the same time, make it clear to individuals why the business is collecting their information, how it is being used and what their rights are in relation to the same. If the business finds that it needs to collect new data types to specifically deal with a coronavirus issue, do not forget to notify your employees about this, as your existing employee privacy notice may not cover it sufficiently. It will need to refer to the possible use of personal contact information for employees (for example, you may need to contact staff by mobile phone to keep them informed about workplace opening arrangements, or use sick notes for a new purpose - rather than for using them to administer sick pay, you may wish to use them to check for history of respiratory illness).
You must strike a balance in terms of your employees’ rights to confidentiality. Do not name individuals who may have contracted the virus in internal communications unless absolutely necessary. You will need to balance confidentiality against your duty of care to other employees in circumstances where they need more specific information to safeguard their own health. Send separate emails to staff or clients if you have identified that they are at risk of infection and ensure that the email is kept confidential.
5. Keep your data accurate
Ensure you continue to comply with the GDPR principle of data accuracy. Make sure that any information you hold relating to coronavirus is kept accurate and up to date, otherwise it could impact the effectiveness of any new policies and procedures that you put in place.
6. Delete data you no longer need
All personal data collected in relation to the coronavirus will need to be deleted once you no longer require it. This is to comply with your obligation under GDPR to delete data once it is no longer required for the purpose for which it was collected. In the case of regulated businesses, this is likely to be a considerably shorter period than for other data you retain such as KYC information - as it’s unlikely that you will need the data once the virus threat has passed. However, remember to consider matters such as complaints received from staff or clients regarding the processing of their data and whether in certain circumstances, you can justify holding the data for longer.
7. Data Security
We’re already seeing the impact that the ongoing global coronavirus outbreak is having on businesses. In addition to ensuring that data is kept secure when staff are working from home, if you outsource any of your IT functions, you should consider speaking with your provider to check whether they have their own business recovery plans in place in the event that they suffer staff shortages – this may impact your data security.
To summarise: Notwithstanding the coronavirus outbreak and its impact on businesses, the position under data protection law has not changed. Ensure your data protection framework enables you to continue complying with your privacy obligations and keep up to date with the latest developments and official guidance or requirements.