Data Breaches

If you process employee or customer data, or indeed anyone’s personal data, then you must take steps (known as organisational and technical measures) to keep it safe, i.e. confidential, free from loss or damage, and available for use when needed.

However, despite your efforts, there may well come a time when you suffer a personal data breach. It’s important to recognise when a breach has occurred and to know what to do.

GDPR defines a breach as “a breach of [your] security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Some examples are:

  • Sending an email containing someone’s personal information to the wrong person.
  • Leaving someone’s personal information on a photocopier where other people can see it.
  • Leaving a voice mail containing personal information about someone with the wrong person.
  • Losing an unencrypted computer.
  • Losing access to personal data following a ransomware attack.
  • A file of papers going up in flames or being destroyed by flood.
  • Selling on a computer without properly erasing the personal data on its hard drive.
  • Hackers gaining access to the HR part of your computer network.

All breaches should be documented, but not all need reporting to the Information Commissioner’s Office (‘ICO’) or to the individual whose data it is. You need to look at the level of risk of harm to the individual as a result of the breach in security. If you do need to report, it must be done without delay and no later than 72 hours from discovery of the breach.

If you fail to report to the ICO, or to notify the individual, when you ought to, then you can be fined by the ICO.

Even if you report, you may still be fined, although it is more likely that you will be told to improve your security practices and how to do so. If you keep having breaches, the ICO may decide to pay you a visit to conduct a security audit.

Breaches and ICO audits are a pain (although with audits some good can come of them).

If you need help to avoid a breach, or you have had one, contact me.

David Campbell

www.dpa-ok.co.uk

20 January 2021

Surveillance of employees

What are the rules around employee surveillance?

This blog is limited to overt surveillance (that is, surveillance that employees know is happening).

If an employer collects or generates any personal data (‘information’) about an employee, then they have to do so in accordance with data protection law. This means complying with the six (seven if you include accountability) principles of data protection.

Employers must:

  • Ensure they have a legal ground to collect, store, consider, share, and generally make use of the information.
  • Ensure that what is done with the information is within the reasonable expectation of the employees.
  • Ensure employees know what is happening with their information.
  • Use the information for legitimate purposes.
  • Ensure that they collect the right information and enough of it, but not too much.
  • Ensure that what they collect and deal with is accurate and kept up to date.
  • Ensure they do not keep it for longer than needed.
  • Ensure that it is kept confidential, that steps are taken to prevent loss or damage, and that it is available for use when needed.

I’ll now expand upon the key points.

How can we do it legally?

Employees cannot consent to surveillance, as consent requires a free “take it or leave it” choice. I would imagine that most employees would feel obliged to agree to surveillance, which isn’t consent.

As such, the legal ground is likely to be that the surveillance is necessary to perform the employment contract, or that it is necessary in the legitimate interests of the employer to know what their employees are doing.

Whatever ground is relied upon, it is good practice, and indeed may be a legal requirement, to undertake a Data Protection Impact Assessment before any surveillance takes place. This will oblige an employer to set out what they are trying to achieve by the surveillance, whether the type of surveillance proposed is in fact necessary, and whether it is what the law refers to as “proportionate”. It will also address risks to the privacy of the employees and inform the employer as to whether the surveillance ought to go ahead and, if so, what should be done to minimise the risk of any privacy harms.

How do we tell employees we are conducting surveillance?

With a Privacy Notice. All of the purpose(s) [including any potential disciplinary action] of processing personal data should be clear, and the lawful ground for doing what the employer proposes to do should be set out. If information is to be shared with anyone, this should also be set out. This notice should be given before any processing takes place.

What should we collect and how much?

Employers need to think about what they are trying to achieve by surveillance. They need to think about what information they need to achieve that purpose, and collect no more than is needed.

How long can an employer keep the information?

It depends on what the information is collected or generated for. As soon as an employer has achieved the purpose and no longer needs it, then it should be erased or destroyed.

What about security?

