Protecting data in a coronavirus world
Working from home
Whilst you might have had to react quickly to the lockdown and implement working from home for most of the workforce, if this is now business as usual you need to make sure the right data protection routines are in place for a remote workforce. All staff working remotely, whether temporarily or permanently, need clear data protection policies covering how corporate data is accessed remotely, how it is stored securely and how it is disposed of when no longer needed. Staff should be reminded that the password rules they follow in the office still apply at home: unique, strong passwords for every account (a password manager makes this practical), never reused between work and personal services.
Employee equipment. Some businesses had to ask staff to use their personal equipment because they were unable to supply adequate IT centrally. If this approach has continued and personal equipment is being used to access company systems, at the very least you need to consider:
- multi-factor authentication (at minimum a second factor in addition to the password) for everyone accessing company systems remotely
- that company data on the device must be kept separate from the employee's own data and must not be copied into personal storage (personal cloud or email accounts, for example) or onto other personal devices that the business is not aware of
- that the IT team knows which employees are using their own devices to access company systems, so they can assess the risk and plan accordingly.
If the company was able to issue equipment to everybody, has data loss prevention technology been installed to detect and block company data being copied off the device? Bear in mind that DLP reduces the risk rather than removing it. If it wasn't possible to provide remote access or equipment, you face a different challenge: corporate data will almost certainly have been saved onto personal machines, where it could be lost, corrupted or inadvertently or deliberately shared with family members who are not employees, or even with others outside the home. Company data shared through personal email accounts is especially exposed: those accounts sit outside the company's authentication, logging and retention controls, so a compromised personal account hands the data to an attacker and the business has no way to recall it.
Pro advice. Make sure staff know that company data should not be stored on USB sticks or other removable media (and never on unencrypted ones), and that it is their responsibility to keep personal data secure.
Pro advice. If the worst happens, make sure that all staff working remotely know how to report a data breach promptly, so that the business can act swiftly on its data protection responsibilities. Under the GDPR a notifiable breach must be reported to the ICO within 72 hours of the business becoming aware of it, so a delay in a home worker reporting it eats directly into that window.
Of course, there will be a lot more email traffic with home working, so it's worth reminding people of the basic rules and putting IT routines in place if you haven't already. There has been a huge increase in phishing attacks. A common follow-on to a compromised mailbox is a hidden rule that silently forwards or redirects incoming mail to an external address, so make sure you have blocked users from creating mailbox rules that forward to external addresses, or at least that you can detect when such rules are created or used.
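As an added illustration of the detection side of that advice (this is example code written for this page, not something from the original article or from any particular mail vendor), the script below reviews an export of users' mailbox rules and flags any that forward to an address outside the organisation. The record fields, the company domains and the sample rules are all constructed for the example; a real export from your mail platform will need mapping onto them. The check is deliberately strict: it compares the recipient's domain exactly against the company's domains, so look-alike domains that merely start with a company domain are still flagged, and it also marks rules with empty or dot-only names, a pattern attackers often use to hide a rule in the user's rule list.

```python
"""Flag mailbox rules that auto-forward to addresses outside the organisation.

Constructed example: the record layout below ("mailbox", "name", "forward_to",
"enabled") is assumed for this page, not any vendor's export schema.
"""
import re

# Assumed company domains; replace with your own.
ORG_DOMAINS = {"example.co.uk", "example.com"}

# Constructed sample export: one dict per mailbox rule.
SAMPLE_RULES = [
    {"mailbox": "alice@example.co.uk", "name": "Archive HR",
     "forward_to": ["hr-archive@example.co.uk"], "enabled": True},
    # Compromised-mailbox pattern: dot-only name, forwards to a personal account.
    {"mailbox": "bob@example.co.uk", "name": ".",
     "forward_to": ["Bob Home <bob.smith99@gmail.com>"], "enabled": True},
    # Internal target with different letter case: must not be flagged.
    {"mailbox": "carol@example.co.uk", "name": "Invoices",
     "forward_to": ["finance@EXAMPLE.com"], "enabled": True},
    # Disabled rule: skipped by default, reported if include_disabled=True.
    {"mailbox": "dave@example.co.uk", "name": "Old",
     "forward_to": ["dave@outlook.com"], "enabled": False},
    # Look-alike domain that merely starts with a company domain: external.
    {"mailbox": "erin@example.co.uk", "name": "Partner",
     "forward_to": ["ops@example.co.uk.evil.net"], "enabled": True},
]

_ANGLE_ADDR_RE = re.compile(r"<([^>]+)>")


def extract_address(recipient: str) -> str:
    """Return the bare, lower-cased address from 'Display Name <addr>' or 'addr'."""
    match = _ANGLE_ADDR_RE.search(recipient)
    address = match.group(1) if match else recipient
    return address.strip().lower()


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True unless the address's domain exactly matches an organisation domain.

    Exact matching means 'example.co.uk.evil.net' is external even though it
    begins with a company domain. Malformed addresses are treated as external
    so that they get reviewed rather than silently passed.
    """
    if "@" not in address:
        return True
    domain = address.rsplit("@", 1)[1].lower()
    return domain not in {d.lower() for d in org_domains}


def find_external_forwarding(rules, org_domains=ORG_DOMAINS, include_disabled=False):
    """Return one finding per rule that forwards to at least one external address."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True) and not include_disabled:
            continue
        targets = (extract_address(r) for r in rule.get("forward_to", []))
        external = [t for t in targets if is_external(t, org_domains)]
        if external:
            findings.append({
                "mailbox": rule["mailbox"],
                "rule": rule["name"],
                "external_targets": external,
                # Heuristic: names consisting only of dots/spaces are a common hiding trick.
                "suspicious_name": rule["name"].strip(" .") == "",
            })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        flag = " (suspicious rule name)" if f["suspicious_name"] else ""
        print(f"{f['mailbox']}: rule {f['rule']!r} forwards to {f['external_targets']}{flag}")
```

Run against the constructed sample, the report lists Bob's dot-named rule forwarding to a Gmail address and Erin's rule forwarding to the look-alike domain, while Carol's mixed-case internal address and Dave's disabled rule are left alone. Treat any hit as a prompt to confirm with the mailbox owner and to check sign-in logs for that account.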
Businesses that have moved to cloud storage are in a much stronger position to let users access data away from the office on any device, as it avoids staff having to use their own personal storage. But, of course, access to the cloud storage itself also needs to be controlled, through strong authentication (ideally multi-factor) and properly scoped access rights. Consider who genuinely needs full access: not just who needs to read the data, but who also needs to be able to amend or delete it.
Pro advice. If it hasn’t already been done, now is the time to review security profiles to ensure the correct personnel and levels of access are in place.
The move to video conferencing software has been a vital part of doing business and keeping in touch, so what are the data protection issues to consider?
- controlling access to meetings via passwords (and waiting rooms where available) and restricting who can issue and share meeting passwords
- what controls are there over who can share their screen?
- are you aware of all the attendees you're expecting? Malicious participants can spread phishing messages through the meeting chat, so make sure staff don't click on any links or attachments they were not expecting, or that come from people they don't recognise.
Pro advice. It may be that you started to use conferencing software in a hurry without checking whether the selected option meets with your corporate IT policies, so do make sure everyone knows what your team is using and is comfortable with it.
Pro advice. Document some housekeeping rules about video conferencing and make sure these are shared with participants ahead of any meetings being organised.
Whilst you want to keep your workforce and workplace safe, COVID-19 testing involves health data, which is "special category" data under the GDPR and the Data Protection Act 2018 and so must be even more carefully protected. It's worth carrying out a data protection impact assessment (see Follow up). This will allow you to consider whether you are handling the data lawfully, fairly and transparently, which are key data protection principles. Will what you're doing help provide a safe working environment? Could you achieve the same result without collecting any personal data, and particularly without collecting health information? For example, you might decide after the impact assessment that only certain high-risk roles require testing and that only certain people within the organisation will have access to the results. The lawful basis for a private sector employer is likely to be "legitimate interests", whereas for the public sector "public task" is likely to apply; note that because health data is special category data you will also need to identify a separate condition for processing it under Article 9 of the GDPR.
Pro advice. To meet the “transparency” data protection principle tell employees how you will collect their data, what you’ll be using it for and how long you will keep it.
Whilst the news has been full of stories about people losing their jobs, it's good to know that some have also been changing jobs, but that can mean joining the organisation as a remote worker. This will be new to most organisations, so onboarding routines need to be thought through rather than skipped. That means communicating data protection policies and delivering training just as you would if somebody were physically new to the workplace.
New employees need to be told how the organisation processes their data and where they can find this on your website or intranet.
Collecting customer data
You've got used to being asked to provide your data in pubs and restaurants, but what should your organisation be thinking about in respect of this data? The same principles apply: whilst it's lawful to collect this personal data, you need to be clear with customers why you're collecting it, and you should only collect what you need in order to contact them should any coronavirus risks be identified after their visit.
Make it clear what the data collection is for - the NHS Test and Trace scheme in England, for example.
Each part of the United Kingdom has different collection schemes, so make sure if you are a nationwide business that you’re following the appropriate rules for the country you’re operating in.