
15 Apr 2020

Data protection and coronavirus: what you need to know


Managing data protection and privacy risks while responding to the threat posed by Covid-19 is a challenge. However, organisations handling personal data should be reassured that data protection law will not prevent them from responding to the pandemic appropriately.

It is important not to let this crisis lower your usual data protection standards, since they are no barrier to protecting your employees, customers and third parties. The rights and obligations conferred by data protection law are fundamental and, what's more, they are entirely consistent with taking steps to tackle coronavirus.

International data protection regulators have been publishing lots of guidance on how to deal with coronavirus while respecting data protection law. Guidance from the ICO (available through its coronavirus hub) will be of particular interest to our UK clients, and the EDPB is also working to promote a common approach to the use of mobile apps and data in fighting coronavirus and has mandated its subgroups to produce guidance on geolocation and tracking tools; and on processing health data for research purposes in the context of Covid-19. The National Cyber Security Centre's guidance on home and remote working by employees is also valuable, as it covers practical steps for managing security.

The key guidance, taken together with views from other countries' regulators, plus some of the issues we've seen arising in the market, can be summarised to give the following takeaways for UK organisations:

  • Response times and information governance: Organisations are being reassured that they will not be penalised if they need to prioritise other areas or adapt their usual approach to dealing with requests or complaints from data subjects during the pandemic.

    The ICO is one of a handful of pragmatic regulators to explicitly say that it understands that businesses may not be able to meet the same standard of response times to information rights requests as they would under normal circumstances. Therefore, while it is unable to officially extend statutory timescales, it has said that it will seek to advise complainants that they may experience understandable delays when making requests during the pandemic. It has published a paper on its approach to regulation during the pandemic, which states that it is prioritising its resources, and that while, for example, data breaches must still be reported within 72 hours, it will “take an appropriately empathetic and proportionate approach”, recognising that the current crisis may impact organisations’ response times. In deciding whether to take formal regulatory action, including issuing fines, the ICO will also take into account whether the organisation’s difficulties result from the crisis, and whether it has plans to put things right at the end of the crisis. Organisations may be given longer than usual to rectify any breaches that predate the crisis, where it has impacted the organisation’s ability to take steps to put things right.
     
    While there has still been no official word on whether subject access and other information rights requests may be more likely to be "complex" at present, we consider that this may be arguable in some circumstances, for example where it is difficult to access records that are kept in an office that is currently closed. If a request is complex, controllers have an additional two months to respond to it.
  • Disclosing to staff that a colleague may have contracted Covid-19: Data protection law is not a barrier to keeping staff informed about any confirmed or potential cases within the organisation. This is because businesses have an obligation to ensure the health and safety of their employees, which may provide the legal basis for employers' processing of certain health data. Other grounds may also apply to this disclosure, such as vital interests or the public interest in public health by protecting against cross-border threats. Consent is unlikely to be an appropriate or necessary legal basis.

     
    It will not usually be necessary to tell other staff members the names of infected colleagues, and only necessary information should be collected and disclosed to other staff members, in line with the principles of data minimisation and proportionality.
     
    However, it may be the case that it is necessary to inform immediate team members of their colleague's diagnosis, for example for contact tracing purposes. If this is the case, we would suggest that this is done on a "need to know" basis to select staff members only, with the affected employee being warned in advance that certain colleagues are being informed. Ideally notification should also be carried out verbally, rather than in writing, and in confidence. This will minimise unnecessary recording of health information, which carries additional risks of an email being forwarded to an unintended recipient. Verbal disclosure may even take the disclosure out of the ambit of data protection legislation entirely, as it does not cover purely verbal communications, and it may help to make the disclosure less intrusive.

  • Carrying out temperature checks: There are differences of opinion between supervisory authorities as to whether it is acceptable to conduct mandatory temperature checks on workers or visitors. The factors to bear in mind are whether such checks are necessary, and whether there is another, less intrusive way of checking on the individuals’ health.

