Data Protection and COVID-19 – Regulator Guidance

The ICO has published in a blog post some helpful guidance on data protection compliance and COVID-19. This also draws on a statement issued by the European Data Protection Board (EDPB).

Broadly, data protection rules (such as the GDPR) do not hinder measures taken in the fight against the pandemic. The EDPB says that it is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB underlines that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of data subjects.

The ICO recognises the unprecedented challenges we are all facing during the pandemic, and that organisations might need to share information quickly or adapt the way they work.  The ICO confirms that data protection will not stop you doing that. It’s about being proportionate, and not going beyond what people might reasonably expect.

Core principles

Core data protection principles need to be followed even for emergency data uses. This includes the following:

  • Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
  • Data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
  • It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties.
  • Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.

Delays in compliance

ICO guidance: Organisations with concerns about complying with GDPR requirements are offered assurance. The ICO says they understand that resources, whether finances or people, might be diverted away from usual compliance work. The ICO indicates that they won’t penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.

While the ICO can’t extend statutory timescales, they will tell people that they may experience understandable delays when making information rights requests during the pandemic.

Comment:  This offers some comfort, for example, to businesses that are currently grappling with lack of resource or access to documents for responding to data subject access requests (DSARs) which have a deadline for response of one month or, in complex cases, extendable to three months. A key factor will be to keep the data subject up to date with progress on the response.

Homeworking

ICO guidance:  Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

Comment:  Employers should carry out a data privacy risk assessment of the data protection implications of employees working from home on a scale greater than might be usual. This could include review of the following:

  • ensuring staff have been given training and guidance and regular reminders about their obligations to safeguard personal data, including not saving sensitive data to unsecured devices or cloud storage;
  • as there is an uptick in cybercriminals and email scams looking to profit from the crisis, warning staff about emails that may look as if they are from official sources but include malicious software, as well as phishing emails impersonating people within the organisation;
  • requiring the use of complex passwords and that they be changed often;
  • taking care when using wifi, avoiding public wifi and using known secure wifi where possible.

Can you tell staff that a colleague may have contracted COVID-19?

ICO Guidance: Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

The EDPB adds that in cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context), the concerned employees should be informed in advance and their dignity and integrity protected.

Comment: even though such information relates to a person’s health, which is classified as special category (or sensitive) personal data, an employer is entitled to process / disclose this information where necessary to comply with employment law which includes ensuring the health, safety and welfare of its employees. Again, this only extends to what is necessary and proportionate for this purpose.

Can you collect health data in relation to COVID-19 about employees or from visitors?

ICO Guidance:  You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Comment: while this guidance was issued only in the past few days, it can become rapidly out of date as Government / NHS guidance on COVID-19 changes.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com

Codes of Conduct and Certification Schemes: one step closer….

Sian Barr

In brief

The GDPR provides two ways in which certain organisations can demonstrate that their processing of personal data is compliant with data protection laws, thereby satisfying the accountability requirement under the GDPR: Codes of Conduct and Certification Schemes.

While each of these procedures is voluntary, organisations have been prevented from attempting to use them up until now as the administrative framework for gaining the requisite approval from the ICO of a proposed code or scheme has not been ready.

The good news is that these processes are now open: as of 27 February 2020, organisations can submit their proposals for a GDPR code of conduct or certification scheme criteria to the ICO for their approval.

In practice though, controllers and processors must continue to be patient as there are currently no approved codes or schemes out there.

