Data protection and coronavirus: what you need to know
It has undoubtedly been difficult for organisations to manage data protection and privacy risks while also responding to the threats posed by Covid-19. However, organisations handling personal data should be reassured that data protection law will not prevent them from responding to the continued challenges brought by Covid-19.
As restrictions are lifted and vaccinations continue, businesses are returning to 'business as usual'. However, it is important that organisations do not let the relaxation of restrictions change their approach to personal data. In particular, the protection afforded to employees, customers and third parties should not be reduced. The rights and obligations conferred by data protection laws are fundamental and, what's more, they are entirely consistent with responding to Covid-19.
Throughout the pandemic, international data protection regulators have published significant amounts of guidance on how to deal with Covid-19 while still respecting data protection law. Guidance that will remain of particular interest to our UK clients has been produced by the UK data protection regulator, the Information Commissioner's Office ("ICO"), and by the National Cyber Security Centre ("NCSC").
The key takeaways for UK organisations are as follows:
Disclosing to staff that a colleague may have contracted Covid-19:
Data protection law does not prevent organisations from keeping their staff informed about any confirmed or potential cases of Covid-19 within the organisation. This is because businesses have an obligation to ensure the health and safety of their employees, which may provide the legal basis for employers' processing of certain health data. Other grounds may also apply to this disclosure, such as vital interests or the public interest in public health by protecting against cross-border threats. Consent is unlikely to be an appropriate or necessary legal basis.
In accordance with the principles of data minimisation and proportionality, only necessary information should be collected and disclosed to other staff members. It will not usually be necessary to disclose the names of infected colleagues to other staff members.
However, it may be necessary to inform immediate team members of their colleague's diagnosis, for example, for contact tracing purposes. If this is the case, we would suggest that this is done on a "need to know" basis and that the affected employee be warned in advance. Notification should be carried out in confidence and verbally, rather than in writing. This will minimise the unnecessary recording of health information, which carries additional risks. Verbal disclosure may even take the disclosure out of the ambit of data protection legislation entirely, as it does not cover purely verbal communications, and it may help to make the disclosure less intrusive.
Organisations may be within their rights to collect data about the vaccination status of their employees. The ICO's guidance encourages organisations to only collect information about their employees’ vaccine status if there is good reason to do so. In practice, organisations should not seek this information unless it is necessary and proportionate and, in any event, should only collect and retain the minimum amount of information needed to fulfil the purpose in collecting the data. A Data Protection Impact Assessment ("DPIA") might be a sensible way to assess whether collecting information about the vaccination status of employees is necessary and proportionate in all the circumstances.
Organisations should also ensure they have a proper legal basis for processing this data which, for the majority of public and private organisations, is likely to be legitimate interests. Vaccination status is health data and, therefore, ‘special category data’ under data protection law. This means that it requires an additional justification for processing, such as the employment or public health condition in Article 9 of the UK GDPR (as recommended by the ICO). If organisations do intend to rely on the public health condition, they must ensure that a qualified health professional carries out the processing or that individuals are notified that this information will remain confidential except in limited circumstances.
Organisations should note that consent is unlikely to be a suitable legal basis for processing in an employment setting, given the imbalance of power between the employer and employee.
Contact tracing and surveillance:
Some businesses have continued to collect personal data for contact tracing purposes. Where businesses are not under a legal obligation to collect data for contact tracing purposes, they are likely to rely on legitimate interests as the legal basis for the processing. Businesses are advised to comply with the following five steps when collecting personal data for contact tracing purposes:
(1) ask only for what's needed (e.g. name, contact details and date/time of arrival);
(2) be transparent about why you are collecting the data (this information is generally contained in a privacy notice);
(3) securely store the data;
(4) don't use the data for any other purposes such as direct marketing, profiling or data analytics; and
(5) permanently erase it in line with government guidance, usually recommended to be 21 days from the date of collection.
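As an added illustration (not from the original note or the ICO's guidance), a small Python register that enforces steps 1, 4 and 5 in code: it accepts only the fields named in step 1, releases records only for the contact-tracing purpose, and erases anything older than the 21-day period. Step 2 (privacy notice) and step 3 (secure storage) sit outside this snippet; the field names and purpose label are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retention period recommended in the guidance quoted above.
RETENTION_DAYS = 21
# Step 1: the only fields the register may hold.
ALLOWED_FIELDS = {"name", "contact", "arrived_at"}
# Step 4: the only purpose for which records may be read back.
PERMITTED_PURPOSE = "contact_tracing"


@dataclass(frozen=True)
class Visit:
    name: str
    contact: str
    arrived_at: datetime  # timezone-aware; also drives the retention clock


class ContactTracingRegister:
    """Visitor register that enforces steps 1, 4 and 5 in code (constructed example)."""

    def __init__(self) -> None:
        self._visits: list[Visit] = []

    def record(self, **fields) -> Visit:
        # Reject extra fields (e.g. date of birth, marketing opt-in) instead of storing them.
        extra = set(fields) - ALLOWED_FIELDS
        missing = ALLOWED_FIELDS - set(fields)
        if extra or missing:
            raise ValueError(f"unexpected fields {sorted(extra)}, missing {sorted(missing)}")
        if fields["arrived_at"].tzinfo is None:
            raise ValueError("arrived_at must be timezone-aware")
        visit = Visit(**fields)
        self._visits.append(visit)
        return visit

    def purge_expired(self, now: datetime) -> int:
        """Step 5: erase records older than RETENTION_DAYS; returns how many were removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [v for v in self._visits if v.arrived_at >= cutoff]
        removed = len(self._visits) - len(kept)
        self._visits = kept
        return removed

    def visitors_between(self, start: datetime, end: datetime, purpose: str) -> list[Visit]:
        """Step 4: the data may only be read back for contact tracing."""
        if purpose != PERMITTED_PURPOSE:
            raise PermissionError(f"register may not be used for {purpose!r}")
        return [v for v in self._visits if start <= v.arrived_at <= end]
```

Run `purge_expired` on a schedule (daily is enough for a 21-day window) so erasure does not depend on someone remembering to do it.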
There may be situations where organisations wish to rely on surveillance footage for contact tracing and to ensure that employees are observing health and safety measures. Surveillance of an employee must be necessary, justified, and proportionate. Organisations should consider how the technology will help to achieve its objectives and whether this could be achieved by using any other less intrusive means. The existence of any surveillance system, and why it is being used, must also be communicated to employees. This is normally done by way of a privacy notice (considered further below).
Organisations should ensure that clear and accessible privacy notices are available. Privacy notices must have been updated to provide for any data being processed in connection with any measures relating to Covid-19. Privacy notices should include information about the data being collected and the purposes for which it will be used; with whom it will be shared; the length of time for which it will be retained and how people can exercise their rights over it, for example the right to erasure.
Workplace health testing:
As businesses return to workplaces, they may be considering whether to submit staff or visitors to Covid-19 testing. Provided that there is an appropriate basis for the processing, and that the data is processed lawfully, fairly and transparently, it may be possible for organisations to carry out such testing.
As health data is 'special category data' under data protection law, organisations must demonstrate that there is a legal basis under Article 6 and Article 9 of the UK GDPR. Many of the applicable legal bases require the processing to be "necessary"; organisations will therefore need to consider what they are trying to achieve and whether testing is necessary to achieve that purpose.
As with all other processing, a company must notify staff of the testing, and their reasons for it, and be clear, open, and honest about how their personal data will be handled. A DPIA should be conducted prior to the implementation of any testing policy to assess the risks of the testing and the measures that can be taken to mitigate them.
Public health messages and direct marketing:
The government, NHS or health professionals may lawfully send public health messages to people by phone, text or email and these will not constitute direct marketing. It is important that these messages only contain public health messages to ensure that they are not considered direct marketing.
Some companies have also sent 'service updates' as restrictions have evolved. True service messages are not considered to be direct marketing but if they contain promotional content they may be considered direct marketing for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). If the messages qualify as direct marketing, they must be screened against suppression lists and only sent in accordance with PECR's prior consent requirements.
Homeworking and security:
Although many businesses are returning to the office, there are still a number of staff working from home. The UK GDPR's security obligations still apply to homeworking and businesses need to consider the same kinds of security measures for homeworking that one would use in normal circumstances. This will be particularly important due to the increased number of cyber-attacks during the pandemic, as hackers attempt to exploit changes to working habits to influence people to take more risks than they normally would online. Organisations may wish to put in place, or update, policies covering how staff members should deal with confidential information and business personal data when at home – for example, locking information away at the end of the day, and limiting the use of devices that can record conversations, such as Alexa or Google Assistant, in the proximity of business calls.
The ICO and the NCSC have both issued guidance on this topic.
The ICO's guidance suggests the following measures:
- Putting in place clear policies, procedures and guidance for staff who are remote working (for example, in relation to accessing, handling and disposing of personal data);
- Reminding staff to use unique and complex passwords;
- Only giving key staff full access to cloud storage areas, with other members of staff having read, write, edit or delete permissions where appropriate;
- Having account lockouts in place after a certain number of failed logins; and
- Reviewing and implementing the NCSC guidance on defending against phishing attacks.
- Authentication – two factor authentication is particularly important to mitigate the risks of remote access. Regular password strength should be maintained.
- Devices – an enhanced risk of device loss makes encryption even more important. Organisations should ensure that their rules on keeping software and malware protection up-to-date are maintained.
- VPNs – these should be implemented in order to minimise the risk of intrusions through home networks.
ICO regulatory approach:
At the start of the pandemic, the ICO was clear that it would consider the commercial environment for organisations and the UK economy in its approach to data protection regulation. The ICO has continued in its commitment to be flexible in its approach to take into account the challenges faced by organisations as a result of the pandemic, but also emphasises that businesses have had time to adapt, and that Covid-19 should not damage people's rights in relation to their data. For example, the ICO states that businesses should now have plans in place to reduce any data subject request/complaint backlogs. In its latest guidance, the ICO emphasises that organisations should, where applicable, report data breaches without undue delay (meaning within 72 hours of becoming aware of the breach) but that, when issuing fines, the ICO will consider affordability for the organisation in breach.