The world is a very different place than it was a few weeks ago and businesses are now operating in a time of flux, with many not being able to operate at all. With so many employees working from home and contact with customers being made in new or different ways, you need to ensure that you are still operating within the requirements of the GDPR and DPA18.
The data protection laws are not there to make communicating or working together difficult, but they do serve to ensure that personal data is secure, respected and processed in accordance with the essential principles. These principles are not relaxed simply because the nature of trading has changed overnight. In fact, this is when the data protection laws and compliance with them are of paramount importance.
The ICO have been helping firms to strike the right balance between processing personal data within the scope of the GDPR and DPA18, whilst also supporting innovative approaches for the use of personal data when in the public’s best interests.
Those businesses or sole traders with existing, compliant data protection policies and frameworks in place will benefit from a sound understanding of the principles of data protection and are better placed to remain compliant in their new work environment whilst still benefitting their customers. A robust data protection compliance program will also be an essential tool for many data protection officers, who at this current time have been plunged into deep and often very murky waters.
The ICO have noted in many recent publications that they are a reasonable and pragmatic regulator and understand the need to not operate in isolation from matters of serious public concern. At this time of crisis with the coronavirus, there is a bigger need than at any other time for public bodies and health practitioners to communicate directly with the general public.
Coronavirus & Data Controllers
During this unprecedented time, how businesses work will have changed greatly, as will their systems and mechanisms for processing personal data. The ICO have published some essential Q&As about how you can use data processing during the pandemic. Questions in the publication include:
- During the pandemic, our response to information rights requests will be longer. Will the ICO take regulatory action against us?
- As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
- More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
- Can I tell my staff that a colleague may have potentially contracted COVID-19?
- Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation?
- Can I share employees’ health information to authorities for public health purposes?
Coronavirus & Personal Data
Whilst most people’s thoughts are not on their personal data during this difficult time, it is a fact that how businesses and public bodies process that data has greatly changed in just a few weeks. With so many people working from home or public messages being sent in different formats, it’s important that customers understand the how, when & why of personal data processing.
For a summary of some of the personal data situations, you can point customers to the ICO blog on Coronavirus and Personal Data. You can also revise your Privacy Notice that you would have developed prior to the GDPR and DPA18 coming into force and ensure that you are still telling people how their data is being processed and how you intend to keep their personal data safe at this time.
Coronavirus & Secure IT Systems
With so many home workers or staff absent from work, safe IT systems will definitely be a concern for many businesses. The good news is that if you already have a robust Information Security Program in place, this should lend itself to remote access and homeworkers already and can easily be revised for your current working situation.
You may also need to look at the homeworking measures across personal IT systems (i.e. home computers, routers, use of anti-virus software and firewalls on employees’ home devices). The NCSC has released guidance to help organisations reduce the risk of cyber attack on homeworking devices and of course important tips for avoiding phishing scams.