We have received a number of queries about Covid-19, working from home and data protection. There are a number of points to consider and so we have set some of these out, below.
Working from home
If employees are self-isolating or working from home as a result of Covid-19, you must ensure that they continue to comply with the data protection principles so that your organisation is not at risk of a breach.
One of the fundamental principles of data protection legislation is that personal data is kept secure and confidential; a breach of this principle can (and has) resulted in substantial fines. The obligation on an organisation is to implement appropriate technical and organisational measures that ensure an appropriate level of data security. This may include putting in place (or refreshing training on) working from home policies and bring your own device (BYOD) policies and procedures. Almost needless to say, it should be emphasised to employees that any paper documents taken home or moved into public spaces must be kept safe and secure, and that any laptops used to work from home should have full-disk encryption enabled and be locked when not in use.
It is also important to consider that some employees may be using public networks to access data (for example, if they are working in a coffee shop). This moves their devices into public spaces and increases their exposure, as such networks are often unencrypted and unsecured. Employees, and potentially the employer's network, can then be left exposed and data may be intercepted, particularly where BYOD is involved. It is therefore important that your policy covers these aspects of remote working, for instance by requiring a VPN whenever work data is accessed over an untrusted network.
The ICO has published guidance acknowledging that it may be more difficult to ensure compliance at present, and has stated that it will not penalise organisations that it knows need to prioritise other areas or adapt their usual approach during this extraordinary period. However, whilst this approach seems flexible, it is unpredictable and unprecedented how the ICO will respond to a breach in these circumstances, so it is better to be safe than sorry by taking preventative measures from the outset.
There is little doubt that, with many more employees than usual working from home, many of whom are not used to doing so, the risk of a cyber-attack leading to a data breach is significantly increased. It is therefore sensible to ensure that you know what to do in the event of such an incident, including who is responsible for assessing it and the 72-hour deadline for notifying the ICO of a reportable breach under the GDPR.
What happens when an employee needs to self-isolate or has a confirmed case of Covid-19?
An employee's personal medical data is subject to stringent restrictions on processing. Sharing information with other employees about a colleague being sick with the virus could undermine the trust and confidence in the relationship between that employee and the organisation. But the organisation also owes a duty of care to other employees in order to keep them safe. So how does an employer manage these conflicting obligations and the potential for a breach?
The safest way to manage this is to communicate the key messages to staff without disclosing any personal data. Instead, make a general announcement, e.g. "an employee in our Manchester office has recently been confirmed with Covid-19" or "there are a number of staff within the office who are self-isolating due to Covid-19". Provided no individual can be identified from it, such a statement is not personal data and the restrictions above will not apply. However, in smaller businesses or workplaces, even a general disclosure of this kind could lead to an individual being identified, so the test should be applied to your own circumstances rather than assumed. It is important to provide no more information than is necessary to convey the message about the case and what the next steps are, in line with Government guidance.
If you do require more information on this then please contact James Pearson at Brabners – firstname.lastname@example.org.
Guidance for employers and businesses on coronavirus (COVID-19)