An employer should look at what information they are processing and how they do so. How is it being stored or shared? An employer should look at what threats to confidentiality or integrity there might be [only those who need to see personal data should do so], and how it might be lost or damaged or its availability affected. They should also consider how likely that is to occur and, if it does, what the consequences for the employee might be. Weighing this up, appropriate organisational and technical measures to address the risk should then be taken.

Can employees see what an employer collects?

Yes – unless an exemption applies (for which see the Data Protection Act 2018), an employee is entitled to a copy of any information that relates to them, as well as other information such as why it has been processed, who it has been shared with, etc. This is known as the right of access.

Data Sharing and the ICO Code of Practice

Whenever an organisation (this could be a business, charity, school, etc.) shares personal data externally, it is deemed to be ‘processing’ it. This means (let’s stick to ordinary personal data for the purposes of this blog) that there has to be a legal ground to do so.

How do we do that?

There are 6 ways in which personal data (information that relates to an identified or identifiable living individual) can potentially be processed.

They are:

  • The individual has given their consent. The UK GDPR has a particular definition of what constitutes consent: it has to be freely given, a “take it or leave it” choice. A typical example might be marketing. Someone knows what they will be sent by an organisation and they tick a box to say they agree.
  • Sharing is necessary for the performance of a contract to which the individual is party, or in order to take steps at their request prior to entering into a contract. Think of buying something online. The retailer may pass your name and address on to a delivery company so that the goods can be transported to you.
  • Sharing is a legal requirement, such as the duty of organisations working in the regulated sector to make ‘Suspicious [money laundering or terrorist financing] Activity Reports’.
  • There is a need to share to protect an individual’s vital interests, or those of another. These are life-and-death situations. Think of someone who says they are going to jump from a bridge. A concerned organisation may pass on that information to the Police.
  • Sharing is necessary as part of a public task or as part of an organisation’s official authority. Many public sector organisations routinely share information, for instance under the National Fraud Initiative.
  • Sharing is necessary to meet the legitimate interests of an organisation or of a third party. An example would be where the Police, engaged in a criminal investigation, contact an organisation to ask for information about an individual who is relevant to the inquiry. This ground requires the sharing party to consider the impact on the privacy of the individual if the information were to be shared. Documenting this exercise by completing a Legitimate Interests Assessment form is good practice.

Organisations that process personal data should, by now, have a Record of Processing Activities which sets out what personal data they share, whose it is, who it is shared with, and what the legal basis (or bases) for doing so is. This is what the UK GDPR refers to as ‘accountability’.

Is that all there is to it?

As well as having a legal ground to share information, an organisation should do so fairly and transparently. An individual shouldn’t be surprised that their information has been shared with a third party [although there are circumstances when personal data can be shared without the knowledge of an individual]. Indeed, any recipients of an individual’s personal data should be listed on the Privacy Notice given to the individual.

There are other principles that relate to the sharing (‘processing’) of personal data. The key ones are that you should only share the minimum amount of personal data you need to share in order to achieve the purpose of sharing, and that what is shared is accurate and up to date. Also, the organisation sharing has to take appropriate measures to keep the personal data confidential when sharing and to ensure it is not lost or damaged whilst doing so.

The Code

The Information Commissioner’s Office has recently [December 2020] issued a Code of Practice in relation to data sharing. That Office will look at what the code says when deciding if the person sharing has complied with their obligations under the law. It focuses on sharing between Independent Controllers (those who individually determine what is done with data and how it is processed) and on Joint Controller situations (where two or more controllers together determine what is to be done and how).

Some sharing is routine. In these situations, it is wise (and in Joint Controller situations a legal requirement) to have a Data Sharing Agreement. This is, as it sounds, an agreement setting out the purposes of the sharing and the respective obligations of the parties in respect of the personal data. It also sets out who will be responsible for dealing with any requests by individuals seeking to exercise their data protection rights, such as to secure access to their data or to have it erased. The code provides more information as to what should be in a Data Sharing Agreement.

