Law360 (April 10, 2020, 3:10 PM EDT )
By Jeremy Feigelson, Avi Gesser and Jane Shvets
While European Data Protection Board guidance[1] confirms that the EU General Data Protection Regulation should not impede the fight against the pandemic, even in these exceptional times, companies must continue to safeguard individuals' data protection rights — not least because of the additional health-related personal data businesses are likely gathering in response to the pandemic.
We share here our top three tips for those who oversee data protection compliance, drawing on guidance from the EDPB,[2] U.K.,[3] French,[4] German[5] and Irish[6] supervisory authorities.[7]
In summary, we suggest that businesses:
First, identify and address the new data security challenges posed by increased remote working and increased cybersecurity threats — as a result of employees suddenly dealing with business information in home settings, and hackers seeking to leverage pandemic-related anxiety to their advantage.
Second, ensure that when collecting COVID-19 related data, the business collects, shares and retains the least amount of information necessary to help it manage the crisis, and keeps individuals fully informed about how the business will use their personal data.
Third, maintain detailed records of COVID-19-related data processing decisions and impact assessments. While some supervisory authorities have signaled a potentially more lenient approach for those who fail to meet applicable data protection requirements due to the pressures of COVID-19, businesses should wherever possible contemporaneously document the steps taken to comply and the reason for any failings.
While by no means an exhaustive plan to address all data protection issues presented by COVID-19 and the new normal of remote working for many companies, these steps should help businesses address their most immediate risks.
Identify and address new data security challenges.
With many employees now working remotely,[8] data security concerns need to be addressed as the requirement to maintain appropriate technical and organizational measures to safeguard personal data[9] applies equally inside and outside the office. The U.K. Information Commissioner's Office's COVID-19 guidance specifically calls on companies to "consider the same kinds of security measures for homeworking that you'd use in normal circumstances."
Companies may therefore want to remind employees of the need to:
- Prevent unauthorized access to personal data by family members, housemates or anyone else in the home by sharing practical, easily implementable strategies, such as putting work papers away, out of sight, at the end of each day. Those with voice-activated devices should also consider disabling voice recognition while working near them, to avoid confidential information being captured unintentionally.
- Adhere to preexisting data security rules while outside of the office. For example, employees should not use personal email accounts for work business even if remote access tools are under strain.
- Remain vigilant for hackers trying to exploit the crisis through phishing emails and other attacks — for example, fake Centers for Disease Control and Prevention updates, IT alerts and software notices all aimed at tricking users into granting unauthorized access to malicious third parties. These and related issues are discussed further in our COVID-19 cybersecurity checklist.[10]
Collect, share and retain the least amount of information necessary.
Collecting and sharing COVID-19-related data needs to be carefully considered. While the ICO guidance[11] states that companies can lawfully keep staff informed about COVID-19 cases within the organization, it reminds businesses to share information only when truly necessary.
The ICO suggests that naming affected individuals is unnecessary in most contexts and should be avoided. Guidance[12] from the German Data Protection Conference, a group of German federal and state data protection regulators, supports this approach, stating that the identity of an infected individual must be kept confidential unless there is no other way to take precautions to protect others. If naming an individual proves unavoidable, companies should document the reason and follow the EDPB guidance[13] to inform the individual before their name is disclosed.
Companies must also be circumspect when collecting COVID-19-related information. Although few organizations will be receiving physical visitors for the time being, those which are should ask them to provide only the information truly necessary to protect the company's workforce. The same applies to employees. The ICO guidance[14] suggests that it is reasonable to ask people if they have visited specified countries affected by the virus or are experiencing COVID-19-related symptoms.
Similarly, guidance[15] from the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés, suggests that employers can invite individual employees to share information about their own medical situation or potential exposure to the virus, but directs companies not to deploy blanket medical questionnaires or introduce mandatory temperature checks.
Relatedly, the Irish Data Protection Commission's COVID-19 guidance[16] reminds companies to discharge their transparency obligations when collecting COVID-19-related data, including clearly communicating the purpose for which the data is collected and for how long it will be retained.
Furthermore, any data collected must be safeguarded and disposed of appropriately; the German guidance reminds companies that data collected to help manage this crisis cannot be used for other, unrelated purposes and should be deleted as soon as it is no longer needed. Businesses may therefore wish to segregate COVID-19-related personal data from other data sets so that it can be easily expunged in due course.
Maintain detailed records of COVID-19-related data processing decisions and impact assessments.
In line with the GDPR's accountability principle and record keeping requirements,[17] companies should record the decision-making process underlying COVID-19-related personal data measures and steps taken to ensure data protection compliance. This includes recording the lawful basis for processing the data; typically, either necessity for reasons of public interest in the area of public health[18] or necessity for discharging obligations in the field of employment where local laws require companies to safeguard their employees.[19] As always, businesses should consider carefully the most appropriate basis for their processing and record it accurately.
At the same time, it seems likely that many companies will find it challenging to meet their data protection obligations — for example, responding to data subject access and other rights requests — due to staffing or technological issues caused by the pandemic. The ICO's guidance[20] says it will not punish organizations that "need to prioritise other areas or adapt their approach during this extraordinary period."
Considering the possibility that other supervisory authorities may be less forgiving, a best practice would be to carefully record the reasons for any delays or defaults, and to collect and maintain supporting evidence contemporaneously. This will help any businesses that fall short to have full and reasoned explanations to hand, should they later come under criticism from a supervisory authority or affected individuals.
Jeremy Feigelson, Avi Gesser and Jane Shvets are partners at Debevoise & Plimpton LLP.
Debevoise attorneys Robert Maddox, Alexandre Bisch, Fanny Gauthier and Friedrich Popp contributed to this article.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[2] https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[3] https://ico.org.uk/global/data-protection-and-coronavirus-19/.
[4] https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles.
[5] https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html.
[6] https://dataprotection.ie/en/news-media/blogs/data-protection-and-covid-19.
[7] Links to other authorities' guidance are accessible here.
[8] https://www.debevoise.com/insights/publications/2020/03/us-legal-considerations-for-remote-work.
[9] GDPR Articles 5(1)(f) and 32.
[10] https://www.debevoise.com/insights/publications/2020/03/debevoise-coronavirus-checklists-cybersecurity.
[11] https://ico.org.uk/for-organisations/data-protection-and-coronavirus/.
[12] https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html.
[13] https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[14] https://ico.org.uk/for-organisations/data-protection-and-coronavirus/.
[15] https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles.
[16] https://dataprotection.ie/en/news-media/blogs/data-protection-and-covid-19.
[17] GDPR Articles 5(2) and 30.
[18] GDPR Article 9(2)(i).
[19] GDPR Article 9(2)(b).
[20] https://ico.org.uk/for-organisations/data-protection-and-coronavirus/.