Some organisations may be unsure how to handle people’s personal data during the pandemic. This article aims to clarify matters.
What the law says
The first point to appreciate is that UK data protection law only applies to personal data. That is any information that relates to (is ‘about’) an identified person, or a person who is identifiable. The law gives a long definition, but in short someone is identifiable if they can be identified directly or indirectly through an identifier such as, in particular, their name, an identification number (for example a National Insurance or NHS number), data about where they are located (many of us carry smartphones that track our whereabouts) or an online identifier such as an IP address.
The next point to appreciate is that the law applies to the ‘processing’ of personal data. Again, the law provides a long definition, but you are likely to be processing personal data if you collect it, consider it, alter it, store it, share it or erase or destroy it.
The law places obligations on ‘Data Controllers’. These are the individuals or organisations who decide why and how the personal data they collect, come into possession of or generate is to be processed. Any organisation that employs staff will be a Controller, because it collects employee personal data for particular purposes and generates more of it during the employment relationship.
There is a higher risk category of personal data that is directly relevant to Coronavirus: ‘data concerning health’. This is personal data relating to the physical or mental health of a person, who could be the employee or a member of their family. It also includes information about the provision of health care services where that reveals something about a person’s health status. Controllers need to take extra care with this kind of personal data, for instance the fact that someone has symptoms of the virus, has tested positive, or is or has been receiving treatment.
When a Controller processes personal data they have to do so in accordance with six ‘principles’. The aim of these principles is to avoid harm to the person whose data is being processed. They are (simplified for the purposes of this article, with an explanation where necessary) that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner.
This means that when you carry out any processing activity, such as collecting or sharing personal data, you must do so in accordance with the law (particularly the UK GDPR), in a way that the person might reasonably expect, and by being ‘up front’ about your use of the data. The law sets out six lawful bases on which ‘ordinary’ personal data can be processed and the additional conditions that must also be met before data concerning health can be processed.
(b) collected for specified, explicit and legitimate purposes
This means being very clear with a person about what you are doing with their data, and then using it only in that proper manner.
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
This means collecting the right information, enough of it, but no more than you need.
(d) accurate and, where necessary, kept up to date
Speaks for itself: data that is inaccurate or out of date has less value, or potentially none, and decisions based on it may harm the person concerned.
(e) kept for no longer than is necessary
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures
This requires a Controller to assess the likelihood of harm arising from what they are doing with the data, how severe that harm might be to the person whose data it is, and then to put in place measures to eliminate the risk or reduce it to an acceptable level.
Finally, Controllers are required to be able to demonstrate that they are processing in line with the principles. This is what the law refers to as ‘accountability’.
What to do
Employers who process employee personal data in connection with Coronavirus should:
- Ensure that their employee privacy notice is clear as to the purposes for which the employer wishes to process the employee’s personal data. It should also set out (among other things) the lawful basis on which they intend to process the data, who they might share information with and how long they intend to keep the data.
- As a general rule, ensure that they only use the data for the purpose(s) they said they would use it for.
- Ensure that they collect enough of the right information from employees and no more than is needed to achieve the employer’s purpose(s).
- Ensure that any data collected is accurate and up to date. Employers may need to ask employees to periodically check the information held about them.
- Think about why they are collecting the employee’s information and erase or destroy it when it is no longer needed.
- Think about what could go wrong (that might result in harm to an employee) when they process personal data, the chances of that harm arising and how bad it might be. Then put in place measures to eliminate the harm or to reduce it to an acceptable level.
The ways in which an employer can demonstrate that they process personal data in accordance with the principles include:
- asking themselves whether they actually need to process personal data at all and, if so, the minimum amount needed to achieve their purpose(s)
- creating a ‘Record of [their] Processing Activities’. This is a legal requirement in many cases. It is a document that sets out whose data is being processed, why, what types of data are being processed, who the data is to be shared with, how long it is to be kept for and how it is kept safe and secure. An employer can also record in it the lawful basis on which they process the data.
- implementing policies and procedures governing how personal data is to be handled and protected
- drafting fit-for-purpose privacy notices
- conducting a Data Protection Impact Assessment where the processing to be undertaken carries a high risk of harm to employees. Such an assessment must be carried out before the processing starts and, much like a health and safety risk assessment, helps identify measures to eliminate or reduce the risk
- knowing how to respond should an employee seek to exercise one of their data protection rights, such as the right of access. Generally, an employer has only one month to deal with such a request (extendable only where the request is complex) and cannot charge a fee for doing so.