Are you prepared for data protection in the time of coronavirus
12 June 2020
The 25th May 2020 marked the second birthday of the implementation of the General Data Protection Regulation (GDPR), throughout the UK and Europe.
Two years ago, the world’s toughest data protection legislation put all of us under pressure from large corporations and small business to public authorities and our hospitality industry. Personal data protection was slap bang to the forefront within the whole European Union (EU) and gave citizens the right to privacy. The 31st January 2020 was the formal date that the UK exited from the EU, but Brexit is largely irrelevant to the UK domestic legislative force of the Data Protection Act 2018 (DPA18).
The substantial work and preparation that took place in the run up to May 2018 was in fact significant at that time but has now become a crucial tool in your armoury in a way that most of us could not have predicted. Most of us knee deep in work juggling many tasks in the fast paced and connected world we live in, will be forgiven for missing “The next outbreak? We’re not ready” 2015 TED Talk warning from Microsoft co-founder Bill Gates. He said: “If anything kills … people in the next few decades, it’s likely to be a highly infectious virus rather than a war,” Gates said “Not missiles, but microbes.”
Following the outbreak of a global pandemic, Northern Ireland continues with coronavirus recovery. The NI Executive has moved into Phase III of V in our recovery process, and whilst work from home should continue where possible we begin the phased return to the office and onsite working subject to risk assessments, schools have begun preparations and our hospitality sector is working hard to open the doors on July 20th.
Collecting and Processing Personal Data
However, logistics, health and safety, screens, sanitisers and spacing aside in what is now this time of coronavirus all of the extraordinary efforts and work undertaken by you for GDPR implementation two years ago laid crucial foundations to prepare for this new normal. The collecting and processing of data shall now include a new category of information about staff, customers, suppliers, pupils, and any individual interacting with you during business as usual.
New personal data might for example include:
- Body temperature data for any individual visiting, employed or connecting with your organisation;
- Individuals underlying health conditions;
- Whether individuals are displaying symptoms of the virus;
- Which individuals have been in contact with others who display symptoms;
- General health status of individual households;
- The health details of an individual’s child;
- Whether individuals are complying with self-isolation rules;
- COVID-19 test results;
- Locations or tracking of where individuals have visited; and
- Ensuring data storage facilities are secure and compliant with GDPR, specifically knowing where your data is stored so your software provider is compliant with GDPR, especially if their servers are located outside the EU.
The difference is that this data falls into a Special Category of Data (SCD) and is likely to amount to high risk data processing and data storage which attaches much more onerous and complex legal procedures. SCD is personal data that requires you to have safeguards and protection in place when handling it because it is more sensitive than other types of data.
In order to lawfully process SCD, you must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. There are 10 conditions for processing special category data set out in Article 9 of the GDPR. Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018. You must determine your condition for processing SCD before you begin this processing under the GDPR, and you should document it and, in many cases, you should have a policy document in place prior to you conducting this data activity.
Understandably to safeguard the health and safety of everyone there is the temptation to collect as much data as possible. This should be given a cautionary stare. It is a legal requirement that you have checked that the processing of the SCD is strictly necessary for the purpose you have identified and that you are satisfied there is no other reasonable and less intrusive way to achieve that purpose. Organisations should have a clear purpose and understanding of what personal data and / or SCD, and level of detail, is required to fulfil this purpose. This risk assessment must be conducted prior to collecting any personal data and / or SCD from individuals.
Data Protection Impact Assessment
Before engaging in a SCD activity you need to complete a Data Protection Impact Assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing each item of the SCD and apply to each item, by way of example you would conduct a DPIA for each of the "new personal data" bullet points listed above.
A DPIA is a useful tool to assist you in understanding why you are conducting the SCD activity and helps you to think about the risks associated with that data processing activity. Through that process you can readily identify any measures and steps that you can take to mitigate any risks posed to that data.
By conducting a DPIA organisations will often identify gaps in the structures and inform operational change by introducing new COVID-19 privacy policies or new ways of recording COVID-19 data.
The Information Commissioner's Office (ICO) issued special guidance suggesting that a DPIA should be performed where a processing activity involves biometric data, genetic data and / or tracking data.
Legal Basis to Process, Collect and or Store
GDPR imposes a legal obligation that you must have legal basis for processing personal data. That includes having a legitimate interest, a contractual necessity or legal obligation for instance. You should identify an Article 6 lawful basis for processing the special category data and an appropriate Article 9 condition for processing the special category data. Where required, you should identify an appropriate DPA18 Schedule 1 condition.
SCD can also fall within various categories of legitimate processing such as employment, medical advice or public health grounds and it is important to satisfy the relevant GDPR condition of each legal processing requirement as well. Safeguarding and protection obligations require you to document which special categories of data you are processing. The issue of consent can be complex as it is not freely given in certain relationships such as employee-employer status so additional considerations for GDPR compliance must be adopted.
Privacy Notices and Internal Policies
This is a good time to undertake a review of your privacy notices and policies to ensure that they continue to be valid in a COVID-19 context.
Confidentiality and COVID-19 Disclosure
Special consideration must be given to how you communicate and what you disclose in relation to SCD and COVID-19 related data. This involves a sensitive balancing of countervailing rights and requires you to keep a record of how you determine such disclosures. We have vast experience of advising in relation to these legal balancing tests and have litigated the issues in recent years.
Regulatory Guidance Responding to COVID-19
Whilst this is a new normal and many of us feel in uncharted territory, the legal principles and law is the same but applied in different contexts. The ICO and Data Protection Commissioner as regulatory authorities in Belfast and Dublin are sure to release updated guidance to assist you in your business as usual operations. It is a useful starting point for any organisation or business, and you should keep an eye out for any new regulations.
On the 15th April the ICO recognised that Data Protection law must operate in the context of COVID-19. The exceptional circumstances included an appreciation that organisations and individuals are facing operational, financial and personal impact which must be taken into account.
Carson McDowell have worked closely with many of you in your extraordinary endeavours to become GDPR ready and through that process we were able to learn more about your business needs. We have specialist GDPR lawyers who have the resources and understanding to provide immediate and bespoke solutions to any queries you have.
We look forward to working with you in our new normal and together we can ensure that GDPR’s third birthday is a lot more mundane.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.