Wonderful service from start to finish.
How do I manage employee data and employee handling of client data during the coronavirus pandemic?
- AuthorEmployment Team
Increasing numbers of staff are working from home or away from the office which could make confidential information and personal data more vulnerable to data breaches; particularly where cyber-criminals are increasing their fraudulent scams. Data which relates to the health of employees during the pandemic is also subject to special security requirements. Our Employment Law team here reviews how employers can be protecting their data during these times of change, and how you should proceed if there is a breach.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) means businesses processing personally identifiable information about individuals have a statutory obligation to notify the regulator of any breach which places an individual’s personally identifiable information at risk. The GDPR and the DPA 2018 also gives power to the UK’s data regulator, the Information Commissioner’s Office (ICO), to issue high penalties for breaches.
Working from home and data protection
Organisations need to take data protection very seriously given that staff working from home may be using their own domestic internet connection and personal devices to access software and systems. Fines for data breaches from the ICO will still apply under these circumstances so you should therefore ensure that you have sufficiently clear policies in place with regard to employees working from home and how employees should handle and store client/customer data when doing so. Your policies with regard to working from home and handling of data should include the following:
- Guidance on the information that could/should be brought home.
- Guidelines on how to store the data (for example, in a box or locked cabinet if in hard copy).
- Clear rules on how to store data electronically such as on a secure server or a password protected folder.
- Procedures which should be followed if there has been a breach of any data provisions.
- Links to any disciplinary policy if required.
Cyber fraud during coronavirus
Human error is often the reason for data breaches and without direct supervision from managers or colleagues to consult, these breaches may be more likely to happen. There are reports of a sharp increase in attempted cyber fraud, with many more phishing emails, malware and social engineering, where fraudsters trick staff into making money transfers or revealing information. You should therefore remind your employees about being especially vigilant regarding these risks.
Personal data regarding health during coronavirus
The handling of individual information about staff and visitors who have travelled to a high risk area, their symptoms, their test results and when self-isolation has occurred could also be a major threat to data security. This is personal data protected by GDPR, and where it concerns information regarding health it may be special category data under Article 9 of GDPR, which requires special security measures. This information should be collected and used only as absolutely necessary in managing risk and should not be kept unless essential, such as for an insurance claim.
You should ensure your management and sharing of information is set out in a policy so your staff know who to inform and what information is shared with whom. The ICO has said that it may be appropriate to inform other staff if someone tests positive, or is suspected of having contracted the virus, so as to protect the health and safety of their staff, but the individuals should not be named and you should not provide more information than is necessary.
While the ICO states they will be pragmatic about matters such as speed of response to information requests during the crisis, there is no suggestion that they will accept reduced standards of data security.
We understand that you may be struggling to keep up in this fast-changing environment but it is important to protect your data. A breach with compromised data will be a serious issue and the ICO can impose fines of up to €20m or 4% of total worldwide turnover. As well as financial penalties, the damage to corporate reputation can be immense. If you have any questions for our Employment team about protecting theirs or your clients’ data during this time, you can contact the team on 023 8071 7717 or email firstname.lastname@example.org.
To receive regular Employment Law updates from the team regarding recent tribunal cases and legislation updates, you can subscribe to our weekly Employment Law Newsletter by completing our subscription form or emailing us at email@example.com.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.