I have had interesting conversations this week about the
Data Protection implications of the coronavirus pandemic, particularly when almost
all lawyers are now working from home.
I have previously mentioned the need for
employers and staff to be aware of their responsibilities and to take sensible
precautions.
The Information Commissioners Office has published helpful
advice. It is clear that in these exceptional times, they will take an
exceptional approach to compliance.
They key points are –
1. The ICO acknowledge that it might take longer to
comply with a DSAR request because of limited resources – “We won’t penalise organisations that we know need to
prioritise other areas or adapt their usual approach during this extraordinary
period.” They have no power to extend deadlines but – “will tell people through our own
communications channels that they may experience understandable delays when
making information rights requests during the pandemic”
2. As far as working from home is concerned the advice is simply
to follow the same security measures that you would normally follow. Many firms
have a working from policy but not all. If
not you will need to put measures in place. These are, in the main, common
sense –
(a)
If papers are taken
home, this needs to be recorded so you know what is where. Staff need to take
care that any papers are stored in a way that protects them being accessed by a
third party. In the current climate there are likely to be limited visitors in
any event.
(b)
Staff should be
advised to avoid discussing confidential client matters with friends and family,
particularly during telephone conversations with clients, colleagues and other parties,
(c) Are emails encrypted
and are sensitive documents sent and received securely?
(d)
What help is available
to staff? What do they do if they suspect a breach
3. The advice is that
there should not normally be any need to gather health information about staff.
The guidance is that they should tell you if they have visited a particular
country or have symptoms and to call 111. This should keep data to a minimum.
You can advise staff if someone has contracted COVID-19 but there is no need to
name the individual or to provide more information than is necessary,
4. Data protection law
will not prevent you from sharing health information with authorities with where
necessary although this is unlikely.
The ICO make it clear that they will be
reasonable and pragmatic.
I have heard of some businesses using
data protection concerns as a reason for not allowing staff to work remotely.
This approach has been out of date for years but is even more so in the current
difficulties.
There is an ICO helpline at - 0303 123 1113
No comments:
Post a Comment