
Coronavirus, cybersecurity and data protection

27/03/2020

Cyber security and data protection: cyber-security is already a key business risk, with a spate of high-profile cyber-attacks. Those risks are even more acute with millions of employees now working from home for the foreseeable future.

Businesses hold vast amounts of confidential information, which in many cases also contains personal data about individuals. Employees working from home should be given clear protocols for dealing with sensitive commercial information and personal data. Key issues to consider include:

- In many cases, more than one person will be working from home in a household. Staff should be instructed to ensure that, as far as possible, confidential phone and video calls are conducted in a separate room (bearing in mind that childcare may make this difficult).

- Where staff have taken home confidential files for work purposes, they should be given instructions on storing them confidentially (e.g. away from other family members) and returning them once home-working is no longer required.

- Staff should only use work IT equipment, email accounts and storage drives when handling confidential information or personal data, unless specifically authorised. Likewise, they should be instructed to use apps such as Zoom and Houseparty only for work purposes (or on work equipment only where specifically authorised by the employer).

Data breaches can result in substantial fines and claims for compensation – and employers will be liable even for the unauthorised acts of employees in relation to personal data. Preventative measures are therefore essential.

Similarly, all staff working from home should be given clear instructions on how to maintain cyber-security when doing so, including instructions on reporting any cyber threats and data breaches. It is worth reminding all staff of the company's reporting procedures and explaining any variations to those procedures in the current circumstances.

What can I tell other staff if a member of staff has COVID-19?

Employers must continue to comply with their obligations under the GDPR and the Data Protection Act 2018.

Personal data concerning an individual's health is 'special category data' under UK data protection law. If an employee is absent due to COVID-19, employers must be mindful not to release any confidential personal data of that employee (which would be special category data under the GDPR). They may communicate with other employees that an employee has a confirmed case of COVID-19, but should not reveal the name of the individual or other identifying details.

The Information Commissioner has issued brief guidance in relation to coronavirus (https://ico.org.uk/for-organisations/data-protection-and-coronavirus/). This emphasises that:

- The ICO will not penalise organisations which are forced to divert resources away from data protection or from responding to subject access requests (or other information rights requests).

- It is reasonable to ask staff whether they have been experiencing COVID-19 symptoms, but organisations should take care not to collect more information about staff members' health than necessary.

- Employers should inform staff if a member of staff has contracted COVID-19 so that they can take appropriate measures to protect themselves, but employers should provide no more information than necessary and probably do not need to name individuals.

Other European regulators have issued more detailed guidance, emphasising the need for employers to comply with GDPR requirements when processing sensitive health data. The guidance states that employers should not collect generalised health information about staff or visitors. For example, employers should not subject staff and visitors to temperature checks or medical questionnaires to check whether they may have the virus. However, they can encourage staff to report any risks of exposure and encourage staff to work remotely where possible.

If employers are asked to collect health data by public health authorities, they must only collect the health data requested by those authorities.
