In the shadow of a national lockdown, a viral pandemic, and with the looming prospect of an economic recession on the horizon, one might be forgiven for thinking that the question of compliance with data protection law would take a back seat for most businesses. Unfortunately, the increasing numbers of employees working from home bring with them a host of privacy and security issues which fall squarely within the purview of the Data Protection Act 2018. Nor do the current circumstances relieve businesses from their compliance obligations to:
- provide individuals with information about how their personal data is being used;
- respond to data subject access requests (“DSARs”) and other requests by individuals to exercise their data rights;
- take appropriate technical and organisational measures to make sure that personal data is stored and processed safely; and
- comply with the data protection principles.
Whilst the Information Commissioner's Office say it is taking a pragmatic approach to compliance, their stance makes it clear that the outbreak of COVID-19 is no excuse for non- compliance.
Working from home
If you or other members of your team are working from home, it is important to keep your data protection and confidentiality obligations in mind. Home computers and routers are typically regarded as soft targets for hackers, since the average user is unlikely to take the same precautions as a dedicated security team with sensitive commercial data to protect. Security experts have already noticed a spike in hacker activity - much of it targeted at business users. Consider the following suggestions when working from home, to minimise the possibility of data breaches and ransomware attacks.
1. Restrict employees from emailing confidential material to themselves
Data protection law obliges all businesses to take appropriate technical measures to safeguard personal data. When business laptops are slow due to an unstable connection, or employees are unable to print from their home printer, it can be very tempting simply to transfer documents across to a much faster home computer or personal iPad. Employees must be discouraged from doing so in no uncertain terms.The transfer of confidential material to an unsecured hard drive is an open invitation to an unscrupulous hacker. If an employee works on a document from a home computer that is already infected with a virus, sending it back to their work machine or on to one of their colleagues could spread that infection to the entire business network. Much like COVID-19 itself, employees should practice digital distancing between their personal and professional devices. If the business needs employees to use their own devices, it may be advisable to purchase licences for a well-regarded antivirus package, and allow employees to install it at home.
2. Secure materials when not in use
Any printouts, handwritten notes or documents left on screen could display personal data to other members of the household. Consider keeping all printed documents in a specific cabinet, and retaining them until such time as they can be securely shredded. Many people now have shredders at home, but if in any doubt about how to dispose of documents, consider encouraging your employees to simply hold on to them and bring them back into the office when the lockdown ends (provided they can keep them secure in the meantime).
3. Send out training materials
If a data breach does happen, the ICO will want to know what measures were taken to make sure that employees were properly trained in how to manage personal data remotely. Consider sending out training materials about data security, how to recognise phishing attempts, and who to contact if a data breach occurs. Remember that the ICO will hold the employer responsible for the actions of its employees.Back to the top
Responding to data subjects
Data protection law has always advocated a proportionate approach to compliance. In the same way that an SME will not normally be placed under the same compliance burden as a FTSE 100 corporation, the law does not require businesses to put data protection above all else. Whilst any DSARs or other requests submitted by individuals must be dealt with as before, it is not unreasonable to warn them that the process may be delayed. As ever, care should be taken to document the response and decision-making process, and note how COVID-19 has caused it to take longer than it otherwise would. Back to the top
The principles
Where there is any doubt about the extent to which a business must comply with data protection law in this unprecedented time, the data protection principles may be able to provide some guidance. As a reminder, the principles state that personal data must be:
- processed lawfully, fairly and in a transparent manner;
- only processed for the purposes it was collected for;
- only collected and processed where necessary to fulfil those purposes, and not in an excessive way;
- accurate and kept up to date; and
- only kept for as long as is necessary.
Complying with the principles above all, and keeping a record of that compliance, will be critical in the event of a dispute regarding data handling, and proving to the ICO (the onus always lies on the organisation, not the ICO) that the business takes privacy just as seriously as ever. Back to the top
If you would like to talk through the consequences for your business, please email us and one of our team will get in touch.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.