Have the rules on GDPR been relaxed given Covid-19?
The UK's data protection laws are fully in force and have not been suspended or relaxed. Organisations will need to take extra care to ensure that they remain compliant with the GDPR and other data protection regulation in these challenging times.
For example, the 72-hour timescale for reporting breaches to the UK's data protection authority, the ICO, and the 1-month timescale for responding to data subject access requests still apply.
It is worth reminding everyone in the organisation of their continuing obligation to report any data protection breaches internally. This is particularly important where people are taking on unfamiliar roles as a result of a reduction in active staff numbers, as undertaking a new role may increase the risk of a breach.
If you are unable to comply with time frames due to remote working or reduced staff levels, you should document why you took a certain approach and how that has maintained good data protection practices.
Am I able to let the rest of the office know if a colleague has been diagnosed with Covid-19 or started displaying symptoms?
A key principle of data protection law is that personal information should only be shared where it is necessary to do so. So, where an individual is symptomatic of Covid-19, it might be necessary to share that (special category) information with others in the workplace so that they can keep an eye out for symptoms and self-isolate accordingly. It is unlikely to be necessary to share that person's identity. It should only be shared in limited circumstances, e.g. with the explicit consent of the individual.
Can I use my personal laptop to work from home?
The answer to this will vary in each organisation, and each organisation should have an appropriate home working policy in place to regulate how employees work from home (which will also cover health and safety aspects as well as the practical steps that should be taken from a data protection perspective).
Use of cloud-based remote working platforms on your own devices may be a good compromise, but care should be taken to ensure that the device you use is secure and your connection to your organisation's platform is unlikely to be compromised. This will include steps such as ensuring up-to-date anti-virus software is installed on the device. Avoid using personal email accounts and ensure that work is saved into your organisation's software rather than locally to your device where possible.
What extra precautions should I be taking to keep personal data confidential when working from home?
It can be tricky when working from home to keep matters private, particularly where there are multiple members of the family around. Try to give yourself a separate room to work in if possible and, for work conversations and online meetings, make sure you go into a separate room where you cannot be overheard.
Print items as infrequently as possible and follow your organisation's home working policy when destroying paper documents (some employers may require you to shred at home, others may prefer you to hold on to paper documents securely and then shred them centrally).
Finally, remember that criminals will see the current situation as an opportunity to take advantage of organisations, with increasing opportunities for cyber fraud. Scams are already in circulation: for example, criminals are posing as HMRC or senior colleagues in an attempt to maliciously obtain financial information and access to computer systems from unsuspecting organisations and individuals.
We're trying out new software to help us when working from home. What should we be thinking about?
There are a variety of platforms available to help improve the ability of employees to work from home; however, each comes with its own risks, each of which will require mitigation. It may be that some products are suitable for internal team meetings or social interactions, but not for sensitive discussions or sharing documents.
In each case, you should consider whether to undertake a data protection impact assessment (DPIA).
A DPIA is required where the proposal is likely to result in a high risk to individuals, but it is good practice for all new software projects.
A DPIA assesses and sets out a process for mitigating the risks identified. Documenting this process through a DPIA is helpful in showing compliance with your data protection requirements, even where it is not strictly required by data protection law.
What concerns should we bear in mind with our office closed?
Whilst an office is closed, proper security measures should of course be in place to minimise the risk of any theft or unauthorised disclosure of information. It's also important to ensure that there is some continuing form of monitoring of the office.
Essential maintenance of IT servers may require some physical attendance at the office. Regular checks of any postal communications should also be maintained, not least because service of claims, contractual notices and other documents may still be taking place even where the office is closed.
If only one member of staff is taking on the role of reviewing post, proper procedures should be established to minimise the risk of personal information being inappropriately shared. The individual should take extra care to ensure documents containing sensitive information are only sent to the members of staff to whom they relate, thereby minimising the sharing of this information. The individual going into the office should follow lone worker policies (which should be in place to ensure the safety of the member of staff).