The detail

  • Accountability is one of the data protection principles, requiring organisations to demonstrate their compliance with data protection laws.
  • Codes of Conduct and Certification schemes should both be useful voluntary accountability tools, once up and running.
  • Codes of Conduct can be used by organisations such as trade, membership or professional bodies to set out practical ways in which individual members of the organisation can comply with data protection laws, in light of the data protection issues specific to their sector or businesses. Once a Code of Conduct has been approved by the ICO, individual members of the organisation will be able to sign up to it to help demonstrate their compliance with data protection legislation. Adherence to the approved Code will be monitored by a monitoring body, which will also have been approved by the ICO.
  • In its new Guidance on Codes of Conduct, the ICO describes its role, which is to:
    • provide advice and guidance to bodies considering or developing a code;
    • check that codes meet the code criteria set out below;
    • accredit (approve) monitoring bodies;
    • approve and publish codes of conduct; and
    • maintain a public register of all approved UK codes of conduct.
  • As for Certification, this tool will allow businesses to demonstrate their compliance with data protection laws in respect of specific processing activities that are covered by a certification scheme. Organisations will be able to use certification to build trust in their business and to demonstrate compliance to their customers and contractors.  In particular, the GDPR states that certification can be used to assist in compliance with data security, privacy by design and international transfer obligations.
  • In its new Guidance on Certification Schemes, the ICO describes the UK certification framework as follows:
    • The ICO will publish accreditation requirements for certification bodies to meet;
    • The UK’s national accreditation body, UKAS, will accredit certification bodies and maintain a public register;
    • The ICO will approve and publish certification criteria;
    • Accredited certification bodies will issue certification against those criteria; and
    • Controllers and processors will apply for certification and use it to demonstrate compliance.
  • Codes of Conduct and Certification Schemes are not a ‘one size fits all’ solution: they will not be relevant to all organisations. They will apply to processing within specific industries, or to specific processing activities.

Comment

Codes of conduct and certification schemes are a welcome and useful addition to the methods available to businesses to satisfy the accountability principle. Many sectors are faced with specific data protection issues, particularly when it comes to the processing of special category data. ICO-approved norms for addressing these issues, which are codified and then used across a sector, will improve compliance across the industry and ensure a level playing field for data protection compliance amongst competing businesses.

Certification too will be useful once it is available.  It may allow consumers to quickly check that an organisation can be trusted to use their personal data for certain purposes.  It is also likely to form part of the due diligence carried out on a proposed processor or sub-processor, and may feature as a requirement in data processing agreements where a relevant certification scheme is available.

Sian Barr is a Senior Associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at sbarr@foxwilliams.com

Happy Data Privacy Day! And what’s coming up in 2020?

Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?

A lot has happened since then. Data protection and privacy is now a rapidly expanding area of law of ever-increasing importance. As we head towards the second anniversary since the GDPR came into force, we review current developments and look ahead at what to expect in 2020.

Our special Data Privacy Day newsletter covers the following topics:

  • Accountability – sounds good, but what does it actually mean?
  • International transfers and Brexit
  • What’s cooking with cookies?
  • Whatever happened to the ePrivacy Regulation?
  • The growing culture of Data Subject Access Requests (DSARs)
  • Adtech – under regulator scrutiny
  • Artificial Intelligence (“AI”) and data protection
  • Data security – what’s appropriate?
  • Fines – more to come …
  • Class action compensation claims

Meanwhile, please make a diary note of our annual Data Protection Update seminar, which will be held on 14 May 2020.

Please do contact us if you have any questions or if our data protection team can assist you in any way.

Whatever happened to the ePrivacy Regulation?

The ePrivacy Regulation is due to replace the current ePrivacy Directive, which is the European law behind the Privacy and Electronic Communications Regulations (PECR). These are the rules which govern the use of cookies and similar tracking technologies, as well as digital marketing. The new Regulation is intended to bring the ePrivacy Directive into alignment with the GDPR and to introduce changes to the rules governing electronic marketing.

Originally intended to coincide with the GDPR, the introduction of the ePrivacy Regulation has been highly contentious and has met with considerable delay. Towards the end of 2019, the latest draft was rejected by the Council of Europe leading to further delays in its adoption.

The ePrivacy Regulation promised a simpler set of rules on cookies. It would remove the need for cookie banners and notices and allow browser settings to provide a way for users to indicate whether they accept or refuse cookies and other identifiers. It would clarify that consent is not needed for non-privacy intrusive cookies that improve internet experience (e.g. remembering shopping cart history) or analytics cookies used by a website to count visitors.

The new rules would also ban cookie walls (where a website requires users to accept cookies as a condition of being able to access the website’s content).

The proposal will also continue the ban on unsolicited electronic communications by emails, SMS and automated calling machines. However, it is not yet known if this will extend to B2B communications, or simply apply to B2C marketing as at present.