     
    As travel histories are no longer a reliable indicator of potential risk, more intrusive health checks may be justified in some circumstances, but set against this is the fact that many people are infectious without having a fever or other symptoms, so temperature checks may be of limited use in stopping the spread of the virus. In circumstances where many people are now working from home and not seeing their colleagues or visitors, this measure is becoming less likely to be necessary. However, for essential workers in public-facing roles, it may still be relevant.

  • Public health messages and direct marketing: The government, NHS or health professionals may lawfully send public health messages to people by phone, text or email and these will not constitute direct marketing. As usual, it will be important to make sure that these messages only contain public health messages, in order to ensure that they are not considered direct marketing.

     
    In the same vein, we have noticed many companies sending out service updates in the light of protective measures against coronavirus. While true service messages are not considered to be direct marketing, if those messages also contain promotional content, they will also be covered by PECR. This means that they must be screened against suppression lists and only sent in accordance with the PECR prior consent requirements. The public health crisis must not be used as an excuse to circumvent the normal marketing requirements.

  • Homeworking and security: Data protection law does not prevent staff from using their own device or communications equipment in their own homes. The GDPR's security obligations still apply and businesses will need to consider the same kinds of security measures for homeworking that one would use in normal circumstances. This will be particularly important due to the increased number of cyber-attacks in the last few weeks, as hackers attempt to exploit changes to working habits and anxiety over the pandemic to influence people to take more risks than they normally would online. Organisations may wish to put in place, or update, policies covering how staff members should deal with confidential information and business personal data when at home – for example, locking information away at the end of the day, and limiting the use of devices that can record conversations, such as Alexa or Google Assistant, in the proximity of business calls.
     
    The NCSC guidance covers steps such as:
     
    • Authentication – two factor authentication is particularly important to mitigate the risks of remote access. Regular password strength should be maintained.
    • Devices – an enhanced risk of device loss makes encryption even more important. Organisations should ensure that their rules on keeping software and malware protection up-to-date are maintained.
    • VPNs – these should be implemented in order to minimise the risk of intrusions through home networks.
    The NCSC also stresses that it is important that businesses educate their staff to make them aware of the enhanced phishing risks at play at the moment, as individuals are more susceptible to clicking on a coronavirus-related link. Its recommendations include producing "How do I?" guides for employees, providing necessary training, and giving tips on how to spot coronavirus email scams.
  • Device tracking: There has been much discussion of the possibility of using mobile phone data to help track the spread of the virus, and the government is reportedly developing a contact-tracing app that would use Bluetooth signals between devices in order to alert those who have been in close proximity to someone who later develops symptoms. While the reports state that data would be anonymised and/or aggregated, this could clearly have significant data privacy implications, particularly as individuals’ locations will be continuously tracked and there are fears that the unique IDs given to each device could be used to “de-anonymise” people who report symptoms.
     
    The general view of supervisory authorities, including the ICO, is that mobile phone tracking data may be used to help fight coronavirus, because if it is properly anonymised and aggregated, it will not be covered by data protection law. Any anonymisation measures would need to effectively prevent re-identification, and aggregation could help to achieve this.
     
    European supervisory authorities have been attempting to co-ordinate their views on this issue, and the European Commission and national governments have held talks with major telecoms operators. The EDPB has gone further and has stressed that it may even be lawful to use mobile location data to track the virus, where necessary and proportionate in the interests of national security. The EDPB states that such measures would need to be authorised by national law under Article 15 of the ePrivacy Directive, which should include adequate safeguards such as granting individuals the right to judicial remedy.

In summary, as the EDPB states: "Data protection rules … do not hinder measures taken in the fight against the coronavirus pandemic … even in these exceptional times, the data controller must ensure the protection of the personal data of data subjects."


KEY CONTACT

Naomi Leach
Partner
T: +44 20 7809 2960 M: +44 7769 143 367 Office: London

Katie Hewson
Associate
T: +44 20 7809 2374 Office: London