The new normal of living in a Covid19 world brings with it some important questions about how you’re going to manage your business’s data security.
If you’ve changed how and where your workers are based, such as home workers or shared work spaces, or have taken on extra measures such as track and trace or monitoring your staffs health, there are data security measures that you must implement to comply with GDPR and protect the processing of personal data.
Data Protection Impact Assessment (DPIA)
Under the GDPR you need to show that any processing of personal information is being being done in line with the GDPR. You’re responsible for being able to demonstrate your compliance and to show that you’ve considered the impact of the data your processing. It’s recommended that you have a Data Protection Impact Assessment (DPIA) to help demonstrate your assessment.
Making changes to your GDPR policy should only be done after a DPIA is carried out.
The DPIA is not just for large organisations, any business that is processing personally identifiable information is required to be registered with the ICO and to have a GDPR policy in place.
Am I processing personally identifiable data?
What counts as Personally Identifiable Data?
Any information that can identify an individual is Personally Identifiable Data, the most obvious being peoples names, but other types of data could also be used to identify someone;
- Names
- Client Reference ID’s
- Order Numbers
- Browser Cookies from websites
- PAYE information
- CCTV images
- Bank Details
- Mobile Phone Numbers
- Social Media Details
What counts as Processing Data?
Any time anything happens to the data, it’s processing. With digital data this would include when it’s first entered into your system, if it’s accessed, sorted or looked up and when it’s modified or printed.
It includes the collection of data even if it’s not stored, such as taking temperature readings.
I don’t use a computer for work?
The GDPR covers processing of data in any format, this includes data on your mobile phone (such as contact details, call logs, text messages, WhatsApp messages etc)
I don’t even have a mobile phone
It’s not just digital data that is covered, an form of filing system is taken into account, so an address book, Filofax or even the top drawer of your desk would all fall under the GDPR.
Track & Trace
If you’re recording information for Track & Trace, you are required to follow the GDPR when doing so. You should update your GDPR policy to include the processing of this data and carry out a DPIA to make sure you are following the requirements of GDPR.
You should make sure that individuals know why you are collecting this information, who will have access to it and how long you will retain it for. The data collected must not be used for any other purpose.
You will need to identify the lawful basis for collecting this information. If you have a legal requirement to collect the information, or are doing so because your industry is encouraged to do so, it’s likely that you will be able to use ‘Legitimate Interest’ as the bases. Otherwise you may be required to use individual consent.
You should collect the minimum amount of information needed for the purpose. This would probably be a contact name, phone number and the date, time and duration of their stay at your premises.
The ICO list an ‘ABCDE’ approach to contact tracing:
 | Ask for only what’s needed You should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival for example.You should not ask people to prove their details with identity verification, unless this is a standard practice for your business, eg ID checks for age verification in pubs. |
 | Be transparent with customers You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could do this by displaying a notice in your premises, including it on your website or even just telling people.If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes. |
 | Carefully store the data You must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away.See our guidance on simple security measures you can take here. |
 | Don’t use it for other purposes You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics. |
 | Erase it in line with government guidance You should not keep the personal data for longer than the government guidelines specify. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example. |
Track & Trace QR Code
If you’ve printed out a government Track and Trace QR code, you do not need to include that information on your GDPR as you will not be processing the information in any way.
Get a UK Government NHS Track and Trace QR Code here
Monitoring individuals for signs of Covid-19
(Temperature monitoring, symptom monitoring or asking about their health or the health of household members)
If you’re monitoring individuals (or their household) for signs of COVID-19 you will need to take extra care with the way the data is collected and processed. This type of data is classed as Special Category Data and has extra safeguards offered by the GDPR.
You should carry out a DPIA to ensure you have covered all the legal requirements for processing this kind of information.
The ICO GDPR coronavirus hub ‘Testing’
Individuals who are asked about their health or the health of those they live with, or who are asked to take a test or have their temperature taken, have rights under the GDPR. They are entitled to know at the point of collection;
- What information is being collected.