The draft Regulation also introduces more stringent penalties for non-compliance, and brings the sanctions regime and remedies available broadly into line with the GDPR.

It is uncertain what the final form of the Regulation will be. However, given the latest delay, Brexit has now intervened and so the Regulation will not be directly applicable in the UK. Despite that, it is likely that the UK will adopt the new rules as and when introduced. While the UK may be able to make its own decision on this following Brexit, if the UK does not implement the new Regulation that may stand in the way of the adequacy decision the UK needs in order to allow the free flow of data to and from the EEA. Also, the proposed extra-territorial scope of the new Regulation (like the GDPR) means that it will remain directly applicable to UK businesses targeting the EEA.  Who said that after Brexit the UK will take back control of its laws?!

Meanwhile, the ICO has also published a draft direct marketing code of practice for consultation. The consultation closes on 4 March 2020 and the ICO expects to finalise it in 2020. The ICO plans to produce additional practical tools such as checklists to go alongside the code.

Some key points include:

  • The two lawful bases most likely to be applicable to direct marketing are consent and legitimate interests. However, where PECR applies and requires consent, then in practice consent should also be your lawful basis under the GDPR.
  • It is important to keep personal data accurate and up to date. It should not be kept for longer than is necessary. It is harder to rely on consent as a genuine indication of wishes as time passes.
  • If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence.
  • Profiling and enrichment activities must be done in a way that is fair, lawful and transparent.
  • If you are using new technologies for marketing and online advertising, it is highly likely that you will be required to conduct a data protection impact assessment (DPIA).
  • If someone objects you must stop processing for direct marketing purposes. You should add their details to your suppression list so that you can screen any new marketing lists against it.

Once the draft ePrivacy Regulation is finalised and the UK’s position on Brexit is clear, the ICO has indicated that it will update the direct marketing code to take account of the ePrivacy Regulation.

What’s cooking with cookies?

Cookies have become a hot topic for the ICO, with it receiving many complaints about websites’ (often unlawful) use of cookies. This theme looks set to continue into 2020.

This is particularly the case since a huge number of organisations, including some of the largest businesses in the UK, have still not updated their practices to ensure they comply with the rules. This is despite the fact that the ICO published clear guidance concerning the requirements for the lawful use of cookies in summer 2019.

It is likely that the ICO will start taking enforcement action against organisations which do not follow the rules, and this could lead to fines. As such, businesses which are not yet compliant should take steps to ensure compliance now.

At a high level, the following are the main rules when using cookies on websites:

  1. User consent must be obtained (except in relation to “strictly necessary cookies”)

The ICO confirmed that the standard of consent for using cookies is the same high standard as under the GDPR, even for cookies which do not involve the processing of personal data. This means that implied or inferred consent can no longer be relied on for cookies. For consent, a clear affirmative act is needed; pre-ticked boxes or inactivity do not constitute consent.

Websites which use non-essential cookies without specifically requiring users to consent to these when accessing a site (e.g. by specifying that continued use entails consent) are, therefore, not compliant. This also means that all non-essential cookies should be switched off by default. It also means that such cookies should only be served on the user if and when the user consents.

“Strictly necessary cookies”, which do not require consent, are those which are essential to provide a user with the service they have requested or to comply with applicable law. Analytics cookies and advertising cookies do not fall within this exemption.

  2. Provide clear and transparent information to users concerning the cookies you use

The ICO Guidance emphasises the need to provide users with transparent information about cookies. The information must be in accordance with the higher standards of transparency as required by the GDPR; it must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

In relation to cookies, this means that online retailers need to review and update their cookies policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how the different types of cookies are being used on the website. Failure to provide clear information will breach the transparency requirement, and will also undermine any “consent” if the consent cannot be said to be sufficiently informed.

Highlighting the importance of transparency and consent, in January 2019, the French data protection regulator imposed a fine of €50 million on Google for lack of transparency, inadequate information and lack of valid consent regarding ads personalization on mobile devices. For more information on this, see further https://idatalaw.com/2019/01/25/e50m-fine-for-google-in-france/