Shared & Halved – IHL series: Key global privacy issues of COVID-19

As part of our series of webinars to support in-house lawyers during the current pandemic, on 15 May 2020 we hosted a webinar focusing on what businesses should be thinking about from a global privacy perspective.

Introduction

The IHL series of our COVID-19 webinar programme covers bite-size topics designed for a half hour coffee break and focuses on practical tips for in-house lawyers.

This session focused on what businesses should be thinking about from a global privacy perspective. The key takeaway points are set out below:

Data protection generally:

• Even with COVID-19, don’t forget the core data protection principles. They are still the same, with the odd nuance
• The situation is evolving day by day, stay alert to changes!
• A lot of this is common sense but always step back and remind yourself of the core principles
• The UK data protection authority, the ICO, has said it will be a pragmatic and empathetic regulator during the crisis, focusing on the greatest threats. Of course, this doesn’t mean that businesses can sit back and relax, but they can take some comfort in the flexible approach
• The approach of other European regulators is not the same as the UK. They are not all as flexible in the current climate

Homeworking generally:

• At the start, businesses were in survival mode, reaching out and making connections in any way possible. However, now that processes have become more entrenched and routine, it’s prudent to make sure all those working from home are compliant

Do you have any practical tips?

• Use robust passwords
• Update your hardware
• Put anti-virus and malware software in placePrint less and shred where you can (or wait to shred at the office)
• Keep conversations confidential: be wary of other family members or, if in the garden, your neighbours!
• Lock your papers away if possible
• Be wary of phishing emails
• Use passwords for attachments to emails
• Where possible, make sure employees only use company equipment and devices and access is enabled via VPN
• Move to online calls (instead of calls via employees’ own phones)
• When video conferencing, have meeting IDs and passwords and don’t make IDs visible to others
• If you use personal devices, store all data onto cloud platforms such as Office 365 (accessible only through username and password) and limit rights to read, write and edit, with only key employees having full access rights
• Install software to enable remote wiping or disabling/ killing of company devices
• Check the costs of getting additional licences for:
  • audio/ video platforms
  • purchase of cloud storage
  • purchase of online phone call software
  • anti-virus and malware software
  • the cost of creating online homeworking training video
• perform network, software and maintenance updates regularly

Are data breaches more likely?

• Working remotely increases the risk of data breaches. Phishing emails have also increased:
  • check that current policies and procedures are still fit for purpose. Do the timelines still work?
  • are all the staff set out in the above still active in the business?
  • do staff need to be reminded again of what amounts to a personal data breach and what to do, who to contact and by when? (i.e. training)

What should in-house lawyers be wary of using video-conferencing?

• You should be wary of cybersecurity risks.  There have been security issues and undisclosed data sharing in many third party platforms
  • what’s on the shelves behind you?
  • where is the platform located? (EU? US?)
  • check the platform’s terms and conditions—most try to exclude liability
  • laws such as the GDPR and PECR may apply to these platforms so, if there is a breach, there are strict reporting requirements. The GDPR also brings the possibility of claims
  • remember that a data breach might not be the provider’s fault. Employees and businesses need to be aware of the part they may play
  • always use meeting IDs and passwords
  • make sure you have the most up to date anti-virus and malware protection in place
  • don’t show the meeting ID in public
  • employees may bring claims against the business (who will typically be the data controller)

What about employees and health data?

• Generally, there are no legal reporting requirements for employers about COVID-19 virus cases: it is a balancing act between providing information in the public interest and protecting individual’s rights by not collecting or providing more information than is necessary
• There are exceptions in certain countries, however, where businesses need to provide this information
• Health data is a special category of personal data because of its sensitivity. Keep it confidential and disclose it only on a need-to-know basis (and typically only to certain people in HR, nit the whole HR team)

What about medical checks on employees?

• The GDPR does allow this sort of personal data to be processed, although you need to take great care when doing so as each country has a nuanced take on this. There can be a whole host of issues that arise
• In some countries you will need to involve work councils

What about tracking employees?

• Again, each country has a nuanced take on this. Broadly speaking in the UK and EU you can’t monitor employees. The US has a more laissez-faire approach
• In the UK and EU you need to complete a data protection impact assessment (DPIA) to justify this

What is going on with contact-tracing apps?

• The situation is changing daily
• In the UK the NHS app is voluntary. Issues that have arisen with it include:
  • the lack of a clear retention period
  • the fact that DSARs might not be possible
  • there’s no opt in or opt out for third-party trackers
  • the data may be stored outside of the UK
  • it is currently a centralised app, with privacy and security implications around that fact
• The EU has just released interoperability guidelines to make sure that apps can operate on a cross-border basis, all being well
• The main issue with apps is public trust

Can I use employees personal contact details?

• Broadly-speaking: yes, but only where you need to. Go back to the core data protection principles to make sure that you can justify this
• Don’t forget that not everyone will have, e.g., mobile phones

What is the approach of the regulators at the moment?

• The ICO (as mentioned) is taking a pragmatic approach. They are unlikely to take a robust approach if you can justify why you haven’t reported a data breach within 72 hours or dealt with a DSAR within a month. Do your best!
• Fines are likely not to be crippling for businesses. We are still awaiting the British Airways and Marriott fines
• It is a ‘mixed bag’ in the EU: some other data protection authorities who weren’t particularly flexible in the past are now more pragmatic. Conversely and confusingly, some that were flexible in the past have become less pragmatic
• For businesses who operate across the UK and EU, taking a global approach can be done but it is not without its challenges and nuances. Some countries are riskier than others