Covid-19 and data protection

We’ve seen claims that data protection laws can be put aside during the coronavirus crisis, and conversely, that complying with data protection rules would tie the hands of those trying to help out or adapt their work during this time. These are both myths, which we are happy to provide clarity on, and advise on good practice in light of the ways the coronavirus is affecting our working lives.

Like many things, the truth is somewhere in the middle, and the key message to employers is that while the UK’s data regulator, the Information Commissioner’s Office (ICO), have said they’ll show understanding if resources are directed away from tasks such as responding to SARs (subject access requests) within legal timescales, the data protection laws still very much apply and breaches will be taken seriously.

However, the rules do not prevent organisations from changing how they work in order to protect people’s health, as long as appropriate controls are in place.

Those controls are especially important now that the new normal for many office-based workers is working from home. Some will have already worked from home occasionally, but for others, it will be a completely new experience, and the data security risks are amplified with such a large proportion of the workforce currently based at home. This applies to charity and church volunteers too, with many meetings now taking place remotely.

Organisations that are now using increased homeworking should assess and mitigate the risks through secure processes as well as proactive and supportive management of your people.

Secure processes

Wherever possible, reduce the reliance on paper documents, and where paper is used, it should be stored and disposed of securely, not in regular household waste or recycling;
Consider if you can reduce the amount or type of data that employees need to handle while at home. Can some aspects of jobs be done differently, at least for the short to medium term?
Where your normal processes rely on obtaining consent, remote working will mean that consent is now obtained over the phone or email, which is perfectly acceptable, as long as a clear audit trail is kept for your records;
Provide your employees with secure, tried and tested, systems for remotely accessing your computer systems, so their work is still protected by all the controls they would have if working in the office, including firewalls and encryption;
In particular, personal email addresses or social media accounts should not be used as a substitute for company email addresses and accounts;
Review, and update if necessary, your policies around ‘BYOD’ (bring your own device) if staff are using their own laptops and PCs;
The use of video-calling platforms can reduce the feeling of distance between colleagues, but it can also be an unnecessary invasion, and could cause embarrassment and even a safeguarding risk, depending on who could unknowingly wander into shot, so consider your rules for the use of cameras, and whether there is an expectation to use them;
Video-calling platforms also bring potential new security risks, which should be assessed before using anything you’ve not used before, such as Zoom. There may be a temptation to rush to use new technologies in times of crisis, but due diligence should always be done first;
Organisations may feel inclined to introduce new methods of monitoring employees who are working remotely, but employers should be honest and transparent about this, and ensure the monitoring is lawful and proportionate, and again, due diligence should be done on any software that might be used.

People

It isn’t enough to provide secure processes; companies must ensure their employees are trained in how, as well as why, to use them. Good communication and management should help reduce the risk of people finding shortcuts around the secure systems, either to make their job easier, or for more worrying reasons.

Train employees in your secure systems and good practice to protect confidentiality at home. This includes ensuring computers are locked when not in use, especially if inquisitive children are around, and being aware of, and avoiding, other people overlooking their screen or overhearing confidential conversations.
Remember that “home assistant” devices, like Alexa and Google Home, are listening too! These should be switched off if sensitive conversations are being held nearby.
Despite secure systems and training, people do still cause data security breaches. Most often through human error, which may be more likely when employees feel stressed or distracted by worries, which is very likely in these unprecedented times. Sometimes, employees purposefully cause data breaches, and this is often aggrieved employees, who intend to hurt their employer, or plan to leave the organisation and take data with them. Both of these types of data breaches – in error and on purpose – could be reduced by careful management, and support, of employees working from home.

Further information

We are here to help – please contact us with queries about data protection, please contact Clare Paterson. For employment, please contact the employment team.

Latest news, webinars and podcasts

Care home contracts – CHC and additional fees Monday 19 October 2020

We have been working with care homes to update their contracts and advise on the risks of charging the resident a regular “top-up” or additional fee where a resident is funded through NHS CHC

In with a bang: cap on public sector exit payments from 4 November 2020 Monday 19 October 2020

The parliamentary processes are complete and the Restriction of Public Exit Payments Regulations 2020 (“the Regulations”) which cap exit payments in the public sector at £95,000 will be in force from 4 November.

WEBINAR: Practical lessons in crisis management and disaster recovery Friday 16 October 2020

As the UK’s social housing sector recovers from the initial Covid-19 outbreak and lockdown, now is the time to focus on the challenges that may emerge next.

WEBINAR: Role of joint ventures in driving housing-led regeneration Friday 16 October 2020

There is no universal approach to regenerating town centres. However, housing must be considered a key part of any regeneration project – providing well-needed new homes and economic growth.

Show racism the red card! #SRTRC Wednesday 14 October 2020

Friday 16 October marks the 6th annual Wear Red Day in England, Wales and Scotland. Wear Red Day is the brainchild of the charity; Show Racism the Red Card (SRTRC). SRTRC aims to educate young people so they are equipped to recognise and challenge stereotypes, misconceptions and negative attitudes towards race.

Prioritising building safety – the Fire Safety Bill Wednesday 14 October 2020

Alongside the Building Safety Bill published in July 2020, the Fire Safety Bill is a key step in the Government’s strategy to improve building and fire safety in the wake of the Grenfell Tower tragedy

LGPS: new flexibilities on extra payments and contributions Tuesday 13 October 2020

Government regulations came into force on 23 September 2020 providing LGPS (local government pension scheme) employers with flexibility on meeting exit payments and LGPS funds with flexibility too

Charities fortnightly round-up 22 Monday 12 October 2020

Charity Financials, the financial information program from Wilmington Charities, has published its latest Income Monitor report.

PODCAST: Redundancy and furlough Monday 12 October 2020

As employers face the end of the Coronavirus Job Retention Scheme on 31 October 2020, Katherine Sinclair and Libby Hubbard discuss the intricacies of the redundancy process for furloughed employees.

Covid-19 autumn 2020; overview of key developments for employers Thursday 8 October 2020

We have learned many things over the last six months; the latest lesson is that there is no new normal. The Government initiatives and guidance may have slowed down a pace, but the challenges for employers and their employees remain.

Covid-19 and data protection

Further information

Latest news, webinars and podcasts

Sector

Interests