In order to help our clients navigate some of the data protection challenges they may face as a result of the COVID-19 outbreak, here are some of the most commonly asked questions.
Our COVID-19 Pandemic Planning Team has asked the HR team whether it can access our employees’ health information to enable it to identify those at risk. Is this OK?
It’s sensible to have a plan in place to support your workforce, should your organisation be affected by COVID-19. Health information is defined as special category data under GDPR and should always be protected and treated sensitively. Rather than allow the Pandemic Team access to employee health information, you should consult with your workforce and ask employees to voluntarily disclose relevant health conditions which may put them at risk. The organisation should clearly advise employees about how and why their health data will be processed and only use it for the purpose it is collected. You should limit the amount of information collected to only that which is necessary and relevant and store this securely, limiting access to it. Lastly, this information shouldn’t be kept forever and should be destroyed once it is no longer required.
Our employees will need to work offsite and, to do so, they may need to take some of our IT equipment and client information away from our office. What steps should we take to protect our clients’ personal data?
Issue employees with secure IT equipment that allows them to work remotely. Laptops and USB drives should be encrypted, and clear guidance should be given to employees on agile working and how to protect personal data when offsite. Where possible, limit the amount of physical records removed from your office. Instead, scan paper records and save them as secure electronic files that can be accessed remotely. If you must remove physical records containing personal data from your office, keep a record of what is being taken offsite and ensure that these are stored securely at home.
We have received a subject access request (SAR) from a customer. We have copies of the customer’s personal data in our office which we can’t access. We will miss the response deadline. What should we do? Will we be fined?
Deal with the request as quickly and efficiently as possible and let the customer know that there will be a delay, or that you may only be able to provide part of the information at this time. Communication is key. The Information Commissioner will not take action against organisations that are unable to meet the one-month response deadline if they are impacted by the COVID-19 outbreak.
We will all soon be working from home and are concerned about how we would practically manage a data breach. What should we do?
When working from home it is more difficult to convene your incident management team and investigate a security incident. You should develop an agile incident management plan identifying key people in your organisation who can be on call should an incident occur. Set up a conference line and share the details with your incident management team so you can meet quickly if needed. If the incident is reportable to the Information Commissioner, you should report it within 72 hours of discovery. If you miss the deadline, report as soon as possible and explain the reason for the delay to the Information Commissioner.
We are concerned about visitors coming into our office who may have COVID-19 or have been in contact with someone who has COVID-19. What practical steps can we take to protect our staff?
Practical steps your organisation can take include reducing face-to-face meetings wherever possible and conducting meetings at a distance using telephone, video conferencing, Skype etc. If it is necessary to keep your reception area open and/or to have some face-to-face meetings, you may wish to deliver a Welfare Notice to visitors prior to the meeting encouraging those who have symptoms, however minor, or who have been in the company of someone with symptoms, not to enter. We recommend these are also displayed at the entry points and reception areas in your buildings. Hand sanitiser can be placed at entry points, and meeting rooms can be laid out so that individuals are not sitting close together.
Our employees conduct services at our clients’ offices and some of them have informed us they now need to self-isolate. Can we tell our client it is because they need to self-isolate and, if so, what should we tell our clients?
Clients will naturally wonder why your employee will no longer be able to attend their office. In our view, it will be important for the client relationship to inform them that the employee cannot attend as he/she needs to self-isolate. The sharing of health information should always be limited to what is absolutely necessary, and while we are of the view that there are substantial public interest grounds to inform clients that the relevant employee needs to self-isolate, you should limit the amount of information shared where possible. In some situations, clients may request further information about the reasons for self-isolation, e.g. if it is because the employee has returned from Italy recently but is not showing symptoms. This will allow the client to risk assess the situation and identify the steps it should take as an employer to protect its own staff, particularly those that came into close contact with your employee. The Information Commissioner has stated that it recognises that it may be necessary to share such personal data to cope with COVID-19; therefore it is expected that no regulatory action will be taken in this regard unless excessive sharing can be demonstrated.
The Information Commissioner has also issued guidance on data protection for organisations in light of the COVID-19 pandemic, which can be found at www.ico.org.uk.
Loretta Maxfield is a Partner and Morgan O’Neill is Director of Data Protection Services in our specialist Data Protection team. If you have any further queries, please contact Loretta or Morgan on 03330 430350, or by emailing lmaxfield@thorntons-law.co.uk or moneill@thorntons-law.co.uk.