Data Protection in times of COVID-19

Published: Thursday, 21 May 2020

Naomi Korn, Managing Director, Naomi Korn Associates, talks about the key considerations during the COVID-19 outbreak. www.naomikorn.com

Summary

  • Working remotely presents new data protection security risks, with staff using their own equipment and communicating on public platforms such as Zoom.
  • If staff have been furloughed, make sure that any potential data breaches and Subject Access Requests are monitored and a process put in place to respond to them accordingly.
  • Ensure that staff, contractors and others who work for or on behalf of your organisation are aware of their roles and responsibilities in terms of legal compliance and home working. Webinars and/or update emails are useful examples of ways to make sure that levels of awareness remain high.
  • Update your online Privacy Notice/s and any other privacy statements to take into account new ways of processing personal data and different platforms and systems that you might be using.
  • Do not save personal data unless there is a reason to do so. This means deleting emails as necessary, and not storing personal information.

In March 2020, at very short notice, homeworking became the new norm in response to the UK’s COVID-19 crisis. Among other new ways of working, staff who have been used to working mainly face to face have quickly moved to platforms like Zoom and Microsoft Teams for team and client meetings, meet-ups with colleagues from other organisations and for running/receiving training. The use of social media platforms to reach existing and new audiences has often been extended and the development of online resources has accelerated at an unimaginably fast pace. Opportunities abound in this brave new world of working, but how far are these shifts in our working practices legally compliant?

While we are adjusting to new ways of working, our obligations to comply with data protection legislation (GDPR, the Data Protection Act 2018) have not changed. Existing complexities associated with how and why we process personal data remain, together with new challenges to ensure legal compliance. When working from home, the need to follow internal policies and procedures, as well as legal compliance obligations, is as important as ever, even when using new systems and/or equipment to use and store data.

The UK’s regulatory office for data protection, the Information Commissioner’s Office (ICO), understands that resources might be diverted away from usual compliance or information governance work and has indicated that it will not penalise organisations during this period. The ICO acknowledges that, during the pandemic, staff can use their own devices or communications equipment. Data protection law doesn’t prevent that, but the guidance states, “you’ll need to consider the same kinds of security measures for home working that you’d use in normal circumstances”.

In response to this, we have drafted some top tips for data protection compliance, which we believe will provide an important checklist to help staff get to grips better with these essential issues in uncertain times.

Data protection top tips

  1. When using new platforms, such as Zoom and Microsoft Teams, make sure that you carry out a DPIA (Data Protection Impact Assessment) to help you understand the risks, whether these are acceptable and what you can do to mitigate them. Completed DPIAs should be passed on to and stored by your organisation’s data protection officer. Any high risks that you identify must be discussed, a plan formulated to mitigate them and, if mitigation is not possible, decisions made about whether the new platform should be used.
  2. Read the small print of any new platforms that you choose to use with your colleagues and other users/students. Make sure you understand the terms and conditions and with whom the platform might be sharing content you place on it, including personal data.
  3. You will need to make sure that you have third-party permissions to record and upload recordings on to the Cloud. Make sure that any participants in your recordings know that any chats (including private chats) will be recorded and shared.
  4. Make sure that, even if staff have been furloughed, any potential data breaches and Subject Access Requests are monitored and a process put in place to respond to them accordingly.
  5. Remind colleagues about who is the data protection officer (DPO), how to contact them and what help they can provide.
  6. Ensure that staff, contractors and others who work for or on behalf of your organisation are aware of their roles and responsibilities in terms of legal compliance and home working. Webinars and/or update emails are useful examples of ways to make sure that levels of awareness remain high.
  7. Update your online Privacy Notice/s and any other privacy statements to take into account new ways of processing personal data and the different platforms and systems that you might be using. If you do so, record and publish the date of the update to your Privacy Notice and, where appropriate, inform relevant users.
  8. Review risk management and risk mitigation procedures. The implementation of data breach policies and procedures and documentation of decisions taken, as well as clear procedures and policies, will also help your organisation to remain compliant with data protection requirements.
  9. You can ensure that you remain GDPR compliant and reduce the risk of cybercrime by keeping your passwords strong on devices that you are using from home (particularly if you are sharing them), not saving any work-related documents to your personal devices and ensuring files are encrypted for security. Ensure that staff who are using shared PCs at home have up-to-date anti-virus software and unique log-ins, and remind them to log out of sessions if leaving their PCs for a break.
  10. Do not save personal data unless there is reason to do so. This means deleting emails as necessary, not storing personal data on personal drives and safely shredding any paper documents that include personal data.
  11. Remember only to copy others into your email if required. Before sending an email, read it over and check who is copied in to ensure that you don’t inadvertently create a data breach.
  12. Have a clear statement to all staff (part of your record of action as part of your COVID-19 homeworking approach or action plan or risk assessment) stressing that “The protection of personal data that we hold and use is important to us and must be handled at all times in a way that is compliant with data protection law and our privacy policy. While we have to adapt to comply with the official guidance, we will adjust our working processes to allow us to deliver our services. These are time-limited instructions that will be kept under review. At the end of the period, all data that is held temporarily on personal devices as a direct result of this exceptional time will be deleted.”
  13. Set out what use of data, contact lists and customer documents is being allowed.
  14. As part of this exceptional response to homeworking, keep a full record of where staff are working from and what equipment they are using.
  15. State that you have assessed the best way of ensuring homeworking efficiency and are proposing that personal devices and mobile phones can be used, and that you will review this (weekly seems sensible at present) in line with experience and how staff report it is working.
  16. For the weekly reviews, have your senior team note the numbers of staff using personal devices and any queries or issues they are finding, and demonstrate that you are monitoring the situation and are flexible about closing it down if any specific concerns arise. This is where a nominated data protection officer can support the senior team in the messaging to colleagues.
  17. You can find out more about your data protection obligations and the latest official advice from the ICO website: www.ico.org.uk

Whether you are working from home or elsewhere, it is as important as ever to ensure a “Privacy by Design” culture within your organisation. The cultural change instigated by GDPR back in May 2018 should continue to be encouraged when processing personal data, so that everyone who does so thinks about what personal data they are processing, why, for how long and how they can keep it safe.

About the author

Naomi Korn is the co-author of a new book: Information Law: Compliance for librarians, knowledge managers and information professionals, which will be published by Facet Publishing in June 2020. Naomi Korn Associates delivers comprehensive online copyright, data protection and legal compliance training. https://naomikorn.com/services/training/
