In the current pandemic circumstances, many more people are working from home and the administrative, process and compliance resources of organisations may become limited or stretched.
The ICO has given recent helpful guidance in such regard which we highlight below, with some further considerations to help you to continue to satisfy your data privacy compliance obligations in these extraordinary times.
It is certainly not 'business as usual'…
In the pandemic crisis, it is clear that there will be substantial changes to the profile of data processing by organisations from their 'business as usual' basis.
Such changes will arise from the increase in processing of personal data pursuant to remote or homeworking, be it electronically or by virtue of having physical documentation to hand. You might have to use communication channels with your staff and/or your customers that are different from your organisation's norm.
There may also be an increase in the processing of health personal data (both within the organisation itself and, potentially, as a result of data sharing with other parties) to help safeguard employee and public health concerns.
Sadly, it is also likely that there will be an increase in activity by fraudsters as they try to take advantage of the destabilising effect of the current crisis. Such activities might include phishing scams and the use of ransomware.
Organisations are also likely to be delayed in dealing with Subject Access Requests and the exercise of other rights by individuals.
So, how should your organisation deal with all that?
So, what does the ICO have to say in that regard?
The ICO has helpfully confirmed that it is a: "reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency".
It also highlighted the following.
- The ICO understands that information might need to be shared quickly and organisations need to adapt the way that they work.
- Resources might be diverted away from usual compliance or information governance work, and the ICO will not penalise organisations that need to prioritise other areas, or adapt their usual approach during this period.
- Statutory timescales cannot be extended (for example when dealing with Subject Access Requests) but the ICO will let the public know that there may well be understandable delays in some circumstances.
- It acknowledges that public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
- Data protection does not prevent a move to home or other remote working, however, security measures for homeworking must be carefully considered.
- Staff can be told about potential COVID-19 cases within the organisation, but organisations should think carefully about the amount of information that is necessary to provide on a wider basis, including whether it is necessary to name the individual.
The ICO also confirmed that: "We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It's about being proportionate - if something feels excessive from the public's point of view, then it probably is." This is a helpful reminder that the need for data protection compliance should not be misconstrued as a basis for preventing reasonable and responsible data processing, particularly in the interests of public well-being.
Yes, there is a crisis, but you still have to assess risk and act properly…
It is reassuring that the ICO has confirmed publicly that it will take the current pandemic into account before taking any regulatory action.
However, such reassurance does not mean that there is an abandonment or suspension of the legal obligations and duties regarding data privacy. Controllers and processors of personal data must continue to ensure that their data privacy practices and procedures address reasonably the risks arising from the operational changes being put in place given the prevailing pandemic.
Such changes might include the use of communications systems that your organisation has not previously used. In the prevailing circumstances, you should ensure that you obtain your customers' approval for the use of means of communication that differ from your norm, and that, when using such communications systems, you set the privacy settings to the appropriate level.
Your determination of the appropriate measures to put in place in the changed data processing environment should be based on the same fundamental principles that your organisation should in any event apply to its 'business as usual' data processing activities. They include:
- Be transparent with individuals about how you are using their data and why
- Understand what your legal basis is for processing data
- Do not collect excessive amounts of data, and keep your collection and sharing to that which is really necessary in the circumstances
- Keep personal data up to date and accurate
- Do not keep personal data for longer than is necessary, either during the pandemic, or after
- Keep on top of the security of personal data, whether in hard copy or electronic form, and issue appropriate guidance and training to employees
- Any use of personal data should be necessary and proportionate, taking into account relevant government and NHS guidance
If you have any queries on data protection and coronavirus matters, please contact the relevant member of our Data Privacy Group here