As the world gets to grips with Coronavirus and its implications for businesses’ work practices, businesses are currently looking at their contingency plans and considering the implications of having to facilitate employees working from home if they have to self-isolate or there are wider “social distancing” measures implemented by the government.
When it comes to personal data this poses some interesting challenges for businesses – GDPR after all, continues to apply whether your employees are working from home or in the office, so make sure your contingency plans include GDPR protections and documented procedures for working from home, no matter how temporary that home-working may be. But that’s not all – if you have employees who are being tested or self-isolating and you’re processing their health data (e.g. that they have been tested for Coronavirus), that data is special category data which has special protections under GDPR and you may not be able to process it in the way you would think you could.
So, I’ve put together some checklists of things you should consider to implement and produced an information sheet you can download and share around your business about working from home, and also set out considerations if you’re processing Coronavirus related data.
6 things to do when considering your Coronavirus/working-from-home planning
- Carry out a Data Protection Impact Assessment (DPIA), particularly if this is the first time employees will have worked away from the office. A DPIA is essentially a data processing risk assessment and will help you identify the GDPR risks from your processing and help you work out how to mitigate those risks. The ICO has some detailed guidance on DPIAs and provides a template you can use. The kinds of risks you will need to consider include:
  - Will your employees be using their own devices to access personal data or will you be providing work ones? What are the implications of using their own?
  - What security measures can you put in place on devices in case they get lost or stolen? Is data encrypted, are passwords secure, etc.?
  - What protections are in place for when the devices are not in use? Will they be locked away?
  - Will anyone else potentially have access to those devices in the home setting (e.g. the employee’s partner, children, visitors, etc.), particularly if the device is a personal one?
  - What are the risks of connecting to the internet and accessing personal data, particularly if the employee needs to rely on public wi-fi (if any is accessible in the case of a lock-down)? Can you implement some form of secure connection for the devices (e.g. a VPN, or Remote Desktop)?
  - What are the risks of accessing cloud-based applications outside the office environment? How do you protect against employees remaining logged into the services or storing passwords for access in their browsers, etc.?
  - What virus protection is in place and is it up to date? How can you help ensure personal devices are protected?
  - Is the devices’ software up to date (to protect against any patched security vulnerabilities)? Can you help your employees if they are using their own devices?
  - How do you mitigate any risk from your employees’ own systems or practices that could impact data security? For example, how do you stop employees using their own personal accounts to process data?
  - How can you prevent unnecessary data duplication or retention on devices, particularly when they are personal devices?
  - Do you have any paper records that will be processed outside the office? If so, how will you make sure your employees can adequately protect them?
  - What do you need to put in place to make sure you can deal with subject access requests and other individuals’ rights, particularly if not all data is accessible remotely and working from home is maintained over a long period of time?
  - What will you do about any company data stored locally on remote devices during the remote working period?
- Provide your employees with an up to date IT security policy which includes information about appropriate practices when working away from the office
- Document your approach in an internal policy, so everyone is clear about your internal approach to remote working
- Make sure your employees understand their responsibilities. If possible, produce an information sheet that summarises best practice when working away from the office and ask them to sign to acknowledge that they understand it and that they will not retain data on their own devices after the remote-working period is over
- Make sure everyone is up to date on GDPR – send round a reminder about the basics of data protection, what they should do if they suspect a breach, or someone wishes to exercise their data rights, etc.
- Remember that data about someone’s health is classed as special category data and therefore
Data about employees and their health is special category data
If you are processing data about someone’s health, such as their Coronavirus status, you are processing special category data which has special protection under GDPR. Specifically, when processing special category data, you not only need a lawful basis for processing, but the processing has to meet one of the requirements of the GDPR’s Article 9 conditions which restrict processing in general (although there are exemptions in the Data Protection Act 2018 that can apply to substantial public interest, and in the context of employment, health and safety, etc.).
So, if you find yourself recording (and therefore processing) Coronavirus related data about your employees, make sure:
- You understand (and therefore document) what you’re collecting and why you are collecting that data. Why is it necessary? Why is it lawful for you to do so?
- Only collect the minimal amount necessary – if you don’t need to keep anything about it, then don’t
- You understand your lawful basis for collecting and processing the information and which Article 9 special category data condition applies – in the realms of employment/HR you are likely to rely on the “Employment, social security and social protection (if authorised by law)” condition, due to your legal health and safety obligations towards your employees
- You are not forcing employees to provide information, particularly if you don’t really need it – remember the key is that you understand what to do if one of your employees falls ill, not necessarily record information about their condition
- You restrict who has access to any data relating to medical information – it should be on a need-to-know basis, typically the HR team and line manager
- You don’t unnecessarily disclose information about an employee to anyone else (internally or externally) unless required by law – so your team should know that someone has tested positive for example, but don’t necessarily need to know the name of the person; and their name should not be disclosed to local media, for example
- Be open and transparent with your employees about what you expect from them, what data you will collect, why and what will happen with that data
Download and share internally our information sheet to remind your team about the importance of getting GDPR compliance right at this time.
The ICO has published some limited guidance which may provide some assurance to businesses about their GDPR obligations during the crisis; specifically, to date they have posted:
Offer of assistance
If you need help getting your head around the GDPR implications for your business whether because of staff working from home, or your HR team processing special category data, we’re able to offer you free advice. Just contact us with your query and we’ll try to help you for free.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR