In light of the developing situation with coronavirus (COVID-19), the ICO continues to release guidance for organisations on how it will approach data protection compliance in these unprecedented times.
The key takeaway for public authorities is that organisations must be able to work together to combat the pandemic:
“The top line here is a recognition of the importance of organisations being able to work together to respond to this pandemic. Data protection law will not stop this happening.”
This suggests that the ICO will prioritise public health over strict compliance, and that data protection should not be a barrier to effective working with other organisations. In practice, this will mean that public authorities should be considering effective, but limited, data sharing with other organisations where this is essential to get help to those in need. It also means prioritising the health of your staff. Home working should be permitted as far as possible, although this will present some challenges in terms of data protection compliance.
Whilst the ICO appears to be taking a relaxed approach to some areas of compliance, for example statutory deadlines for responding to requests for information, we anticipate that this will not extend to all areas of compliance, most notably information security practices. The current situation will not be a valid excuse if there is a data breach caused by lax security measures. It will be difficult (but not impossible) for public authorities to maintain information security standards for home workers.
Therefore, we suggest that you ensure:
- You have issued specific guidance to staff who are home working. The guidance should include advice about keeping papers somewhere safe and making sure that family members cannot see confidential information on screen, as well as guidance on disposing of confidential waste. Much of the guidance should already be contained in your staff data protection policy or information security policy, and this guidance will remain the same now – such as not using public wi-fi.
- You have given staff the tools to enable them to work from home securely, for example, secure remote access. The current situation does not mean that staff would be permitted to email confidential information to their personal email addresses. The ICO will expect that home working set-ups do not rely on this as a means of accessing information.
- All staff are aware of, and have the contact details of, the DPO, who should be on hand to answer any questions that they may have about best working practices while at home.
Another area of concern is how much information can be shared with colleagues about the health of their fellow workers. It is the view of the ICO that you may tell staff if a colleague has caught coronavirus but that you “probably don’t need to name individuals and you shouldn’t provide more information than necessary”. We therefore recommend that staff are kept updated on a need-to-know basis, and that information sharing is limited to that which is strictly necessary.
The ICO has produced a Q&A section on its website which contains further detail on the points outlined above.
For specialist support in making home working measures data protection compliant, please contact Andrew Gallie in award-winning law firm VWV’s Information Law team on 0117 314 5623, or at firstname.lastname@example.org.