In one-off situations it is wise to document the process by requiring organisations who want the personal data to set out what they want and why they want it. The other party can then consider the request and, whatever the decision, record it and the reasoning behind it. This will be useful if the ICO ever investigates a complaint made by an individual about data sharing.

The ICO recommends that if you plan to share information, you undertake a Data Protection Impact Assessment [‘DPIA’]. This should be done before any final decision to share. The law sets out when one is legally required: when there is a high risk of harm to an individual (or individuals) from the proposed processing (sharing).

The ICO recommends that a DPIA be carried out even if not legally required. A DPIA is a way of identifying what might go wrong, privacy-wise, when data is shared, the likelihood of it occurring, the harm that might result and, if it did, how severe it would be. Knowing the risks, the parties involved in the sharing can then work to put in measures to do away with the risk or to reduce it to an acceptable level.

The code provides a handy checklist to go through when considering sharing personal data.

Conclusion

Think carefully before you share personal data. Get it wrong and you could face an ICO investigation, claims by harmed individuals for compensation, and damage to your reputation.

The link between Information Security and Data Protection

As of 1 January this year, UK law that is concerned with the security of personal data (and what happens when things go wrong) is contained within the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. The law is concerned with personal data: any information that relates to an identified or identifiable living individual.

If a Data Controller [someone who determines what is done with personal data and how it is dealt with] or Data Processor [someone who processes personal data on behalf of a Controller] fails to comply with the law (and there are lots of compliance obligations), then the Information Commissioner’s Office (‘ICO’) may take enforcement action against them. In the most serious cases this can result in a fine.

Affected individuals, known as ‘data subjects’, can also seek compensation for any harm that they suffer. There will also likely be reputational damage if a failure to comply with the law becomes public knowledge, as well as a loss of organisational time spent dealing with issues and putting matters right.

However, information is a wider term than mere personal data. It includes personal data but will also include things such as intellectual property, corporate financial information, business plans or research.

Information security seeks to ensure that all information that actually needs securing, whether in electronic or hard copy form, is secured.

On the other hand, data protection is about how to handle personal data in accordance with the data protection laws, i.e., how to lawfully process personal data, how to secure valid consent, the data protection rights of individuals, the need for contracts, when to undertake a Data Protection Impact Assessment, how to transfer personal data overseas, etc.

The disciplines do overlap, as the UK GDPR places an obligation on a Data Controller (anyone who employs staff or has individuals as customers, schools, membership organisations and so on) to process personal data in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. A Data Controller must protect personal data using appropriate technical or organisational measures.

The UK GDPR does not tell a Data Controller what technical (or organisational) measures are appropriate. This is because security is not a ‘one size fits all’ exercise. Every organisation that processes personal data is different, and it is for the organisation to assess risk and to decide what is appropriate.

What is appropriate requires an assessment of what types of personal data are processed by the organisation and their sensitivity and criticality to the organisation. Regard should be had to how the personal data is processed and what could ‘go wrong’. Any existing vulnerabilities and threats to the personal data should be identified, as well as the likelihood of any threat materialising and, if it did, the impact upon the individuals concerned. Cost of implementation also plays a part.

Weighing all of the above up, what is appropriate to protect the personal data (and to restore availability of and access to it in the event of an incident) can then be determined.

For technical measures, a cyber security specialist can assist. Organisational measures include staff training and policies, procedures, and guidance as to what to do and not do.

A failure to have appropriate information security impacts upon data protection, as the law is concerned with the privacy of individuals. If there is unauthorised access to or disclosure of personal data, or it is lost or damaged in some way, then this impacts upon privacy and may cause harm to individuals.

