I’ll admit it – I clicked the link. I will make the excuses: I am trying to work from home and keep a 5-year-old occupied on something other than YouTube; I was quickly dealing with the quick wins in my inbox; it sounded genuine (we would update our email footer at a time like this, right?)
Luckily for me, the email was a fake fake and I was immediately spirited off onto cybersecurity training. But I could have fallen foul of one of the myriad cybersecurity scams that have recently escalated due to the COVID-19 outbreak and the resultant spike in home-working (and anxious workers). Europol state in their March report:
“Criminals have used the COVID-19 crisis to carry out social engineering attacks, namely phishing emails through spam campaigns and more targeted attempts such as business email compromise (BEC). There is a long list of cyber-attacks against organisations and individuals, including phishing campaigns that distribute malware via malicious links and attachments, and execute malware and ransomware attacks that aim to profit from the global health concern.”
The UK data protection regulator, the Information Commissioner’s Office (ICO), has picked up on the need for heightened vigilance against such attacks too and has issued guidance to individuals, but I note that staff too should be reminded of the risks posed by cyber-crime to both company confidential information and the personal data controlled by their employer. The National Cyber Security Centre suggests preparing training guides for staff, particularly on how to report problems and on the need for prompt action if an incident occurs.
To be clear, there has been no suspension or amendment of any data protection law during the COVID-19 outbreak. It is entirely business as usual.
In the context of home-working this means that businesses must take appropriate technical and organisational security measures when dealing with personal data. Businesses may give consideration to the commercial aspects of implementing measures, but these are balanced against the risks to data subjects: if data cannot be processed both securely and cost-effectively in a home-working situation, it cannot be processed at all. Similarly, steps must be taken to protect business confidential information in order to be afforded the common-law protections against misuse by third parties. Simple steps, such as marking documents as confidential and advising staff to lock their screens while away from their desks, are sensible starting points.
Notwithstanding the starkness of the law, the ICO has stated that it recognises the “unprecedented challenge” associated with the outbreak and that alternative ways of processing personal data may be necessary. The ICO goes on to urge organisations to be proportionate in their approach to data protection:
“if something feels excessive from the public’s point of view, then it probably is”
My advice is to document decisions relating to personal data carefully, ideally following a data protection impact assessment template, in order to ensure that due consideration is given to every aspect of the proposed processing. If there are competing considerations, be honest in your deliberations, as these may be reviewed later.
The ICO has expressly stated that the use of personal devices can be acceptable (presumably where appropriate security measures are in place), although I strongly discourage any data being emailed to a personal email address, for any reason.
Taking their pragmatism further, the ICO has noted that there will inevitably be delays in responding to data subject access requests and that it will not penalise organisations that have had to prioritise other areas. Even if the reason is obvious, any delay should be communicated to the requester with a brief explanation, followed by status updates once work starts to return to normal.
If a personal data breach does occur, the normal steps to report the breach should be followed. Staff should be encouraged to be prompt and honest about breaches, particularly if a cyber-security incident is involved: quick reactions may stop the breach becoming significantly worse. All breaches should be documented in the data controller’s breach register. If there is a risk to the rights and freedoms of the data subjects, a notification to the ICO must be made. It is advisable to complete the breach notification with as much information as is available before the end of the 72-hour deadline, noting the difficulties in preparing a full report, and then to follow up as and when further information becomes available.
Finally, a note about data protection and COVID-19-related health information. Data about which staff, customers or other third parties have COVID-19, or are perhaps shielding for other health reasons, may be highly pertinent to an organisation at the moment. However, processing such data requires a legal basis, which is likely to be legitimate interest, so a legitimate interest assessment will need to be completed. The data in question is health-related and therefore special category data, so a further basis is required to process it. Ordinarily consent is procured for the processing of health data, but consent is inappropriate where the processing must take place regardless and consent cannot meaningfully be withdrawn. Instead, organisations should rely on either 9.2(b), relating to the health and safety of employees, 9.2(h), capacity to work, or 9.2(i), public health. In relation to these two latter categories, medical professionals with professional confidentiality obligations need to collate the personal data. The legitimate interest assessment should include consideration of the scope of the processing and how long the data will be retained, and it is important to follow up and destroy the data once the rationale for processing has passed...
…let’s hope that is soon.
This article first appeared in Information Age https://www.information-age.com/data-protection-time-covid-19-unprecedented-challenge-123489303/