Article written by: Ian Cooley - GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK
Although Covid-19 has caused a great deal of unprecedented disruption for businesses, the General Data Protection Regulation (GDPR) [and the UK equivalent, the Data Protection Act 2018 (DPA2018)] still applies.
The Information Commissioner’s Office (ICO) has acknowledged that personal information might need to be shared quickly or that your ways of working may need to be adapted to reflect fewer staff being available.
Data protection legislation will not stop you from doing that; it is about continuing to do things in a manner that respects an individual’s personal information and safeguards it from inappropriate disclosure.
There are two key aspects to the current situation:
Health information
Fundamentally, health information is Special Category Information, and its additional safeguards and consent requirements still apply.
For processing health information, you need a secondary condition for processing in place. The usual one for health information is explicit consent where the individual allows you to record their current health situation.
However, because of the importance of legally obtaining health information to fight this pandemic, you are likely to rely on vital interests or public health, depending on the type of organisation you are. For example, care homes would look to use vital interests in order to protect vulnerable residents. If the individual has already made the information publicly available, this could also be your secondary condition.
Anonymised sharing of information
Even where a member of staff has provided you with health information, it can be anonymised if you need to share it. For instance, you can tell your staff that a colleague may have contracted Covid-19 and is self-isolating; however, you probably don’t need to name the individual, and you shouldn’t provide more information than necessary.
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them. It’s reasonable to ask people to tell you if they have visited a particular country or are experiencing Covid-19 symptoms. However, you can minimise the information you collect by simply advising staff to call 111 and comply with Government advice.
Remote working
With one of the key measures to prevent the spread of Covid-19 being social distancing, huge numbers of people are now working remotely. This does, however, pose some information security risks, with potentially less secure access to your systems and the potential use of non-organisational devices.
Staff should be aware that they still need to ensure the security of the information that they have access to and use it appropriately.
Remote working essentials – Employees
Remote working essentials – Employers
Remote working enhancements – Employers
Emails
Paper records
Don’t forget that GDPR applies not only to electronically stored or processed data, but also to personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
If you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
Key takeaways
Tips
In summary
Data protection legislation will not stop you from working remotely from home; it is about continuing to do things in a manner that respects an individual’s personal information and safeguards it from inappropriate disclosure.