The following specific UK GDPR obligations also have a bearing on information (personal data) security:

1) only collecting (and thus securing) the personal data that is needed, collecting the right data, ensuring it is not kept for longer than needed and, of course, maintaining Confidentiality, Integrity and Availability;

2) the need for Privacy by Design, i.e., considering security and how it ensures privacy at the design stage, before any processing gets underway;

3) the need to undertake Data Protection Impact Assessments in certain circumstances – these can be used to identify risks to personal data and appropriate control measures;

4) the need for documented agreements when two or more controllers work together, to focus the minds of the parties on their obligations and security;

5) the need to undertake security due diligence on data processors, the right to inspect them and the need for contracts;

6) when things go wrong – assessing the risk of harm to individuals, potentially notifying the ICO, communicating with affected individuals and dealing with any investigation by the ICO.

Data Protection during Coronavirus

Some organisations may not know, or may be unclear, how to deal with people’s personal data during the pandemic. This article aims to clarify matters.

What the law says

The first point to appreciate is that UK law only applies to personal data. That is any information that relates to [is ‘about’] an identified person or a person who is identifiable. The law gives a long definition, but someone is identifiable if they can be identified directly or indirectly through an identifier such as, in particular, their name, an identification number [national insurance/ NHS number?], data about where they are located [many of us have smart phones that track our whereabouts], or an online identifier such as an IP address.

The next point to appreciate is that the law applies to the ‘processing’ of personal data. Again, the law provides a long definition, but you are likely to be processing personal data if you collect it, consider it, alter it, store it, share it or erase/destroy it.

The law places obligations on ‘Data Controllers’. These are individuals or organisations who decide what to do with the personal data they collect, come into possession of or generate, and how to process it. An organisation will be a Controller if it employs staff, as it will collect employee personal data for particular purposes and generate more of it during the employment relationship.

There is a higher risk category of personal data that is relevant to Coronavirus: ‘data concerning health’. This is personal data related to the physical or mental health of a person. This could be the employee or a member of their family. It also includes the provision of health care services which reveal information about health status. Controllers need to take extra care of this kind of personal data (for instance, the fact that someone has symptoms of the virus, has it, or is or has been receiving treatment).

When a Controller processes personal data, they have to do so in accordance with six ‘principles’. The aim of these principles is to avoid harm to the person whose data is being processed. They are (simplified for the purposes of this article, and with an explanation where necessary following each) that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner.

This means that when you carry out any processing activity, such as collecting or sharing personal data, you must do so in accordance with the law, particularly the UK GDPR; in a way that the person might reasonably expect; and by being ‘up front’ about your use of the data. The law sets out the 6 ways that ‘ordinary’ personal data can be processed and the (additional) ways that special health data can be processed.

(b) collected for specified, explicit and legitimate purposes

This means being very clear with a person as to what you are doing with their data, and using it in a proper manner.

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

This means collecting the right information, and enough of it, but no more than you need.

(d) accurate and, where necessary, kept up to date

Speaks for itself: data that is not accurate or is out of date has less value, or potentially none.

(e) kept for no longer than is necessary

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures

This requires a Controller to assess the likelihood of harm arising from what they are doing with the data and how severe that harm might be to the person whose data it is, and then to put in place measures to remove the risk or reduce it to an acceptable level.

Finally, Controllers are required to be able to prove that they are processing in line with the principles. This is what the law refers to as being ‘accountable’.

What to do

Employers who process employee personal data in connection with Coronavirus should:

  • Ensure that their employee privacy notice is clear as to the purposes for which the employer wishes to process the employee’s personal data. It should also set out such things (and more) as how they lawfully intend to process the data, who they might share information with and how long they intend to keep the data.
  • As a general rule, ensure that they only use the data for the purpose(s) they said they would use it for.
  • Ensure that they collect enough of the right information from employees, and no more than is needed to achieve the employer’s purpose(s).
  • Ensure that any data collected is accurate and up to date. Employers may need to ask employees to periodically check the information held about them.
  • Think about why they are collecting the employee’s information, and erase/destroy it when it is no longer needed; and
  • Think about what could go wrong (that might result in harm to an employee) when they process personal data, the chances of that harm arising and how bad it might be. Then put in measures to do away with the harm or to reduce it to an acceptable level.

