No area of our life has remained untouched by the impact of COVID-19 and our information management practices are no exception. We are having to find new ways of working and adapt to the lack of face-to-face contact we are all used to.
What are the practical implications of online working for information security?
Although some businesses had already begun to allow for more flexible/agile working, the need for many organisations to operate remotely (and to put arrangements in place within a relatively short timescale) has put significant pressures on IT infrastructure and created consequent tensions around information security. At a basic level the need to print documents at home leaves the question of secure destruction. The need to communicate with fellow colleagues, customers and suppliers has led to the introduction of new technologies without the time for the usual security checks to be put in place, leading to concerns about the security and privacy settings of many of these communication tools.
Existing statistics from the Information Commissioner’s Officer (ICO) show that the highest number of data breaches relates to personal data being sent to the wrong recipients. With the extra pressures that remote working brings there is a greater need than ever to be vigilant about information security, to question the origins of any suspicious looking emails (and to treat all emails with suspicion), and to ensure that emails are correctly addressed or contain the correct information.
Does the need to work remotely excuse compliance from information management laws?
Data protection laws – and the relevant statutory deadlines – remain applicable during this time. The ICO has made it clear that, although statutory timescales for complying with data protection laws are unchanged, they will take into account that the restrictions currently imposed may make it more difficult to meet these timescales. They will also make it clear to data subjects that they can expect delays to the usual timescales during this period largely due to remote working and social distancing measures.
Freedom of Information (FOI)
The ICO has also indicated it will make allowances for public bodies that are unable to comply with the statutory timescales in terms of FOI laws under the UK legislation because their resources are diverted elsewhere.
Scotland, however, has taken a different approach. The emergency coronavirus laws extend the 20-working day period for responding to FOI requests to a maximum of 60 working days. This applies in relation to requests made to Scottish public bodies under the FOI laws but does not apply to any requests under the Environmental Information Regulations. Although this extension is time limited to the end of September there are provisions for it to be extended if required. Moreover, the legislation allows the Scottish Information Commissioner, on conclusion of an investigation, to find that a public body has failed in its FOI duties but that the failure was reasonable, due to the effects of coronavirus.
Can I collect data about whether my staff have COVID-19 and, if so, how can I use it?
More pertinently, the impact of COVID-19 raises questions around collection, use and sharing of personal data (particularly health data) about employees. This might also extend to cover collection of information about supply chain employees and contractors depending on the nature of a particular business.
Health data can be collected provided there is an appropriate legal basis for doing so. Generally, health-related data can be processed where there is a substantial public interest (here in relation to public health), where it is for the protection of the vital interests of the individual (the General Data Protection Regulation specifically refers to use in connection with monitoring an epidemic) or it may be because there is a legal obligation on the employer – for example, to provide a safe place of work. Moreover, public bodies may have a specific statutory duty that requires the collection of this information.
As an employer you are required to protect employees’ health and provide a safe work environment. However, that does not entitle the employer to collect excessive information. It might be reasonable to ask employees to indicate if they have, or believe they have suffered from, COVID-19, but care should be taken when sharing such information, particularly with other staff. While it may be relevant to indicate numbers of staff who have had (or believe they have had) COVID-19 there are very few circumstances where it would be necessary to name the individuals in question, particularly where there is no physical day to day contact.
This may change as we move into the phase of relaxing the current measures but a lot will depend on how the government intends to do that. Additionally, although it may be pertinent to collect and retain such information now, future consideration will need to be given as to how long this should be retained.
The core principles of data protection still apply, and it is important that existing data protection policies and procedures continue to be complied with and that data is not unlawfully shared. The principle of accountability must also be respected, and the decision-making processes and measures put in place should be documented and reviewed as appropriate.
In the words of the UK Information Commissioner: “We must reflect these exceptional times. We will continue to recognise the continuing importance of privacy protections, and the value of transparency provided by freedom of information. These rights are a part of modern life we must not lose.”