Since the UK has been in Covid-19 lockdown, much economic activity in the UK and across the world has come to a near-complete halt. The day-to-day lives of the country’s workforce have changed completely. However, data transfers have continued unabated, even accelerated, with new risks associated with data policies and procedures, data privacy and data handling, compliance and governance impacting employees.
Employees working from home need to distinguish between their personal data, which is unconnected to work, and the data used for professional purposes, even where the data is used and stored on the same devices. There are different consequences where data is misused, or lost accidentally or through fraud, hacking or any other form of data theft.
Downloading data from a remote cloud-based system connected to the workplace or through vulnerable/public wi-fi platforms brings extra risk. Even though the ICO has expressed a certain understanding regarding data handling under lockdown conditions, it still expects businesses to maintain certain demanding standards regarding data privacy.
From the employer’s perspective, it is even more important to maintain remote forensic checks on data handling and privacy now that the workforce is working remotely and connecting through a range of devices and platforms. The security perimeter around any firm’s network has extended, and staff working from home have increased cyber-security risk by presenting more vulnerable end-point users.
The increased and often novel use of video conferencing systems, such as Zoom, Microsoft Teams or Skype, requires employers to consider the “transparency” of these systems, namely how company data is used when setting them up, what is discussed in the course of virtual meetings, and the recording of those meetings.
Businesses need to review their systems’ privacy settings, passwords and video conferencing IDs to ensure online security, and to be alert to any phishing and to whether unwanted third parties have gained access. There is also the need to ensure that the systems in place fit with the organisation’s data handling policy. Finally, employees and employers have to make sure that all software is up-to-date and has a form of anti-virus / anti-malware cybersecurity protection.
It is important to consider whether any relevant personal data is being stored on an employee’s home system, and to provide for its deletion at the appropriate time when its storage is no longer required.
Separately, the development of mobile applications tracking the spread of the virus and the user’s human contacts raises new issues regarding data privacy. Concerns have been highlighted regarding the need for these apps to have privacy features built into the technological process so as to meet data protection by design and by default.
App developers need to consider how Privacy Impact Assessments will be conducted by entities operating these apps. Furthermore, entities that will process the data from these applications will have to consider how the collection of data is necessary and proportionate, and can be stored securely and in accordance with GDPR in order to find the least intrusive solution.
Under the current circumstances, the ICO has taken the view that it will regulate a privacy policy associated with such apps that reflects conditions in society now and, therefore, accept certain restrictions on liberty to protect public health. This balancing of the erosion of certain fundamental human rights, including personal data, is a new and complex area. From a regulatory standpoint, these applications have to be able to assure the public and the ICO not only that they are proportionate, but also that there is sufficient accountability in their governance so that transparency in processing can be ascertained. The ICO expects that data will be stored on the device where possible rather than being transferred to a central source.
The final and key point about these mobile tracking applications will be to determine when processing of such a large quantity of data is no longer necessary and/or legally required, which will probably be determined by the UK Public Health authorities and by the Government.
In these extraordinary times, data handling and privacy are applied through a different prism. However, this does not mean that data protection regulations are set aside, lessened or, in any way, forgotten. It is still vital for employees, employers, businesses and data users and processors to uphold the best practices around data protection. It is vital that, in these rapidly changing times, the general public can be confident that their own personal data is safe and secure.
W Legal can help with answering your questions on suitable policies and procedures. If you or your staff encounter problems or data losses, please contact us and we can advise.
If you have any queries, please contact Raphael Uribe at raphael.uribe@wlegal.co.uk or David Ellis at david.ellis@wlegal.co.uk.