Whilst it was comforting to hear from the UK’s data protection regulator, the Information Commissioner’s Office (ICO), a few weeks ago, confirming that regulators will be adopting a flexible, common-sense approach to data protection compliance during this challenging period of COVID-19 disruption, the ICO stressed that the pandemic was, nevertheless, not an excuse for non-compliance. For example, genuine delays in responding to breaches or data protection rights requests due to reduced workforces and/or resources will be a mitigating factor, but taking advantage of the current situation will not be well-received by regulators.
Now several weeks into the COVID-19 lockdown, as organisations continue to adjust their practices to cope with the new measures, it is an opportune time to remind organisations to be mindful of their data protection compliance.
We have picked out some key points we think you should be aware of during these extraordinary times:
- Security – whilst many organisations facilitated working from home before this crisis started, this was on a largely individual, often ad-hoc basis – entire workforces operating from home is an unprecedented situation. With this in mind, it is vital that organisations check the robustness of their remote working systems – it is much safer for staff to work on normal workplace servers and systems through a virtual private network etc. rather than storing files locally on their computers. Organisations should stress their security guidelines and where possible ask staff to complete information security training as a refresher.
Points that should be emphasised include:
- work-related data should not be saved on personal devices;
- work emails should not be forwarded to personal email addresses;
- any information pertaining to individuals (including paper files) should be stored as securely as it would be in an office;
- calls where confidential/sensitive information is likely to be discussed should be held in as private a place as possible; and
- where people have printed work materials or have hard copies, these should either be taken into the office once the lockdown ends, or securely shredded/destroyed.
Data breaches are the number one way of coming to the attention of data protection regulators and the world at large – definitely the wrong kind of publicity. Whilst they can occur at any time, there is a heightened risk as individuals acclimatise to working away from a secure office environment or otherwise adjust to working around home distractions. Regulators, for all their promises of flexibility, are unlikely to look favourably on organisations that do not have the requisite policies in place or have insufficiently informed their staff of their data protection obligations.
- Only process data that is ‘necessary’ – this is a well-established data protection principle which is no less true during this pandemic. Organisations are expressly allowed to collect data for the purposes of tracking or reporting on COVID-19 infections, but this data should be proportionate and only shared to the extent it is necessary. COVID-19 related data is of course linked to an individual’s health and as such is considered special category data (i.e. inherently sensitive) under the EU/UK data protection regimes – it should therefore be stored with the appropriate security required for this type of information.
As a working example, it may be necessary to update your workforce if any of your staff report COVID-19-like symptoms, but in such a scenario, there would be no need to share the person’s name.
- Sharing information with public authorities – it may also be necessary during this period for organisations to share health information with public authorities. Data protection laws expressly allow for this under the public health exemption (allowing authorities to request data to assist their response to public health crises), although (as above) only necessary information should be shared. In practice, this means any data provided (such as self-reported COVID-19 infections) should, where possible, be aggregated and anonymised before being sent.
- Using home addresses – there may be scenarios in which organisations need to or would like to send information/items to their customers/clients at their home addresses. One example that landed on our desks at KWM recently was an organisation that wanted to send webinar materials/small gifts to its clients in this time of crisis. It is perfectly legitimate to do this as long as individuals have the choice as to whether or not to provide their home address. It is advisable however to mention that it is not the organisation’s usual practice to collect home addresses, but that it is doing so because of the COVID-19 pandemic.
The usual rules should also apply regarding access and storage: access to the information should be limited to a strictly need-to-know basis – be cautious of entering home addresses into marketing databases, especially if they are not access-controlled by jurisdiction etc., and do not retain this information once the pandemic is over unless you seek further permission to retain it. Retention beyond this point would arguably be longer than is necessary for the COVID-19-related purpose for which it was collected.
- Corporate transactions involving distressed assets – it is an immutable fact that a time of crisis for some is a time of opportunity for others. The financial impacts of COVID-19 are likely to present some organisations with openings to purchase distressed assets/companies. A health warning of our own from a data protection viewpoint: conduct your due diligence carefully. In 2019, the UK’s ICO announced its intention to fine the Marriott hotel chain £99.2 million for a data breach involving the details of 339 million hotel guests. Why is that relevant here? Marriott had acquired a struggling business (Starwood) in 2016, in doing so inheriting Starwood’s IT systems, which had already been compromised by hackers as early as 2014 (the breach was not discovered until 2018). In its finding, the ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.
This serves as a timely reminder that the purchasing organisation will be liable for any data breaches caused by insufficient data security on the part of the company it is acquiring, unless, of course, it protects itself accordingly. To that end, it is not only thorough due diligence that is important, but also consideration of the wider risk allocation, with appropriate warranties and clawback provisions inserted into share purchase/asset sale agreements as applicable. Having completed the requisite due diligence during the acquisition process, conducting a data protection audit immediately after the acquisition would be another way of mitigating this risk and maximising the purchaser protections negotiated during the acquisition process.