The unprecedented impact of COVID-19 has had a colossal effect on businesses. Businesses are dealing with challenges they have not faced before, and as a result may not have considered how data protection laws, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), continue to apply.
We have set out an overview of some of the key issues for your business to consider during this crisis.
Protecting customer and visitor details
Depending on the nature of your business you may be collecting customers’ and visitors’ personal data for the first time, to support the various contact tracing schemes in the UK.
This is perfectly acceptable, but it is important that the collection and processing of the personal data is carried out in accordance with the requirements of GDPR.
Only collect the personal data that is absolutely necessary, for example name, contact details and time of arrival. It is important that you are transparent with customers, ensuring that you tell them precisely what you are doing with their personal data and that the information is easy to understand and in plain language. This can be achieved by having the appropriate privacy notice in place and displayed in your premises or on the website. Alternatively, you can tell customers directly at the point you collect their details.
Once you are in receipt of the personal data you must secure it safely and make sure that you do not use the information for any other purposes, for example direct marketing. Finally, you should not keep the personal data for longer than you need it.
Consider undertaking a DPIA before collecting personal data and/or “special categories of personal data” (“SCD”) from individuals
Businesses should consider undertaking a data protection impact assessment (“DPIA”) prior to collecting any personal data and/or SCD from individuals relating to COVID-19.
A DPIA is intended to help businesses understand the risks associated with particular data processing activities and the measures that can be taken to mitigate such risks. A DPIA will also help to inform the changes that may be required in other data protection-related compliance documentation within the organisation (e.g., privacy notices and records of processing activities).
The GDPR requires organisations to undertake a DPIA if the processing is likely to result in a high risk to the rights and freedoms of individuals. Additionally, guidance issued by data protection regulators suggests that a DPIA should be performed where a processing activity involves biometric data, genetic data and/or tracking data.
Make sure your business has a legal basis for processing the personal data and/or SCD
The GDPR requires organisations to have a legal basis for processing personal data.
In relation to COVID-19 your business may be able to rely on the following lawful bases:
· Legitimate interests: businesses may consider it necessary to process personal data relating to its personnel (and other individuals) for the purposes of its legitimate interests in managing business continuity and the well-being of individuals with whom it interacts.
When considering legitimate interests as a lawful basis it is important that the business balances its interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override the business’s.
· Contractual necessity: where processing of personal data relating to COVID-19 is necessary for a business’s performance of its obligations to employees under the employment contract, then such processing may be justified.
· Legal obligation: businesses may have legal obligations relating to health and safety, and it may be possible to justify certain personal data processing activities on the basis of these legal obligations.
Note that if the personal information falls within the category of SCD (which is likely in this context), then a further condition must be satisfied.
Make sure you review and update your privacy notices where necessary
It is important that businesses review existing privacy notices to ensure that these provide the necessary information regarding the data being collected and the purposes of processing.
If a business is collecting new categories of personal data and/or SCD from individuals and using such data for new purposes, it will likely be necessary to update privacy notices to reflect the new changes in the collection of data from individuals.
Can the business disclose COVID-19 cases to personnel?
Yes, but disclosure of such information should be limited as much as possible. If it is necessary to disclose the name of the member of personnel who has contracted COVID-19 to enable other personnel to take appropriate protective steps, the person who has contracted the virus should first be informed of the intended disclosure.
Should the business have a remote working policy in place?
Yes. If you already have a policy in place, now would be a good time for businesses to review and (if necessary) update remote working policies, and to remind personnel of the requirements of these policies.
What safeguards should a business put in place to protect the information it collects?
The GDPR doesn’t prescribe the specific security measures that you should use. The Information Commissioner’s Office says “the GDPR requires you to process personal data securely using appropriate technical and organisational measures. What’s appropriate for you will depend not just on your circumstances, but also the data you are processing and the risks posed. You must assess your information security risk and implement appropriate technical controls”.
If you have any queries or wish to discuss any aspect of COVID-19 and what your business should be doing to ensure GDPR compliance, please do not hesitate to contact Claire Sumner.
Senior Commercial Associate
Jolliffe & Co LLP
Tel: 01244 310 022
Disclaimer: Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or fail to take any action based upon, this information. You should obtain your own independent legal advice. Jolliffe & Co LLP will be pleased to discuss with you any legal concerns you have in relation to this subject matter.