Businesses processing personal data need to keep protection of customer and employee data at the front of continuity planning as they tackle the coronavirus threat.
The increased risk of data security lapses
Staff are likely to be working remotely or under different circumstances, which could make customer information more vulnerable to data breaches as cyber-criminals ratchet up their fraudulent scams. Alongside this, data relating to employee health during the pandemic may be subject to special security requirements.
Businesses are implementing contingency planning with staff working from home and using domestic internet and possibly personal devices to access cloud-based software and systems, making it more important than ever to keep data safe and secure.
While data protection law doesn’t stand in the way of homeworking, or the use of personal devices, it demands even greater attention to security measures, as the ones you use in the office will need to be tailored to suit these new circumstances.
Human error is behind most data breaches, and without direct supervision or colleagues to consult, such lapses may become more likely. Certainly, there are reports of a steep rise in attempted cyber fraud, with many more phishing emails, malware and social engineering attacks in which fraudsters dupe staff into revealing information or making money transfers.
Handling data belonging to affected people
The other major threat to data security during the crisis is the handling of individual information about staff and visitors, which might include who has travelled to high-risk areas, symptoms, test results and when self-isolation has taken place. This is personal data protected by GDPR, but where it concerns health it may be special category data under Article 9 of GDPR, which requires an additional lawful ground for processing this kind of data.
Employers will most likely want to rely on the ground in Article 9(2)(b) (“employment, social security and social protection”) to process special category data about their employees. In the UK the Health and Safety at Work Act 1974 says that companies must take steps to look after the health, safety and welfare of staff. This means that it is reasonable, and normal, for businesses to collect certain information as part of their general duty to their staff. There is a clear limit to what employers can collect, however: the government’s new guidance (https://www.gov.uk/government/publications/guidance-to-employers-and-businesses-about-covid-19) makes clear that it expects most employers to collect data about coronavirus only for the purposes of assisting their staff, rather than for making plans or a strategy for dealing with it, which are to be left to the NHS. There may be other grounds that businesses can rely on – these will depend on the circumstances and the likely impact of doing so.
Employers should also remain very mindful of the overarching data minimisation principle: they should only collect what is strictly needed for the task in hand. This means applying limits to what they ask and not taking a ‘one size fits all’ approach, since what may be relevant for one person could be irrelevant for another, and collecting that irrelevant information would infringe the minimisation principle.
The ICO has published guidance