How data protection is affected by the coronavirus outbreak

Businesses processing personal data need to keep the protection of customer and employee data at the front of continuity planning as they tackle the coronavirus threat.

The increased risk of data security lapses

Staff are likely to be working remotely or under different circumstances which could make customer information more vulnerable to data breaches. Further, data relating to employee health during the pandemic may be subject to special security requirements.

Businesses are implementing contingency planning with staff working from home and using domestic internet and possibly personal devices to access cloud-based software and systems, making it more important than ever to keep data safe and secure.

While data protection law doesn’t stand in the way of homeworking, or the use of personal devices, it demands even greater attention to security measures.

The human element is often the reason for most data breaches and without direct supervision and colleagues to consult, these may be more likely to happen. Certainly, there are reports of a steep rise in attempted cyber fraud, with many more phishing emails, malware and social engineering.

Handling data belonging to affected people

The other major threat to data security during the crisis is the handling of individual information about staff and visitors, which might include who has travelled to high-risk areas, symptoms, test results and when self-isolation has taken place. This is personal data protected by GDPR, but in addition, where it concerns health it may be special category data under Article 9 of GDPR, which requires further grounds for processing.

Employers will most likely want to rely on the ground in Article 9(2)(b) (“employment, social security and social protection”) to process special category data about their employees. In the UK the Health and Safety at Work Act 1974 says that companies must take steps to look after the health, safety and welfare of staff. This means that it is reasonable, and normal, for businesses to collect certain information as part of their general duty to their staff. There is a clear limit to what employers can collect, however, just as the new guidance from the government makes clear that they expect most employers to collect data about coronavirus just for the purposes of assisting their staff, rather than making plans or a strategy for dealing with it, which are to be left to the NHS. There may be other grounds that businesses can rely on – these will depend on the circumstances and the likely impact of doing so.

Employers should also still be very mindful of the overarching data minimisation principle; that they should only collect what is strictly needed for the task in hand. This means applying limits to what they ask and not having a ‘one size fits all’ approach, since what may be relevant for one person could be irrelevant for another, and collecting that irrelevant information would infringe the minimisation principle.

The ICO has published guidance in the form of FAQs about how to handle data during the outbreak, which employers are encouraged to read. Useful points include what information they consider in principle can be collected from staff. They also emphasise that while they say they will be pragmatic about matters such as the speed of response to information requests during the crisis, there is no suggestion that they will accept reduced standards of data security.

Should you have any specific questions as to how this relates to your business please contact David Sloman or a member of Ashtons’ technology team on 0800 915 6037.

This information is correct at 10.30am on 25 March 2020.