Coronavirus (COVID-19) - What companies must consider with regard to data protection
In light of the COVID-19 outbreak, employers have had to adopt a number of measures to prevent and/or contain COVID-19 while adjusting their working procedures to the new realities we are currently facing. Such measures and procedures may involve extensive collection and processing of personal data, and in particular of health data. Accordingly, ensuring that every new or modified procedure is in line with the data protection regime is an integral part of both corporate and state responses.
With the spread of COVID-19, companies have been forced to collect and process personal data extensively in order to protect their employees and clients. These measures involve the processing of personal data, including special categories of data such as health data (for example, health examinations and reported symptoms), together with travel-history information and the tracing of personal contacts. Such data may be collected via questionnaires, health checks or personal feedback, and may relate to employees or contractors and their relatives, as well as to visitors and/or clients.
Furthermore, compliance with governmental measures and new local legislative measures may force companies to adopt new procedures in order to meet their newly imposed obligations. Finally, the new working arrangements adopted by many companies, such as "work-from-home" policies, may also require new procedures for the processing of the personal data of employees and clients.
It is important that the employer takes all necessary action to safeguard the secure and lawful processing of any personal data for the above purposes. In particular, data subjects must receive transparent information on the processing activities being carried out and their main features, including the purposes of the processing and the retention period for the collected data. This information should be easily accessible and written in clear and plain language.
Furthermore, it is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. The measures implemented to manage the current emergency, and the decision-making process behind them, should be appropriately documented so that the organisation can later demonstrate why each measure was necessary and proportionate.
Working remotely – Practical Advice
- Take extra care that devices such as USB drives, phones, laptops or tablets are not lost or misplaced.
- Make sure that every device has the necessary updates installed, such as operating system updates (iOS, Android, Windows, macOS) and software/antivirus updates.
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
- Lock your device if you do have to leave it unattended for any reason.
- Make sure your devices are turned off, locked, or stored carefully when not in use.
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
- When a device is lost or stolen, take steps immediately to trigger a remote wipe where possible, and report the loss to your organisation so that it can assess whether a personal data breach has occurred.
- Follow any applicable policies in your organisation around the use of email.
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email, make sure the contents and attachments are encrypted, share the passphrase through a separate channel (for example, by phone rather than in the same email), and avoid putting personal or confidential data in subject lines.
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
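The advice above to encrypt attachments before they travel over a channel the organisation does not control is easy to state and easy to get wrong. The following is an added example, not code from the original page, showing one way to do it with the OpenSSL command-line tool (assumed to be version 1.1.1 or later, for `-pbkdf2`). The function names, the `ATTACHMENT_PASSPHRASE` variable and the sample CSV record are this example's own constructions; the passphrase is taken from the environment rather than the command line so that it does not show up in the process list or in shell history.

```sh
#!/bin/sh
# Added example (not from the original page): passphrase-encrypt an attachment
# before sending it over personal email, and verify that it decrypts correctly.
# Assumes openssl >= 1.1.1 on PATH. The passphrase is read from the environment
# variable ATTACHMENT_PASSPHRASE (an assumed name) via "-pass env:", never from
# the command line.

# encrypt_attachment PLAINTEXT_FILE CIPHERTEXT_FILE
# AES-256-CBC with a random salt and a PBKDF2-derived key (600k iterations).
encrypt_attachment() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass env:ATTACHMENT_PASSPHRASE
}

# decrypt_attachment CIPHERTEXT_FILE PLAINTEXT_FILE
# Must use the same KDF parameters as encrypt_attachment.
decrypt_attachment() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:ATTACHMENT_PASSPHRASE
}

# roundtrip_check WORKDIR
# Writes a constructed sample symptom report, encrypts it, decrypts it and
# checks (a) the round trip is lossless and (b) the ciphertext does not leak the
# plaintext. Prints "ok" on success; returns 1 on any failure.
roundtrip_check() {
  dir="$1"
  plain="$dir/symptom_report.csv"
  enc="$dir/symptom_report.csv.enc"
  back="$dir/symptom_report.decrypted.csv"

  # Constructed sample data: the kind of record this page is about.
  printf 'employee_id,symptom_reported,date\n1042,fever,2020-03-20\n' > "$plain"

  # Passphrase would normally be typed or generated; fixed here for the demo.
  ATTACHMENT_PASSPHRASE='correct horse battery staple'
  export ATTACHMENT_PASSPHRASE

  encrypt_attachment "$plain" "$enc" || return 1
  decrypt_attachment "$enc" "$back" || return 1
  unset ATTACHMENT_PASSPHRASE

  # Round trip must be byte-for-byte identical.
  cmp -s "$plain" "$back" || return 1
  # The ciphertext must not contain the plaintext field values.
  if grep -aq 'fever' "$enc"; then return 1; fi

  echo ok
  return 0
}

# Usage (outside the functions, so the file can also be sourced):
#   tmp=$(mktemp -d); roundtrip_check "$tmp"; rm -rf "$tmp"
```

A wrong passphrase on decryption makes `openssl` exit non-zero rather than silently producing garbage, which is why the functions' exit codes are checked. Note that CBC mode gives confidentiality only; if the recipient must also be able to detect tampering in transit, a recipient-side integrity check (for example, a hash of the plaintext shared over the same separate channel as the passphrase) is needed as well.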
Cloud and networks
- Where possible, use only your organisation's trusted networks or cloud services, and comply with any organisational rules and procedures about cloud or network access, login and data sharing.
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
- Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
- Where possible, keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices and to know what is at risk if something is lost.
Data Protection – Checklist
- Engage your Data Protection Officer in the procedure
- Keep up to date with the guidelines and measures taken by both local and European authorities
- Provide the necessary information to the data subjects involved in any new and/or updated processing activities
- Respect data subjects’ rights throughout this difficult process
- Put in place appropriate corporate policies and procedures
- Maintain the necessary and appropriate internal documentation on the lawful bases of any protective measures adopted
- Conduct Data Protection Impact Assessments (DPIAs) for new or changed processing likely to result in a high risk, such as systematic collection of employee health data
- Maintain all necessary measures for data security and confidentiality
- Update your data protection documentation, in particular the DPIAs and the register of processing activities
Authors: Iacovos Kouppas, Thea Nicolaou