Coronavirus and GDPR: How does COVID-19 impact data protection?
24th March 2020
The UK’s Information Commissioner’s Office (ICO) have responded to businesses who are worried that their data protection practices and procedures may not meet their usual standards given the unprecedented challenges facing all workplaces in the wake of the Coronavirus (COVID-19) pandemic.
The ICO have stated that, effectively, they will to a certain degree be relaxing their regulatory actions as they “understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work.” The ICO have reassuringly stated that they will not penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.
This does not mean that businesses who process personal data can breach data protection laws with impunity but that the ICO are taking a pragmatic approach to the situation. Organisations should continue to respect the data protection principles as set out in the General Data Protection Regulation ("GDPR”).
It should be made clear that the statutory data protection deadlines (e.g. one month to respond to a subject access request) have not been altered, however, the ICO’s advice is to tell people that they may experience understandable delays due to the pandemic.
One of the more prevalent data protection concerns during the pandemic is the increase in staff working from home. Data protection is not a barrier to flexible working arrangements, though, organisations should have in place a Home Working policy to ensure that staff members implement the same type of security measures at home that they do (or should do) in the office environment.
Examples of this include:
• Ensuring that written information is not left out on desks or work areas;
• Telephone calls where personal data and confidential information are being discussed should take place out of earshot of other individuals;
• Computer screens should be locked when not in use or you leave your desk;
• Anti-virus software should be up to date and on the latest versions (particularly relevant if staff are dusting off old laptops to use at home).
Should one of your staff contract the Coronavirus you should advise your workforce so that they can take suitable protections. Crucially, the ICO have advised that you “probably don’t need to name individuals and you shouldn’t provide more information than necessary.” Remember however that data protection does not prevent you undertaking your duty of care to staff and your obligation to ensure the health and safety of all employees.
Should you have any data protection concerns about your business during the Coronavirus pandemic please contact us. WJM will remain open (operating on a Home Working Policy for most) and ready to assist and advise you during this difficult time.
The information contained in this newsletter is for general guidance only and represents our understanding of relevant law and practice as at March 2020. Wright, Johnston & Mackenzie LLP cannot be held responsible for any action taken or not taken in reliance upon the contents. Specific advice should be taken on any individual matter. Transmissions to or from our email system and calls to or from our offices may be monitored and/or recorded for regulatory purposes. Authorised and regulated by the Financial Conduct Authority. Registered office: 302 St Vincent Street, Glasgow, G2 5RZ. A limited liability partnership registered in Scotland, number SO 300336.