Covid-19 – Key Data Protection issues facing businesses

This note is part of a series that the lawyers of Reddy Charlton will issue on the major legal, personal and business issues that will confront us all during the COVID-19 crisis.

The Covid-19 pandemic continues to cause many difficulties to businesses in Ireland who are trying to navigate through these strange times. While businesses are facing many challenges, it is important that they do not become complacent in relation to data protection compliance. Businesses will need to balance their obligations to protect the health and wellbeing of employees with their obligations to continue to protect personal data. Data protection regulators will be monitoring the change of business operations and the manner in which businesses ensure the relevant protocols are being adhered to.

In this article Reddy Charlton seeks to outline the most prevalent Covid-19 data protection issues currently being faced by employers.

Measures to be implemented when working from home

As many businesses will now have more employees working from home on a more consistent basis, employers need to review the security measures in place in respect of these new work places. These measures may include reviewing the antivirus software to ensure it is updated, updating passwords regularly, and requiring that employees lock screens and store away any documents containing personal data safely at the end of each day. Some employers may prohibit printing of business documents outside of the office.

The challenge of course is trying to monitor and enforce such rules when the employer has no visibility of the individual work spaces. Accordingly, it is important for employers to ensure that they have clear policies setting out these obligations which are communicated regularly to employees to reinforce the message.

Of course we all know that the weakest link in the cyber security attacks on business, which are often designed to target and steal personal data held by businesses, is human error. Therefore, again there should be clear policies in place and regular reminders for staff in relation to sharing bank accounts, opening email attachments etc.

Given the new situation in which many businesses find themselves, it important that policies are reviewed and updated to take account of the change in circumstances as required. As many employees will not be in their usual environment or working under normal conditions, it is easy for them to forget the normal protocol unless they are reminded.

Covid-19 and employee confidentiality

Employers need to exercise caution in disclosing information about staff members who may have confirmed or suspected case of Covid-19. The employer must of course take such action as is required to protect the health and wellbeing of other employees. Therefore, it may be necessary to inform other employees of the situation, particularly those who have been in contact with the ill employee. However, consider whether all employees need to know. They may all need to be informed of the case but not necessarily the identity of the employees in question. The identity and health status of employee should only be disclosed where deemed necessary.

Employers are entitled to ask their employees to detail their illness on medical certificates as this may be used to protect against serious threats to public health within the workplace.

Where an employer is acting in accordance with the guidance of the HSE or other governmental agency in this regard, the Data Protection Commission has confirmed that the basis of processing data in the context of the current pandemic will likely fall under the scope of provisions of the data protection legislation which provide that is it ‘necessary for reasons of public interest in the area of public health’.

Businesses are advised to approach this topic sensitively and if personal data is to be disclosed, it should be conducted by way of protected communication with the necessary safeguards in place.

Data Processing and Covid-19

Businesses should ensure they are operating a transparent system in relation to Covid-19 data processing. Where any business practices have changed the manner in which personal data is processed by the business, it is recommended that current privacy notices/policies are reviewed and updated to include details on how data collection will be managed and processed in relation to the ongoing pandemic. Data subjects will need to be informed as to what data is being collected and how it is being used or shared as the case may be.

The obligations introduced by GDPR and the Data Protection Act 2018 have not changed or been waived in any way due to the current crisis. Therefore businesses must ensure appropriate safeguards and security measures remain in place to protect the data subjects affected. So if you have had to change the manner in which you do business, you need to ensure that your data protection policies and procedure reflect those changes.

Any decisions or changes adopted by an employer, as a reaction to the Covid-19 crisis, should be documented. These decisions impact the data ordinarily processed by the employer and therefore they will need to show that these decisions were indeed warranted and proportionate.

Subject Access Requests

The legal obligations around subject access requests have not changed with Covid-19. However, complying with those obligations in many cases has become more difficult as business are operating remotely or on skeleton staff or businesses involved in front line essential services may be over burdened. The Data Protection Commissioner has issued some guidance for both the data subject and the person from whom the data is requested.

She has asked that those making requests to bear the current difficulties in mind when making requests and to expect some delays on compliance with time lines. Furthermore, to assist those responding to requests, she has also advised that data subjects should make their requests as specific as possible.

For those trying to respond to a request, she has confirmed that the normal obligations continue to apply but notes the unprecedented challenges being faced with businesses. Therefore, she advises that where a business is likely to be in difficulty complying with the legislative timelines, it is important to communicate with the requester to ensure that they are kept fully informed of any difficulties, delays and likely timelines. One suggestion is dealing with a request in stages so that as categories of data or engaging with the requester to further refine the request criteria.

Where an organisation will be unable to comply with its requirements, the reasons why and the measures taken should be documented.

How can Reddy Charlton help?

During this Covid-19 crisis, Reddy Charlton Solicitors are eager to support, encourage and guide your business. If you have any queries or seek further information on the above data protection issues faced by businesses or any other area of commercial law, please contact emcgrath@reddycharlton.ie