Practical, Technical and Legal hints and tips for processing employee health data
Morgan O'Neill, Director of Data Protection Services, and Phil Telfer, ClearSky Logic, provide a number of hints and tips on how organisations should approach the processing of employee health data during the COVID-19 pandemic.
Since the COVID-19 pandemic struck, many organisations have been put in a position where they need to collect additional health information about their employees. The data processed may relate to COVID-19 symptoms, diagnosis or exposure to other individuals with the virus. As we continue to navigate our way through the health crisis, this trend is set to continue. We see businesses drafting and issuing staff health questionnaires to assess their employees' physical and mental health and wellbeing, and even family circumstances, prior to inviting them to return to the workplace. Other businesses have begun carrying out manual contact tracing activities to monitor staff and visitors as they enter and exit their premises, and some have introduced temperature and thermal imaging tests to help reduce the spread of COVID-19. All of the data being captured is particularly sensitive and, for the majority, goes well beyond what employers would have collected prior to the pandemic.
Data protection law doesn’t prevent businesses from collecting this type of health data during a public health crisis. It is necessary for employers to process this data to ensure that they can monitor and protect the health of their workforce and both private and public sector organisations have a lawful basis to process this type of information within the law. For private organisations and some private employers, they will process this information because they have a legitimate interest and an obligation as an employer to ensure the safety and wellbeing of their employees. For public authorities carrying out their function, they process the data on the basis that they are carrying out a public task which is in the public interest. Other public or private organisations will process this information because they have a legitimate interest to do so and an obligation as an employer to ensure the safety and wellbeing of their employees. However, identifying a basis to process the information under data protection law is merely the first step. With the processing of this sensitive information comes the added responsibility of making sure that this data is processed in accordance with all of the requirements of data protection law.
In summary, this means making sure that employers are transparent about the processing of COVID-19 related health data, only process the minimum amount of data needed to achieve a defined purpose, make sure the data is accurate and secure, and only store the data for as long as necessary. This type of data is defined as special category data under data protection law and requires enhanced protection. Consequently, one of the biggest considerations for businesses at this time is how best to protect this kind of data to prevent loss and unauthorised access. In many cases, time constraints have led to the hasty introduction of procedures to collect this information without seeking advice on how best to approach this from a data protection and security perspective. Some businesses may be confident that the processes they have in place meet all the necessary requirements. However, as with all new data processing activities that present a risk to the privacy of individuals, businesses shouldn't be complacent and should document their approach to this activity in a data protection impact assessment to assess any new or untreated risks which may arise in the context of processing this type of information for a new purpose.
In a practical business sense, employers need to ensure the information collected can be easily identified and analysed as a specific data set in order to respond quickly to risk-assess situations where staff have been diagnosed with COVID-19, manage resource levels and assess the financial impact of the crisis. Any business requirements need to be reviewed alongside the risks of non-compliance with data protection law and the potential for investigation by the regulator should something go wrong. The ICO is unlikely to be sympathetic if you lose or put at risk the sensitive special category data your employees trust you with.
Tips for keeping COVID-19 Health Data Safe
Individual Access permissions
From a technology point of view, health data is another example of personal data which needs to be secured appropriately. It is private data about employees which the organisation now holds. It needs to be stored and distributed appropriately, and any access to that data needs to be recorded.
The Principle of Least Privilege (POLP)
Often organisations have perhaps one, two or three different levels of security access to data. This is normally not sufficient to implement the Principle of Least Privilege (POLP). POLP starts from the standpoint that a user should have zero access to data, and should only have read or write access to data if it is required as part of their job. Read access and write access permissions are therefore considered separately. Using this approach, users start with no access to any data, and a case then needs to be made to grant them read or write access to particular data. This is done not on a case by case basis but on a role by role basis. Clearly some roles will need access to more data than others.
- Are you able to demonstrate POLP being implemented in your organisation?
Considerations for new data types
If an organisation starts to store a new type of data, such as the health data of its employees, then the default position for an organisation that has implemented the Principle of Least Privilege is that no individual has access to that data. Only those individuals whose roles require access to that data (e.g. HR, Legal) should have access granted. Health data is an example of a new kind of data which should be carefully controlled and not treated in the same way as everything else. If you haven't already implemented a strict access approach to the data you are holding as an organisation, health data increases the need for one.
- Are you treating new data types appropriately?
The Audit Trail
An audit trail is invaluable if and when an organisation needs to track which user has accessed what data. An audit trail can seem like just a way of building up reams of unused data, but when you do come to need it, it is extremely useful! The way that data is often accessed maliciously is via a user's credentials being compromised and used to access whatever data that user can reach. Going back to the Principle of Least Privilege (POLP): if that user has access to everything, the malicious actor who has taken control of that credential now also has access to everything in your organisation. If you have limited data access on a Principle of Least Privilege basis, you can be more certain of the limits of the access gained.
If you do not have an audit trail in this situation, you cannot be sure which data has or has not been accessed using that user's credentials.
- Would you be aware if data has been accessed maliciously in your organisation?
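The three controls described above (role-based default deny with read and write granted separately, no access to a newly introduced data type until a role is explicitly granted it, and an audit trail of every access attempt) in one small Python model. This is an added example, not code from the article or from ClearSky Logic; the roles, data types and user names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role model (assumed for this example, not from the article).
# Default deny: a role has no permission on a data type unless it is listed
# here, and read and write are granted separately, role by role.
PERMISSIONS = {
    "hr":        {"health": {"read", "write"}, "visitor_log": {"read", "write"}},
    "legal":     {"health": {"read"}},
    "reception": {"visitor_log": {"write"}},
    # no entry for "engineer": that role has zero access to everything
}

@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    data_type: str
    action: str
    granted: bool

class AccessController:
    """Checks every request against PERMISSIONS and records it, granted or not."""

    def __init__(self):
        self.audit = []

    def check(self, user, role, data_type, action):
        # A data type nobody has been granted yet (e.g. a new "temperature"
        # set) falls through to the empty set, so the answer is False.
        allowed = action in PERMISSIONS.get(role, {}).get(data_type, set())
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, role, data_type, action, allowed))
        return allowed

    def accessed_by(self, user):
        """The audit question from the article: which data has this user touched?"""
        return sorted({(e.data_type, e.action) for e in self.audit
                       if e.user == user and e.granted})

    def denied(self):
        """Refused attempts, in order: the signal worth reviewing or alerting on."""
        return [(e.user, e.data_type, e.action) for e in self.audit if not e.granted]

def blast_radius(role):
    """The most a compromised credential for this role could reach."""
    return {dt: sorted(acts) for dt, acts in PERMISSIONS.get(role, {}).items()}
```

Because every request is answered from the role table and logged, the same log answers both "what did this account touch?" and "what could it have touched?".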
Passwords and Two Factor Authentication
Strong Passwords
Some of the best defences are the authentication processes in place in almost every system you use. Passwords are notoriously risky because people tend to choose easy-to-guess passwords so that they find them easy to remember. A password manager (such as LastPass, KeePass, Dashlane or 1Password) will help you maintain strong and unique passwords across all the systems you use. No more using your favourite football team's name or the name of your dog as your frontline security strategy!
- Can you be sure your system passwords are strong?
Two Factor Authentication
Two Factor Authentication (2FA) is where a secondary action is required to authenticate you. Usually this involves having access to a mobile device or a specific email account. Having the login details alone is then no longer sufficient to gain access to the system.
- Can you be sure nobody is logging on behalf of your genuine Users?
Informal Data Sharing
Outside of formal systems, email is probably the biggest culprit in individuals inadvertently broadcasting sensitive information. Instead of documents and data being stored and shared on a system that has security built in, documents shared via email can easily find their way to a wider audience. Additionally, email should be considered akin to sending a postcard – anyone who intercepts it in transit can read it – so it is not a suitable platform for the transmission of sensitive or private data.
- Are your staff sharing sensitive data via email?
Security: a combination of issues
A security strategy, and the risks it addresses, are best considered as a combination of factors.
Weak passwords, blanket data access privileges, lack of audit trail – all combine to create a perfect storm.
Strong passwords, Two Factor Authentication, Principle of Least Privilege data access controls and a comprehensive audit trail – all combine to put you in the most favourable position to prevent, mitigate and report upon any unauthorised data access.
- Where does your organisation fit between these two extremes and how could you improve this position?
For support or advice on data protection or data security matters, please contact Morgan O’Neill, moneill@thorntons-law.co.uk or Phil Telfer, phil.telfer@clearskylogic.com for a further conversation.