The Information Commissioner’s Office (ICO) has recently released guidance on the unprecedented challenges being faced by organisations during the Coronavirus (COVID-19) pandemic (available at https://ico.org.uk/for-organisations/data-protection-and-coronavirus/). The ICO has confirmed that it will not take regulatory action against organisations that need to prioritise areas other than data protection, or where organisations need to adapt their usual approach during the COVID-19 pandemic. However, organisations must still be mindful of their data protection obligations as the ICO’s more lenient approach will only extend to those organisations and circumstances that are legitimately affected by the COVID-19 pandemic.
Key points from the ICO guidance:
Data protection law will not stop organisations from adapting their usual practices in response to the pandemic, but organisations must be proportionate in their approach.
The statutory timescales for responding to information rights requests continue to apply. However, the ICO will be notifying individuals through its own channels that they are likely to experience delays when making information rights requests during this pandemic.
Organisations may need to allow far more homeworking than usual. However, they must apply the same security measures to homeworking that they would ordinarily apply in the office. Such measures include the appropriate and secure disposal of confidential information and accessing work systems only through the organisation's approved remote access to its servers, rather than through ad hoc tools or personal accounts.
Organisations can inform employees that a colleague may have contracted COVID-19, but should not provide more information than is necessary; for example, it may not be necessary to name the individual.
It is reasonable to ask employees whether they are experiencing symptoms, or whether they have visited a particular country recently. However, organisations should not collect more specific health data than they need, and any health data that is collected should be protected with appropriate safeguards.
Practical steps you can take now:
All staff who handle personal data should receive initial and refresher GDPR training. As we approach the second anniversary of the GDPR, now is a good time to check whether your GDPR training programme is up to date. Even if your staff have all received appropriate training, many employees are now working from home, so it is worth reminding them of their data protection obligations and offering practical tips on how to comply when working remotely. Knights can support with all aspects of GDPR training (including virtual training), which can be tailored to your business and any particular concerns you may have.
As many organisations tackle remote working for the first time, hastily configured systems and remote access are likely to be more exposed than usual, and hackers and fraudsters will unfortunately take advantage of the situation. Ensure that you have a data breach policy in place so that your staff know how to recognise a personal data breach and escalate it promptly; the GDPR clock for notifying the ICO of a reportable breach (72 hours from becoming aware of it) does not stop because staff are working from home. If your organisation suffers a breach, engage legal advice at the earliest opportunity to ensure that you take the right steps to contain the breach and comply with your breach reporting obligations.
If your organisation is preoccupied with issues caused by the ongoing COVID-19 situation, it can be easy to miss the deadline for a subject access request (SAR). In the circumstances the ICO may be more forgiving of such a delay, but it has confirmed that the one month timescale still applies. Further, delay is likely to cause frustration on the part of the data subject, which may lead to a complaint. Best practice is of course to respond to the SAR as soon as possible, but this is an exercise that should not be rushed: responding to a SAR often involves reviewing and redacting a great deal of information. If you lack the time or resource, Knights can offer support, either by way of ad hoc advice or a fully outsourced service.