The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible.
The purpose of this alert is to pull together advice published by the ICO, and advice provided by our Data Privacy & Cybersecurity team to their clients over recent weeks, to help address some of the key privacy issues raised by the measures that have been taken to date, or may need to be taken in the near future, to deal with the Coronavirus pandemic.
We are struggling to respond to data subject access requests on time, due to limited staff/resources. Will the ICO take this into account when dealing with any complaints?
Yes. The ICO has confirmed that it understands that organisations may be working with limited resources, whether in terms of staff or finances during the pandemic and that resources may need to be diverted away from dealing with data privacy compliance. They state that as a pragmatic and empathetic regulator, they will not penalise companies that are in this situation. Nevertheless, privacy rights continue to be important and organisations should still do what they can to comply with their obligations under data protection laws. The statutory deadlines will not be extended.
Most of our workforce is now working from home. How does this affect our data security obligations?
Data protection law is not a barrier to staff working from home. However, the data security obligations imposed under data protection laws apply to homeworking in the same way as when staff are working in the office, namely that appropriate security measures must be taken to protect personal data in light of the risks associated with unauthorised access to that data, or other types of data breach. Unfortunately, hacking attempts and phishing scams have increased during the pandemic, as criminals seek to take advantage of vulnerabilities, including those created by homeworking. The ICO has provided a security checklist that can be used to identify vulnerabilities relating to home-working.
Maintaining awareness of the risks is key and it is important to send regular communications to employees to remind them that they still need to comply with the organisation’s data security policies and procedures whilst working from home. This may need to cover off specific issues, such as the use of personal devices to process company data and it could also include tips on key measures to be taken, such as VPN access, maintenance and security updates, plus contact details for IT and reporting a data breach, in case any issues arise. See the ICO’s top ten tips to provide to employees working from home.
Is there anything we need to be aware of due to the increased use of video-conferencing by our staff during the lockdown to replace face-to-face meetings?
Yes. The use of video-conferencing presents a number of data security issues, especially where confidential business information is involved. Ideally staff should continue to use conferencing services from your existing provider with whom you have a contract (including data protection terms) approved by the business. It is important to check and make full use of privacy and security settings, including setting appropriate access restrictions, using passwords and controlling who can share screens. Beware of lesser-known security risks, such as the ability for hackers to use the ‘live chat’ function to spread malicious messages. Warn employees not to click on unexpected links or attachments. Social communications between employees, such as virtual drinks or quizzes using alternative video-conferencing facilities, may be more relaxed, but employees should still be careful not to breach company rules, especially on confidentiality and privacy.
As an employer of essential ‘key’ workers, how to we access the Government’s new COVID-19 testing portal and does this raise any privacy issues?
An employer of essential workers in England and Scotland can upload the details of its employees (and their family members) who are currently self-isolating due to Coronavirus symptoms to the new testing portal provided by the Department of Health & Social Care, to refer those employees and family members for testing. Access to the portal can be gained by emailing the DHSC. Following the referral, the employee/family member will receive a text inviting them to book an appointment for testing. Alternatively, the employer can inform its employees about how to access testing, to enable the employee/family member to book their own appointment directly.
Use of the portal to refer key workers for testing is not likely to breach data protection laws in the UK, as this is a necessary measure to enable businesses to get key workers back on site as soon as possible, whilst safeguarding their workforce and others. The employer will not receive the employee’s test result or even be notified whether they have taken the test, which is voluntary for the employee, although from an employment law perspective the employer is likely to be entitled to ask the employee for confirmation.
Can I tell my staff that one of their colleagues has tested positive for COVID-19?
The ICO takes the view that you should inform staff about cases of the virus within your organisation, but that you probably don’t need to name individuals and that you should not provide more information than you need to in order to comply with your obligation to protect the health and safety of employees and others.
In practice, this probably means that you should only inform those staff who are likely to have been in close contact with the infected employee recently, rather than all staff, and that those staff may need to know the name of the infected employee in order to determine their infection risk.
Once the new NHSX ‘track and trace’ app goes live, can we require our employees to use it and to tell us if they receive an alert that requires them to self-isolate?
Use of the NHSX COVID-19 track and trace app is likely to be voluntary, although from an employment law perspective, an instruction by an employer that their employee should download and use it is likely to be considered to be reasonable.
If an employee does get the app and receives an alert warning them that they have recently been in contact with someone who has tested positive for the virus, then it’s likely that they will need to inform their employer. This is for practical reasons, namely because they will either need to work from home (if they are able to do so) during the self-isolation period, or take sickness absence if they are not able to work from home. In any case, the employee may have a duty of care to inform their employer that they are potentially infectious.
It is likely that the employer will be able to lawfully process this personal data under data protection laws on the basis that they need it in order to comply with their legal obligations to safeguard their workforce and others. However, employers will need to restrict the use of this data, access to it and retention of it to what is strictly necessary for that purpose. They may also need to carry out a data protection impact assessment, to ensure that their processing of that data is necessary and proportionate.
Can a business require employees/visitors to submit to a temperature check before entering the office/site?
Although mandatory temperature checks have been widely implemented by many businesses globally, organisations need to consider whether temperature checks are an effective measure to combat the spread of the virus. A raised temperature could have a range of causes that are not linked to COVID-19, which could make it difficult for an employer to assert that carrying out these checks is a necessary and proportionate method of safeguarding employees and others from the virus. If the business decides to go ahead with the checks, it should document (at least briefly) its assessment and the basis on which carrying out the checks complies with data protection laws.