It's fair to say that priorities have (quite rightly) shifted for almost every person and business on the planet in the last few weeks and months.
There are a multitude of fascinating but fairly esoteric or academic talking points in the context of privacy, open data and Coronavirus (in particular, see Yuval Noah Harari in the FT on 20 March). But in practical and business risk terms, what are the bear traps? How can businesses avoid them?
In this note, we look at how, in practical terms, businesses can manage new or increased data protection risk in the most uncertain of times.
In summary (with much more detail and practical advice below):
The risk:
Even businesses that are used to agile and remote working may need to deploy new tech at speed. For other organisations, this will be the first real 'test' of working remotely at scale. Data protection law won't prohibit this. But it is important to remember that skimping on testing, skimping on security, diverting information security resource to more operations-focused roles may create technical and operational security vulnerabilities (e.g. employees creating their own 'workarounds' if IT teams are busy, relaxing the processes around verification of new or free tech solutions). Further, whilst data protection regulators across the globe are keen to point out that they will be pragmatic about the circumstances, there's no 'free pass' to cut corners just because of the crisis that businesses find themselves in.
The guidance:
The UK's National Cyber Security Centre (NCSC) has issued best practice guidance to help businesses to prepare for an increase in home and remote working. This recommends steps to take if your organisation is introducing (or scaling up the amount of) home working to help manage the cyber security risks. It's a really good reminder of some of the basics and is worth sharing widely.
What to do:
The risk:
Leading hacker groups have (generously?!) indicated that they will no longer target healthcare providers during the Covid crisis - though let's all accept that fraudsters and hostile actors are not necessarily known for their integrity or reliability in a crisis.
The WHO, the NCSC and major hospitals have all been subject to attacks in recent weeks. Template Covid-related "phishing" emails are available to purchase, and hundreds of Covid related domain names have been registered and are hosting unsafe/insecure hostile sites. This is not the time to let your guard down.
The guidance:
The notes above relating to information security in general are of course relevant here. Specifically, the NCSC has produced a new e-learning training package "Stay Safe Online: Top Tips for Staff". The training is free, does not require a log-in and its content can be applied to any organisation, regardless of size or sector. This can be completed online or built into organisations' training platform and may be useful as a refresher or to refocus minds on security despite the dramatic changes to many people's working lives.
What to do:
The risk:
Even those organisations with beautifully documented and diligently implemented policies and processes will be struggling to maintain BAU levels of data protection focused governance. Post rooms are unmanned, comms teams have new priorities, and IT, Legal and HR teams are working around the clock to keep businesses going. This can obviously lead to even well-established processes being missed, delayed or abandoned – critical and potentially high profile processes such as identifying and responding to subject access requests or even early detection of a data breach. There's clearly commercial and reputational risk here, and businesses need to keep in mind that the Covid crisis hasn't 'paused' the normally applicable legal and regulatory risks too. Businesses could (and probably will) find themselves the subject of regulatory enforcement and litigation as a result of failings during this unusual time.
The guidance:
A number of data protection supervisors have issued statements recognising the challenges that data controllers are facing and that these challenges will reasonably require a diversion of resources. However, it is unlikely that any statutory timescales will be extended (the UK's ICO and Ireland's DPC have said as much). The Irish DPC's statement recognises that "unavoidable" delays may occur, and specifically calls out healthcare related organisations as being likely to experience issues in complying with deadlines. The UK's ICO will be publicising the fact that data subjects should expect delays given the issues that businesses are dealing with.
What to do:
Transparency, proactivity and sticking to your core governance principles and processes will be key here. Get ahead by considering really practical steps. For example:
The risk:
At every level, organisations are collecting health data at a scale and speed not seen before. For the majority of organisations (leaving aside those organisations in the field of collecting, interpreting, using or sharing the massive scale data sets informing government level policy), this means collecting and possibly sharing health data of employees and 'visitors' (a catch-all term for third parties with whom a business may come into contact).
For example, most businesses may at least be tracking whether individuals have Covid-19 symptoms or are in a high-risk category in terms of the severity of the impact of the virus.
Clearly, health data features at the 'high risk' end of the data risk spectrum – it is "special category" data and therefore requires special protection. Collecting health data in the first place (plus any subsequent use, sharing or retention of it) requires additional thought or businesses risk falling foul of the most fundamental of their data protection obligations and possibly attracting regulatory enforcement action down the line.
The guidance:
Many data protection regulators around the world have issued statements or guidance on this issue. The UK's ICO and Ireland's DPC have issued some limited but practical FAQs/dos and don'ts for businesses on their websites and these are worth reviewing.
What to do:
The risk:
For lots of reasons, Covid-19 has led to an increase in demand for online services, such as online banking, shopping, socialising, exercising (you name it), in view of the government's guidance to self-isolate and practise social distancing to slow the spread of the virus.
Clearly, for some organisations this is a completely new foray into digital services, while for others this will result in higher volumes of digital collection and processing of personal data than ever before. There may be some businesses who find that their documents and processes are simply not fit for purpose, whether that's privacy policies, consent processes, cookie practices and policies, CRM functionality and so on. Organisations that were previously 'flying under the radar' may find themselves in the cross hairs.
The guidance:
This issue probably falls under the same general "you don't have a free pass but we recognise the extraordinary circumstances" (or thereabouts) guidance issued by a number of data protection regulators across the world.
In reality, it's a case of business as usual here – all legal and regulatory data protection obligations will apply as normal, notwithstanding that businesses may not have anticipated the rapid digital transformation or digital escalation that they've been forced to undertake in a matter of mere weeks.
What to do:
If you have any queries and would like to get in touch with us, a coordinated team of experts is leading our support and can be contacted collectively using our dedicated inbox: [email protected].