Coronavirus, home working and Data Protection
I have had interesting conversations this week about the Data Protection implications of the coronavirus pandemic, particularly when almost all lawyers are now working from home.
I have previously mentioned the need for employers and staff to be aware of their responsibilities and to take sensible precautions.
The Information Commissioners Office has published helpful advice. It is clear that in these exceptional times, they will take an exceptional approach to compliance.
They key points are –
1. The ICO acknowledge that it might take longer to comply with a DSAR request because of limited resources – “We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” They have no power to extend deadlines but – “will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic”
2. As far as working from home is concerned the advice is simply to follow the same security measures that you would normally follow. Many firms have a working from policy but not all. If not you will need to put measures in place. These are, in the main, common sense –
(a) If papers are taken home, this needs to be recorded so you know what is where. Staff need to take care that any papers are stored in a way that protects them being accessed by a third party. In the current climate there are likely to be limited visitors in any event.
(b) Staff should be advised to avoid discussing confidential client matters with friends and family, particularly during telephone conversations with clients, colleagues and other parties,
(c) Are emails encrypted and are sensitive documents sent and received securely?
(d) What help is available to staff? What do they do if they suspect a breach
3. The advice is that there should not normally be any need to gather health information about staff. The guidance is that they should tell you if they have visited a particular country or have symptoms and to call 111. This should keep data to a minimum. You can advise staff if someone has contracted COVID-19 but there is no need to name the individual or to provide more information than is necessary,
4. Data protection law will not prevent you from sharing health information with authorities with where necessary although this is unlikely.
The ICO make it clear that they will be reasonable and pragmatic.
I have heard of some businesses using data protection concerns as a reason for not allowing staff to work remotely. This approach has been out of date for years but is even more so in the current difficulties.
There is an ICO helpline at – 0303 123 1113