As the UK went into lockdown, organisations have had to quickly find solutions to new challenges. New situations mean new decisions have had to be made which could impact on the privacy of their employees, or indeed the wider public.
This doesn’t just effect organisations in health or social care sectors, who are handling patient and medical data, but also others which handle less sensitive data that still has the potential to cause harm.
The ICO has published fresh content and support via its blog. They flagged up 3 key privacy considerations for Covid-19: protecting the public interest, enabling responsible data sharing and monitoring intrusive and disruptive technology.
So, what can we all do to protect the privacy and uphold the data rights of individuals at this challenging time?
Lots of us are working from home. As we started to use video conferencing tools in our droves, Zoom came under scrutiny when its settings, designed for ease of use more than for privacy, allowed people to ‘bomb’ into an open Zoom meeting. This led to a rather speedy privacy upgrade to fix the problem.
Homeworking using a company laptop which is encrypted might not present a major privacy problem, but what about those who work from home use their own devices to access work emails or to get onto the network?
You might consider, for example, ‘Have we got sufficient information security in place?’ and ‘Should we remind staff about our Acceptable Use Policy?’
If you are asked to share data with public health or other government authorities, in most situations it is likely to be best to share the data in an anonymised form, so that specific individuals cannot be identified. Using anonymised data means the sharing will fall outside the scope of data protection rules.
Some have asked ‘Is it OK to tell staff if someone has contracted the virus?’ The ICO says that you should keep staff informed about cases in your organisation, however, you probably don’t need to name individuals and you shouldn’t provide more information than necessary.
In general, the identities of individuals to whom the medical data belongs (e.g. suspected or confirmed COVID-19 cases) should only be revealed if there really is a compelling justification for doing so.
Minimising the collection of COVID-19 data
In certain situations it might be necessary to process the location data of individuals in new ways, e.g. to track the spread of infection. The Government COVID-19 app has attracted a lot of scrutiny. The European Data Protection Board (EDPB) suggests such tracking “could be considered proportional under exceptional circumstances,” although it “should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles”.
The EDPB says this should include ensuring proportionality and limits on data retention. They go on to say, “The least intrusive solutions should always be preferred.” Thanks to IAPP for highlighting this.
A lot of information is being made publicly available about the actions which governments and other organisations are taking to tackle the spread of infection. Co-ordination of information has been actively encouraged.
Businesses which receive a request to share personal data with government agencies relating to the pandemic (i.e. data which is not anonymised) must, if they plan to share data, communicate this to its data subjects. And when sharing data, just as for other processing tasks, businesses should confirm the following:
- the purposes of the processing
- the relevant lawful basis
- whether you plan to share COVID-19 data with government or other parties
- how long you intend to retain the data
This also ties in with GDPR Article 30 requirements to keep Records of Processing Activities, which must include any data sharing activities.
The current situation is very fluid and changing daily. But I think we can expect that the privacy of individuals will continue to attract much scrutiny and debate as this awful pandemic plays out.
Simon Blanchard, May 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.