Data Protection and COVID-19 – Regulator Guidance

The ICO has published in a blog post some helpful guidance on data protection compliance and COVID-19. This also draws on a statement issued by the European Data Protection Board (EDPB).

Broadly, data protection rules (such as the GDPR) do not hinder measures taken in the fight against the pandemic. The EDPB says that it is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB underlines that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of data subjects.

The ICO recognises the unprecedented challenges we are all facing during the pandemic, and that organisations might need to share information quickly or adapt the way they work.  The ICO confirms that data protection will not stop you doing that. It’s about being proportionate, and not going beyond what people might reasonably expect.

Core principles

Core data protection principles need to be followed even for emergency data uses. This includes the following:

  • Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
  • Data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
  • It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties.
  • Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.

Delays in compliance

ICO guidance:  Organisations with concerns about complying with GDPR requirements are offered assurance. The ICO says they understand that resources, whether finances or people, might be diverted away from usual compliance work. The ICO indicate that they won’t penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.

While the ICO can’t extend statutory timescales, they will tell people that they may experience understandable delays when making information rights requests during the pandemic.

Comment:  This offers some comfort, for example, to businesses that are currently grappling with lack of resource or access to documents for responding to data subject access requests (DSARs) which have a deadline for response of one month or, in complex cases, extendable to three months. A key factor will be to keep the data subject up to date with progress on the response.

Homeworking

ICO guidance:  Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

Comment:  Employers should carry out a data privacy risk assessment of the data protection implications of employees working from home on a scale greater than might be usual. This could include review of the following:

  • ensuring staff have been given training and guidance and regular reminders about their obligations to safeguard personal data, including not saving sensitive data to unsecured devices or cloud storage;
  • as there is an uptick in cybercriminals and email scams looking to profit from the crisis, warning staff about emails that may look as if they are from official sources but include malicious software, as well as fake phishing emails impersonating people within the organisation;
  • requiring the use of complex passwords and the need to change them often;
  • taking care when using wifi, avoiding public wifi and using known secure wifi where possible.

Can you tell staff that a colleague may have contracted COVID-19?

ICO Guidance: Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

The EDPB adds that in cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context), the concerned employees should be informed in advance and their dignity and integrity protected.

Comment: even though such information relates to a person’s health, which is classified as special category (or sensitive) personal data, an employer is entitled to process / disclose this information where necessary to comply with employment law which includes ensuring the health, safety and welfare of its employees. Again, this only extends to what is necessary and proportionate for this purpose.

Can you collect health data in relation to COVID-19 about employees or from visitors?

ICO Guidance:  You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Comment: while this guidance was issued only in the past few days, it can become rapidly out of date as Government / NHS guidance on COVID-19 changes.

 

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com

Codes of Conduct and Certification Schemes: one step closer….

Sian Barr

In brief

The GDPR provides two ways in which certain organisations can demonstrate that their processing of personal data is compliant with data protection laws, thereby satisfying the accountability requirement under the GDPR: Codes of Conduct and Certifications Schemes.

While each of these procedures is voluntary, organisations have been prevented from attempting to use them up until now as the administrative framework for gaining the requisite approval from the ICO of a proposed code or scheme has not been ready.

The good news is that these processes are now open: as of 27 February 2020, organisations can submit their proposals for a GDPR code of conduct or certification scheme criteria to the ICO for their approval.

In practice though, controllers and processors must continue to be patient as there are currently no approved codes or schemes out there.

The detail

  • Accountability is one of the data protection principles, requiring organisations to demonstrate their compliance with data protection laws.
  • Codes of Conduct and Certification schemes should both be useful voluntary accountability tools, once up and running.
  • Codes of Conduct can be used by organisations such as trade, membership or professional bodies to set out practical ways in which individual members of the organisation can comply with data protection laws, in light of the data protection issues specific to their sector or businesses. Once a Code of Conduct has been approved by the ICO, individual members of the organisation will be able to sign up to it to help demonstrate their compliance with data protection legislation. Adherence to the approved Code will be monitored by a monitoring body, which will also have been approved by the ICO.
  • In its new Guidance on Codes of Conduct, the ICO describes its role, which is to:
    • provide advice and guidance to bodies considering or developing a code;
    • check that codes meet the code criteria set out below;
    • accredit (approve) monitoring bodies;
    • approve and publish codes of conduct; and
    • maintain a public register of all approved UK codes of conduct.
  • As for Certification, this tool will allow businesses to demonstrate their compliance with data protection laws in respect of specific processing activities that are covered by a certification scheme. Organisations will be able to use certification to build trust in their business and to demonstrate compliance to their customers and contractors.  In particular, the GDPR states that certification can be used to assist in compliance with data security, privacy by design and international transfer obligations.
  • In its new Guidance on Certification Schemes, the ICO describes the UK certification framework as follows:
    • The ICO will publish accreditation requirements for certification bodies to meet;
    • The UK’s national accreditation body, UKAS, will accredit certification bodies and maintain a public register;
    • The ICO will approve and publish certification criteria;
    • Accredited certification bodies will issue certification against those criteria; and
    • Controllers and processors will apply for certification and use it to demonstrate compliance.
  • Codes of Conduct and Certification Schemes are not a ‘one size fits all’ solution: they will not be relevant to all organisations. They will apply to processing within specific industries, or to specific processing activities.

Comment

Codes of conduct and certification schemes are a welcome and useful addition to the methods available to businesses to satisfy the accountability principle.  Many sectors are faced with specific data protection issues, particularly when it comes to the processing of special category data.  ICO approved norms for addressing these issues, which are codified and then used across a sector will improve compliance across the industry and ensure a level playing field for data protection compliance amongst competing businesses.

Certification too will be useful once it is available.  It may allow consumers to quickly check that an organisation can be trusted to use their personal data for certain purposes.  It is also likely to form part of the due diligence carried out on a proposed processor or sub-processor, and may feature as a requirement in data processing agreements where a relevant certification scheme is available.

Sian Barr is a Senior Associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at sbarr@foxwilliams.com