New data collection & new data protection considerations
None of us, apart from science-fiction writers, could have anticipated the strange world of 2020. Businesses have had to adapt quickly and pick their way through the crisis. From a data protection perspective, it’s presented us with considerable challenges.
Many organisations had to rapidly move virtually their entire workforce to a remote working environment, and quickly turn their attention to how best to collect and share COVID-related employee health data.
Then came collecting customer data for Track and Trace, and moves by some to introduce measures to monitor staff at home. And last but not least, we’ve finally seen the launch of the NHS COVID app.
Employers have, by necessity, made risk-based decisions – some of which may well need revisiting. The good news is there’s plenty of guidance and information out there to help navigate the challenges.
Here’s a short guide and some useful resources … but first, three golden rules:
1) Is what you are doing proportionate and within people’s reasonable expectations?
2) Have you told people what you are doing?
3) Have you put appropriate measures in place to protect people’s data?
Working from home
I was speaking to a friend the other day, who told me, “as my husband works for a bank, he was always told he could never work from home.” Now he is – necessity has disrupted even the most traditional working models.
Quickly moving an entire workforce to WFH was a huge challenge for many organisations. Less so for those where people were already able to work from home, with security and data protection considerations already in hand.
As Michael Sturrock, the DMA’s Head of Public Affairs, points out:
“We have been bombarded with a plethora of new online platforms to facilitate conference calls, team working and document sharing. Inevitably, each of these has terms and conditions and privacy notices hundreds of pages in length. But are you going to read them? Or, perhaps more pertinently, are you going to tell your boss that you don’t want to use the platform that everyone else in the office is using?”
It may be worth taking another look at those terms, policies or your own guidance, now that you are not in such a hurry. Robert Bond, Senior Counsel at Bristows LLP, says now’s the time to revisit and check whether you have appropriate measures in place to protect personal data and keep it secure:
“The lockdown has changed forever the way in which many of us work. In the first few weeks many of us were working from home in circumstances that were never anticipated by management. Now, we need to ensure that we manage our obligations regarding data protection, confidentiality, and information security if working from home and from the office have to sit side by side.”
At the beginning of lockdown, organisations had to move fast and were unlikely to have found the time to conduct a Data Protection Impact Assessment (DPIA) on the move to WFH. Strictly speaking, where the change was likely to result in a high risk to individuals (which a wholesale shift of personal data processing to home networks and devices may well be), this should have been done. And as WFH looks like it’s going to be more than a temporary measure, it’s worth doing now.
A DPIA could help you to identify risks you might not have considered, and allow you to think about measures to improve your protection of personal data.
Depending on your business and operating procedures, this exercise might also help identify the need for further staff guidelines and/or necessary changes to your policies.
Compliance in a work-from-home-environment by Robert Bond
Home working: preparing your organisation and staff from the National Cyber Security Centre
Data protection and working from home: what you need to know from the ICO
Getting your DPIA process on track from us here at the DPN
Employee health data
“Can we tell everyone that John in Accounts has got COVID?”
The next challenge was collecting new information about your employees and their health. In the past you didn’t necessarily need to keep a record of precisely why someone was off work. Suddenly, with a virus, you do need to know so you can protect other staff they may have come into contact with.
Furthermore, as the full lockdown lifted, some organisations have introduced temperature checks and other measures to protect their workforce.
The European Data Protection Board (EDPB) issued a helpful statement on the lawful basis for processing employees’ health data.
Do you need consent? No (and in an employment context consent would be tricky anyway, as employees shouldn’t feel they have to agree to something their employer asks for). The EDPB confirmed that the lawful basis is likely to be compliance with a legal obligation (such as health and safety duties towards staff) or public interest, with a matching Article 9 condition for the health data itself.
The guidance also provides a helpful reminder that privacy notices should be updated to reflect the new processing of health data in the current circumstances.
Remember employees have the right to be informed, just like your customers.
My colleague Simon Blanchard has looked at this in more detail, and in particular at biometric data: Are you monitoring your staff’s health during Covid-19?
(As for John in Accounts, it probably isn’t okay to tell ‘everyone’ he has COVID).
Monitoring staff working from home
How do you make sure your employees are actually working from home?
The majority of organisations will probably rely on a mixture of trust and evidence. However, more regulated industries will be required to have measures in place: for example, where you need to protect client confidentiality, monitor trading and/or check for market abuse.
Anecdotally, I have heard that companies providing software monitoring employee activity have experienced a spike in demand this year!
This is an area to tread very carefully. Remember the golden rule – is the processing you intend to carry out proportionate and within people’s reasonable expectations?
Just because you can do something, doesn’t necessarily mean you should.
Track and Trace
There have been sensational headlines about the misuse of contact details collected for track and trace purposes; stories about bar staff contacting people to ask them on a date.
And then there’s the bus worker in Cornwall who lost his job after sending ‘creepy’ messages to a woman who left her details for contact tracing purposes only!
Some organisations will be in the fortunate position of already having systems in place which can be adapted for collecting data for track and trace purposes. Others, like pubs, might be collecting their customers’ data for the first time.
Here are some simple rules to follow:
1) Only collect what’s necessary (e.g. name, contact number, arrival/departure time)
2) Tell people why you need their details
3) Keep the details secure and limit access to only those who need it
4) Only share when officially requested to do so (and be aware there are scammers about: verify that a request genuinely comes from the contact tracing service before handing anything over)
5) Don’t use the details for any other purpose and issue clear guidance to staff
6) Delete the information securely (for example, in England the requirement is to keep this data for only 21 days).
Remember, you cannot force someone to download the NHS COVID App and use the QR code. You need to offer an alternative method of collecting the information.
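The minimisation and retention rules above (rules 1 and 6) are simple enough to enforce in whatever collects the data, rather than leaving them to staff memory. The following is an added example, not code from the page or from any official track-and-trace tooling: a small Python visitor register that refuses any form field beyond name, contact number and arrival/departure time, and purges records once they are older than a configurable retention period (set to 21 days here, the England figure the page quotes; check current guidance before relying on it). The class and function names, and the sample visitors, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention period: the page states England required venues to keep
# track-and-trace details for 21 days. Assumed here; confirm against current guidance.
RETENTION_DAYS = 21

# The only fields the page lists as necessary. Anything else on the form is refused,
# so "we may as well ask for their email too" cannot creep in later.
ALLOWED_FIELDS = {"name", "contact_number", "arrived_at", "departed_at"}
REQUIRED_FIELDS = {"name", "contact_number", "arrived_at"}


@dataclass
class Visit:
    name: str
    contact_number: str
    arrived_at: datetime
    departed_at: Optional[datetime] = None


class VisitorRegister:
    """Hypothetical track-and-trace register: collects only what is needed, purges on time."""

    def __init__(self, retention_days: int = RETENTION_DAYS) -> None:
        self.retention = timedelta(days=retention_days)
        self.visits: List[Visit] = []

    def record(self, form: Dict[str, object]) -> Visit:
        """Accept a submitted form, rejecting any field that is not necessary."""
        extra = set(form) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing to collect unnecessary fields: {sorted(extra)}")
        missing = REQUIRED_FIELDS - set(form)
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        arrived_at = form["arrived_at"]
        # Timezone-aware timestamps only, so the retention arithmetic is unambiguous.
        if not isinstance(arrived_at, datetime) or arrived_at.tzinfo is None:
            raise ValueError("arrived_at must be a timezone-aware datetime")
        departed_at = form.get("departed_at")
        visit = Visit(
            name=str(form["name"]),
            contact_number=str(form["contact_number"]),
            arrived_at=arrived_at,
            departed_at=departed_at if isinstance(departed_at, datetime) else None,
        )
        self.visits.append(visit)
        return visit

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Delete every visit older than the retention period; returns how many were removed.

        A record exactly at the boundary (arrived precisely retention_days ago) is kept;
        one second older is removed.
        """
        now = now or datetime.now(timezone.utc)
        before = len(self.visits)
        self.visits = [v for v in self.visits if now - v.arrived_at <= self.retention]
        return before - len(self.visits)


if __name__ == "__main__":
    # Constructed sample data, not real visitors.
    register = VisitorRegister()
    opened = datetime(2020, 10, 1, 19, 0, tzinfo=timezone.utc)
    register.record({"name": "A. Visitor", "contact_number": "07700 900123", "arrived_at": opened})
    print(register.purge_expired(now=opened + timedelta(days=22)))  # removes 1
```

In a real deployment the register would sit on a spreadsheet, form tool or database rather than an in-memory list, and the purge routine has to delete from that store and from any exports or backups of it, otherwise the "delete securely" rule is only met on paper. Run the purge on a schedule (daily is plenty for a 21-day window) rather than relying on someone remembering to do it.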
The NHS App
The Government has faced many challenges, not least getting a contact tracing app up and running. It’s finally operational and I for one have downloaded it. Despite some issues, I believe any concerns for me are outweighed by the benefits. I know there are others that may not be so sure.
My colleague Julia Porter takes a look into the app’s privacy credentials; Is the new COVID app safe to use?
The DMA’s Michael Sturrock has also assessed it: Coronavirus contact tracing app is privacy secure but still has issues.
There may be further data challenges ahead (anything seems possible at the moment). The key is to keep checking that what we’re doing is reasonable, that we’ve told people, and that we consider data security at every step.
Philippa Donn, October 2020
If you feel it would be helpful to get some support and advice about your COVID-related data, or any other data protection matter, we can help. Just get in touch for an informal chat.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.