- Why it’s being collected.
- Who will have access to the data.
- How long the data will be held for.
- What the legal basis is for collecting the data.
- who they should contact if they have any problems or issues.
They will also be entitled to request a copy of the data (Called a Subject Access Request, or a SAR)
Furthermore, they will be required to give specific, clear consent for the collection of this information.
Home workers access to company data
With many organisations now looking at moving to full or part time home workers, you need to make sure your GDPR policy covers the movement of data to and from your remote workers, and the data’s security while off site.
The transfer of data to and from your workforce and your office network should be a closed, secure transfer, either digitally over secured communications channels or physically.
If your workers are in the office or in other company owned premises, the security can be centred around the closed network design, but when your workers are remote or working from a home office, that transfer of data needs to be done via public systems (This could be manual, such as moving paper records and files from the company to the workers, or digitally over the public internet)
If the data falls under the scope of the GDPR, then it is a lawful requirement that you protect the transfer of the data.
For files and paper this could be by using a locked briefcase or storage box, a pre-vetted courier or an employed courier. For digital information, this should include encrypted data over secure connections, such as a VPN (Virtual Private Network) Remote Desktops or secured cloud services.
Passwords
You shouldn’t be letting your staff use weak passwords anyway, but we know in a secure office environment it can happen.
With staff accessing your business network remotely, those passwords suddenly become critically important and must be strong, ideally with 2FA (Two Factor Authentication) in place so any logon attempt needs to be verified by a text message or mobile phone app.
You should have sufficient monitoring of access so you can identify malicious logon attempts and any issues of security.
Data transfer and storage for home workers
You should make sure data is secured during transport, whether digitally over the internet, on USB devices or as paper files.
Once the data has been delivered to the remote worker securely, you need to make sure it’s stored in a secure way.
Paper folders and files should be stored in a secure locked cupboard or filing cabinet in the house for example, it’s not a good idea to leave them in a car or in a garage or shed.
Digital data should ideally be encrypted when not being accessed, and only kept in the remote location for as long as is necessary.
Using a home pc or mobile
If your remote workers are going to use personal devices for processing your organisations data, you should ensure that it meets your data security policy standards.
This should include sufficient secure (encrypted) storage, segregation of data from personal data, robust antivirus measures and secure internet connections as a minimum.
If you already have a Bring Your Own Device (BYOD) policy in your GDPR and IT deployment pack, then you should make sure it’s up-to-date, appropriate for it’s new use and that your employees read it and understand it.
Video Conferencing
Using video conferencing is a great way to keep in touch with staff and clients, but you should cover it’s appropriate use in your DPIA.
You should choose a platform or two that offer corporate level security, two factor authentication, logging and recording facilities and end-to-end encryption and deploy them for use.
You should make sure users are kept updated on proper use, and how to spot improper use or potential scams on the platforms, and you should make sure the end users are keeping their platform client apps up to date.
In your policy file you should include items such as screen sharing, file sharing, remote control and instant messenger chat use.
Office Chit Chat
One of the things people might miss while working from home is the office chit-chat. Not the gossiping at the coffee put for 20 minutes, but the background day-to-day chatter that helps the office function.
To help with this, there are a few digital radio stations and channels that will pay constant background chatter, it sounds odd but having that quite noise in the background can actually make it easier to concentrate on what your’re doing.
For the time when you would just pop your head up and ask a colleague something, you might find it useful to have an ongoing meeting room open between all your office staff. That way they don’t have to start a specific call with someone if they just want to ask a quick question.
We can help you conduct and write your Data Protection Impact Assessment (DPIA) to make sure you’re protecting personally identifiable data in line with GDPR requirements.
We can help you move your business to an agile, modern IT setup, with remote workers, hot desking and secure digital storage.
We can also help you with IT Support for your remote workers, making sure your agile workforce are getting the support they need in this new way of working.
If you need help with setting up remote workers, GDPR Policy files, DPIA’s or any other IT support issues #WeCanHelp
https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/