Accountability

One of the ways that an employer can prove that they process personal data in accordance with the principles is by:

  1. asking themselves if they actually need to process personal data and, if so, how much they need as a minimum in order to achieve their purpose(s);
  2. creating a ‘Record of [their] Processing Activities’. This is a legal requirement in many cases and is a document that sets out whose data is being processed, why, what types of data are being processed, who the data is to be shared with, how long it is to be kept for and how data is kept safe and secure. An employer can also record how they lawfully process the data;
  3. implementing policies and procedures governing how personal data is to be handled and protected;
  4. drafting fit-for-purpose privacy notices;
  5. conducting a Data Protection Impact Assessment if there is a high risk of harm to employees from the processing to be undertaken. Such assessments should be carried out before any processing occurs and can assist with the identification of measures [like a health and safety risk assessment] to do away with or reduce risk;
  6. knowing how to respond should an employee seek to exercise one of their data protection rights, such as the right of access. Generally, an employer only has a month to deal with the request and cannot levy a charge.

The Trade Deal, Data Protection, and the end of the Transition Period

I blogged previously on changes to data protection at the end of the transition period – 11 pm on 31 December 2020.

I advised UK organisations who received personal data from Europe that any transfers of personal data to them from 1 January could only occur if the European GDPR allowed it. I advised organisations to look at entering into ‘Standard Contractual Clauses’ with the organisations in Europe they rely upon to send personal data to the UK.

That advice needs to be revised, as on Christmas Eve the UK reached a Trade and Cooperation Agreement with the EU. Part of the agreement related to the continued flow of personal data from Europe to the UK.

The deal will be welcomed, but it has not permanently resolved the issue of how personal data can lawfully flow from Europe to the UK; it just kicks the can down the road for a period of four (possibly six) months. During that period the EU has agreed that personal data can be sent to the UK as before. In return, the UK is not allowed to exercise certain powers that it would otherwise have been able to exercise, such as recognising other countries as having adequate data protection or issuing its own version of the above Standard Contractual Clauses [SCCs].

The UK is still hoping to secure a finding of ‘adequacy’ from the EU. This is a formal recognition that the UK’s data protection regime meets the standards required by Europe. Securing such a finding at all, never mind within the next few months, is not guaranteed. As before, organisations may wish for certainty and speak to those with whom they have relationships in Europe about entering into SCCs to ensure that personal data can continue to be sent to the UK after the end of the above extension period.

So, what is the law now?

When the transition period ends, the European version of the GDPR will be retained in UK law but will be immediately amended. What results will be known as the UK GDPR. There will also be changes made to the UK’s Data Protection Act 2018. This Act supplements the GDPR. Organisations will need to comply with both of these laws when processing personal data, as well as others such as the 2003 privacy regulations that deal with, amongst other issues, ‘cookies’ and marketing by electronic means.

What about sending personal data out of the UK?

UK legislation sets out how personal data can be lawfully sent out of the UK.

It can be sent to Europe (except Switzerland) as before.

It can also be freely sent to all of the countries that the EU previously deemed to have adequate data protection regimes. These are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland, and Uruguay. As regards sending personal data to the UK, many of these countries have already made declarations that, regardless of the end of the transition period, they will still send personal data as before.

The UK has also recognised the use of the current EC-approved SCCs as an appropriate safeguard when sending personal data out of the UK [disregarding Europe and the countries listed above] or, for larger organisations that have a number of companies within a group, the use of what are known as Binding Corporate Rules.

Has the European GDPR gone for good?

No – UK organisations who offer goods or services to individuals in Europe (or monitor them) must still comply with the European GDPR and, as such, may need to appoint an EU Data Protection Representative.

What about the UK GDPR?

Organisations outside the UK who offer goods or services to individuals in the UK (or monitor them) need to comply with the UK GDPR and may need to appoint a UK Data Protection Representative.