As the UK moves into the next phase of its response to the COVID-19 pandemic, organisations will face a new set of challenges when it comes to thinking about data protection compliance. In this update we look at three areas:
- reviewing remote working procedures
- the use of COVID-19 contact tracing apps
- testing staff for COVID-19
Reviewing COVID-19 remote working procedures
Given the speed with which restrictions on movement were imposed, many organisations had to move quickly to remote working. Policies and procedures designed for occasional remote working by a small subset of the workforce may not work so well when all or almost all staff are working remotely. For example, staff may be engaged in tasks that policies did not contemplate would be carried out remotely, or may be using new software or services that had to be rapidly rolled out to staff. Alternatively, staff may be using workarounds in the absence of an official solution.
The Information Commissioner’s Office has said that it will adjust its regulatory approach to reflect the staff shortages and financial pressure that organisations are suffering during the COVID-19 pandemic.
However, that flexibility will only go so far. While the ICO may be understanding in relation to personal data breaches and non-compliance arising out of sudden organisational change, that understanding is likely to taper as organisations have had time to assess and address the risks properly and to provide staff with additional training.
Following the latest updates from the Government, it is clear that many people will be continuing to work from home for the foreseeable future. Now is therefore a good time to review your policies and procedures, and the equipment and systems that you provide to staff to ensure that they are fit for purpose. For example:
- Are your policies up to date or do they reflect pre-COVID-19 working practices?
- Do you know whether staff are using non-approved video conferencing or other communication platforms? If so, can you provide guidance on what should be used instead?
- Are people printing at home? If so, what are they doing with confidential and sensitive material?
- Does your remote working policy envisage homeworkers having certain equipment or systems that have only been made available to limited numbers of staff?
- Do you need to provide staff with any additional training to help ensure that they handle data properly?
- If your organisation does not have a homeworking policy, then you can download our Employment Team’s temporary homeworking template, which can be supplemented with additional information on information security
- ICO Covid-19 and remote working guidance
- NCSC homeworking guidance
- ICO: How we will regulate during coronavirus
COVID-19 Contact tracing apps
The Government has now commenced trials of the new NHS contact tracing app.
As the Government has not yet published a privacy notice or data protection impact assessment for the app, it is not yet possible to assess the app's privacy issues properly. Use of the app will be voluntary and early reports suggest that sharing of location data will be optional, though the clear message from the Government is that it wants as many people as possible to download and use it.
If the app is voluntary and there is no requirement on individuals to carry their smartphone with them at all times, then organisations will need to think carefully about whether it is possible or appropriate for the official UK app to form part of any measures introduced by organisations to enable staff to return to work or for visitors to their premises.
While organisations may be tempted to deploy the app on corporate devices, making the app mandatory will raise issues under both data protection and employment law, and doing so may lead to the employer becoming a joint controller for data protection law purposes. Asking staff to download the app on personal devices will raise similar issues.
- NCSC high level privacy and security design for the NHS COVID-19 contact tracing app
- ICO: Combatting COVID-19 through data: some considerations for privacy
Testing staff for COVID-19
Some organisations may want to use rapid testing so that workers showing symptoms, or who have potentially been exposed, can quickly establish whether they are infected and need to quarantine or self-isolate. Given the constraints on testing services provided by the NHS, some organisations may look to develop (or engage third parties to provide) internal rapid testing services for their workforce.
Testing raises a number of data protection issues:
- How will your testing facility operate? Do you have staff who have been properly trained in handling health data?
- If a third party is providing the testing services, have you carried out appropriate diligence and put in place an appropriate contract?
- Are you confident in the accuracy of the testing? Will the results lead to any automated decision-making?
- What is your legal basis for processing the data?
- What information are workers asked to share? Is testing voluntary or mandatory?
- What records will you create and retain? Where and how will these be held? How will they be kept secure?
- Who will have access to testing information?
- Have you updated your worker privacy notice? Do you need a “just in time” notice for the testing service?
- How will you deal with agency staff and contractors?
Taking temperatures or using health questionnaires to assess the potential infection risk of workers or visitors, or using antibody tests or immunity passports in recruitment, will raise similar issues.
It is essential that organisations carry out a data protection impact assessment to help identify, document and mitigate the data protection risks.
- Read our previous update on the ICO’s guidance on asking staff to share health information during COVID-19
Data Protection Update webinar and more information
We will be covering these issues and many more in our Spring Data Protection webinar. You can register on the Brodies website.