Following our article of 16 March (Key tips to stay compliant), and with many employees now working from home, we set out below a data protection checklist for multinationals to consider in order to minimise risk during the lockdown period.
1. Data breaches when working from home
Have you reminded your employees of the need to maintain high data protection standards whilst working from home and of the importance of reporting any data breach immediately? You should review your usual escalation processes for data breaches and, if necessary, adapt them to a remote workforce. Bear in mind that the 72-hour deadline under Article 33 of the GDPR for notifying the supervisory authority of a reportable breach runs from the moment you become aware of it, so internal reporting needs to be fast and the route to the responsible team needs to be clear. If you don’t have a procedure for this, adopt one as soon as possible.
With more employees working from home, the risk of data breaches is increasing. People work more informally or with different working patterns, and they can easily be distracted by family members, the TV or social media. This can result in emails being sent in error or with the wrong attachments, or in other members of the household, or participants in open meetings, inadvertently seeing information. There has also been a huge increase in cyberattacks, ranging from phishing emails to full system takeovers.
2. New working environments
Review whether your security measures are still appropriate in light of any changes in working environments, and remind employees about confidentiality. New working environments and changes in the use of technology could see video calls capturing information unexpectedly, conversations being overheard, screens being looked at and virtual meetings being joined by uninvited participants. This may mean personal or confidential information is inadvertently shared with people outside the business.
Employees need to be reminded to maintain confidentiality and to comply with security measures in their new working environment. Such measures could include encouraging employees to update passwords, reminding them to lock their screens when stepping away, considering the use of shredders, and taking steps to lock hard copy documents away.
3. Use of personal devices
Flexibility on the use of personal devices needs extra thought. What security is needed? At a minimum, consider whether a personal device used for work must be encrypted, kept patched, protected by a strong passcode, and allowed to access work data only through a company-controlled application or account that can be remotely wiped if the device is lost. It has also been proposed that employees be asked to turn off Alexa (or similar voice assistants) whilst discussing confidential or business-sensitive matters, because such devices are always listening for their wake word and are reported to be capable of recording without the user realising.
4. Sickness reporting
There are no legal reporting requirements for employers about COVID-19 cases, but there may be a balancing act between providing information in the public interest and protecting individuals’ rights by not collecting or providing more information than is necessary. Ensure that processes for reporting are managed officially and confidentially by HR. Policies should be updated to cover self-isolation, quarantine and lockdown measures.
5. Medical checks, testing and tracking
Organisations need to exercise care when collecting, using and disseminating COVID-19 related information across the business. A combination of information that an employer releases and information obtained by other means could mean that individuals are identified as having coronavirus, or that other sensitive information, such as their underlying health conditions, is revealed.
The data protection authorities across Europe have expressed different views about collecting and processing COVID-19 related information. The French and Danish authorities have stressed that only limited data collection and processing is possible.
The Dutch watchdog warned that "as an employer you almost never have the right to register the medical data of your employees yourself." The French authority has said employers cannot require employees to do daily body temperature checks, while the Irish authority has said businesses should prove “strong justification…based on necessity and proportionality and on an assessment of risk” if they send employees questionnaires about their health or personal travel.
In Luxembourg, the authority has warned employers not to require employees to give them a daily update of their body temperature or to fill out medical sheets or questionnaires. We are tracking the regulators’ position globally on this (and other issues).
Tracking of individuals in various countries has led to significant discrimination, and employers should be very wary of using work equipment, such as phones, to track employees without a legal obligation to do so (see employee monitoring below).
In relation to temperature checks, there has been some debate as to whether such checks are effective; if they are not, they cannot be relied upon to assess whether someone has the virus. If you are undertaking checks, or testing if it becomes available, you also need to consider the duty of care you will have to the employee carrying out the checks or tests, and what protective measures and/or training are required.
6. Employee monitoring
Monitoring your employees whilst they are working from home needs to be considered carefully. Home IP addresses will be considered personal data, so it is difficult to monitor employees on a genuinely anonymised basis. You should undertake a data protection impact assessment (DPIA) to help you identify any data protection risks arising from monitoring employees at home.
There are now numerous instances of governments around the world turning to technology to track people to help prevent the spread of the virus. But there are also concerns that privacy standards would need to be loosened to protect against serious threats to public health.
In South Korea, the government is informing people about the locations of infected individuals. In China, people are required to download apps that score them based on their contagion risk and also share information with the police. Russia is using facial recognition to track whether people are complying with quarantine rules. As the outbreak continues to worsen, pressure to use such techniques in Europe will grow and challenge the data protection principles under the GDPR.
This area is fast-developing, but at the time of writing regulators are showing positive support for governments or public bodies using mobile phone data obtained directly from mobile network operators to track and monitor behaviour. This is unlikely to be justifiable for an employer. In the UK, the ICO stated over the weekend that tracking of mobile phone data is allowed, but only if the data is anonymised and aggregated.
Multiple websites are being created to encourage tracking of symptoms by individuals directly. Guidance reminding employees of behaviour on social media that may impact the business will need to be updated to reflect this growing trend.
7. Use of employee personal contact details
You may need to think about using personal contact details of employees (such as personal mobile numbers) beyond your usual requirements, for example, in order to keep employees informed about workplace opening arrangements. You should consider whether you have a legal basis under Article 6 of the GDPR for processing of this data. It would also be advisable to check your workforce privacy notice as this should refer to the possible uses of personal contact information for employees.
8. Privacy notices
You will probably be collecting health data on employees or visitors in response to the pandemic beyond what is currently covered by your privacy notices. You may also be using new technologies that aren’t covered in your privacy notices, such as Zoom, Webex and Microsoft Teams. Businesses should consider issuing a specific privacy notice in relation to data collected in response to the COVID-19 crisis, or updating their current notices. You will also need to consider how you will communicate this privacy notice to the individuals concerned and how long you will keep the data for.
9. Updating records
You are required under the GDPR to hold records of your processing activities. You should check these records to see whether they cover the COVID-19 pandemic and update them accordingly so that they specify the condition for processing relied upon (including the Article 9 condition relied upon for special category data such as health data) and the retention period for such records.
You should also consider undertaking a DPIA, particularly as the processing involves employees and special category data. This will allow you to consider compliance risks and any risks to the rights of individuals, and help you identify and minimise those risks. Where the processing is likely to result in a high risk to individuals, a DPIA is mandatory under Article 35 of the GDPR, and for larger businesses this is likely to be the case. Even if it isn’t mandatory, it is probably still a good idea to do one.
10. Communicating with customers
It is understandable that businesses will want to keep in touch with their customers during this time. However, to avoid any potential complaints, you should be careful about sending marketing information along with COVID-19 updates in your communications with customers.
Direct marketing is strictly regulated in many jurisdictions, so it is vital to consider whether a communication is transactional or promotional. It may be reasonable to contact all customers to let them know that your business has closed or has different trading hours, but when that email or telephone call also includes an advertisement or promotional offer, it may go beyond what certain customers would expect to receive from that business. Retaining customer confidence will be critical during these uncertain times.
11. Sharing of personal data
As a result of the pandemic, you may now be sharing personal data with new service providers or other vendors, or sharing new categories of personal data with existing providers. You should still undertake appropriate due diligence before sharing such personal data and check that appropriate security measures are in place. If service providers are processing personal data on your behalf, you will need to ensure that there is an appropriate contract in place containing the provisions prescribed by Article 28 of the GDPR.
You should also consider whether any personal data is going to be transferred to entities outside the European Economic Area and whether additional safeguards, such as standard contractual clauses, are required in order to transfer the data lawfully.