In reaction to the increasing number of coronavirus cases, the Government has ordered most businesses providing ‘non-essential’ services to close their offices and other work premises and, where possible, to require their employees to work from home.
To support those HR teams facing a data protection headache from this quick transition to home working, we’ve outlined some essential tips for dealing with personal data during the Covid-19 crisis.
Think about security
Having employees working from home multiplies the number of networks, applications and user interfaces through which personal data is accessed. These are the three main points in an IT system where data is most vulnerable, so it is important that organisations are mindful of the data security risks.
Where possible, businesses should use ‘mobile device management’ (MDM) to remotely manage and monitor an employee’s personal device (for example, through remote wiping and location tracking).
Take care if using own devices
If employees are using their own mobile phones and laptops for home working, those devices are likely to be used for social purposes as well as for work. By accessing websites and uploading photographs and other content, employees could unintentionally infect their device with viruses or malware that could provide a backdoor into the company’s systems.
To avoid this risk, organisations should try to provide business phones and laptops for home working. Where this is not possible, ‘sandboxing’ should be used to create a secure section on an employee’s device to be used exclusively for company matters.
Shared work spaces
For many people, working from home involves working in an area which is shared with other people and may even involve using computers and other IT equipment that is accessed by others. This sharing of work space and equipment brings with it an increased risk of breaches of confidentiality and data protection.
Where home working involves printing or handling documents and other tangible materials, staff must be given suitable facilities to store those materials and to shred them or otherwise dispose of them in a confidential manner when they are no longer needed.
Ensure no one is listening…
It is important that people working from home ensure that confidential information and personal data are not accessible to others (even family members). This requires them to keep documents secure, to ensure that computers are protected by suitable passwords and two-factor authentication, and to log out or disconnect when they are away from the computer.
It is also crucial that telephone calls and video conferences that involve the sharing of confidential information or personal data are held in private.
… including Alexa
Smart speakers such as Alexa and Google Home have listening facilities to enable them to know when people are trying to activate them and these listening facilities can also be accessed by Amazon or Google employees for the purpose of ‘improving voice-recognition features’.
It is difficult for users to know whether their smart speakers are recording, so it is advisable for home workers such as HR professionals, doctors, lawyers, social workers and teachers to change their privacy settings or unplug their devices when working, to ensure that any confidential conversations are not inadvertently overheard or recorded by their smart speakers.
Put in place a simple remote working policy
Faced with the rapid spread of the coronavirus, businesses are likely to be implementing home working arrangements urgently and will not have time to craft a fully rounded remote working programme.
Where speed is of the essence, organisations should focus on communicating with staff via a simple remote working policy that sets out:
What staff can and can’t do with their home working devices (including potentially what software they can use)
What steps staff should take to keep personal data and confidential information secure
What level of control and visibility the employer may have over home working devices (so users know what to expect)
What happens if the device is lost or stolen, or the employee leaves the company.
Be extra careful with special category data
Under the GDPR and Data Protection Act 2018 (DPA 2018), health information such as coronavirus exposure, symptoms or risk categorisation is classed as a ‘special category’ of personal data, which requires an additional layer of protection due to its sensitive nature.
Special category personal data can only be processed where there is both a lawful basis for processing (as set out in Article 6 GDPR) and where there is an additional condition for processing that special category personal data (as set out in Article 9 GDPR and Schedule 1 DPA 2018).
Avoid relying on consent
Where organisations collect special category data relating to visitors and other service users, they may rely on the data subject’s consent to justify processing that data. However, employers who seek to rely on consent should be mindful that, in an employment context, consent is often deemed to be invalid because the employee feels compelled to provide the information due to the imbalance of power in the employee / employer relationship.
If your employer asks for your consent to do something, how free do you feel to refuse that consent?
Because of this, the main basis on which HR teams will be processing special category data is that the processing is necessary for them to comply with their obligations as an employer in ensuring the health, safety and welfare of their organisation’s employees.
Warn staff, but don’t share too much personal information
The Information Commissioner’s Office (ICO) encourages employers to keep staff informed about coronavirus cases in their organisation where this is necessary to avoid the risk of exposure or to manage resourcing. However, there is no need to name the individuals concerned and HR teams should be careful not to provide more information than necessary.
Try not to worry
While there has been a lot of noise about the ICO’s ability to issue huge fines for data breaches, the ICO has issued some brief data protection guidance on the collection of personal data in relation to coronavirus.
In its guidance the ICO recognises ‘the unprecedented challenges that we are all facing’ and understands that ‘resources and data protection practices may be deviated from usual compliance’. The ICO reassures that ‘it will not penalise organisations that need to prioritise other areas or adapt their usual approach’ during these challenging times.