Coronavirus: Data protection risk in a time of health monitoring, data sharing and mass home working
It's fair to say that priorities have (quite rightly) shifted for almost every person and business on the planet in the last few weeks and months.
There are a multitude of fascinating but fairly esoteric or academic talking points in the context of privacy, open data and Coronavirus (in particular, see Yuval Noah Harari in the FT on 20 March). But in practical and business risk terms, what are the bear traps? How can businesses avoid them?
In this note, we look at how, in practical terms, businesses can manage new or increased data protection risk in the most uncertain of times.
In summary (with much more detail and practical advice below):
- There are some practical easy-wins in terms of mitigating the additional information security risks created by sudden and unplanned working from home at scale. Some of it is very basic (refresh training, consider hard and soft copy data storage, identify where staff might look for 'workarounds'), other areas will need more thought.
- The fraudsters and cyber-criminals are out in force and on this front, awareness-raising could be your best preventative risk mitigation measure.
- Transparency, proactivity and referring back to your core principles will give you the best chance of ensuring good day to day data risk management whilst operating with skeleton resources.
- Proportionality and processes will be key when it comes to collecting and sharing staff/visitors' health-related data.
- In the context of a rapidly accelerated move to digital service provision, you will need to focus on the basics and make sure that the consumer-facing documents and processes are fit for purpose.
The (relatively) obvious risk: increased working from home
The risk:
Even businesses that are used to agile and remote working may need to deploy new tech at speed. For other organisations, this will be the first real 'test' of working remotely at scale. Data protection law won't prohibit this. But it is important to remember that skimping on testing, skimping on security, diverting information security resource to more operations-focused roles may create technical and operational security vulnerabilities (e.g. employees creating their own 'workarounds' if IT teams are busy, relaxing the processes around verification of new or free tech solutions). Further, whilst data protection regulators across the globe are keen to point out that they will be pragmatic about the circumstances, there's no 'free pass' to cut corners just because of the crisis that businesses find themselves in.
The guidance:
The UK's National Cyber Security Centre (NCSC) has issued best practice guidance to help businesses to prepare for an increase in home and remote working. This recommends steps to take if your organisation is introducing (or scaling up the amount of) home working to help manage the cyber security risks. It's a really good reminder of some of the basics and is worth sharing widely.
What to do:
- It might sound glib, but this is unfortunately just yet another juggling ball that businesses will need to keep in the air.
- Some elements won't be new. For example, accept that you might need to refresh training for staff, increase VPN provision, increase capacity to scan for vulnerable 'endpoint' devices, enhance or accelerate security patching procedures, improve encryption practices.
- However, you might find you need to consider brand new issues. For example, you may suddenly find that staff need to use their own devices for connectivity while the business sources more hardware. Or you may find that you're suddenly having to rely on portable storage devices to transmit data. Don't jump into this without at least pausing to consider what risks might arise and how you can identify and mitigate them in advance. You may not need (or have time for) formal impact assessments, but make sure you document your 'thinking' as an organisation and that you leave yourself a paper trail to explain the risk mitigation measures you took at the time.
- Remember that it's also not just about cyber risk – with increased working from home, you'll probably need to remind staff to shred sensitive or personal data and not to put hard copies in the 'normal' post.
- On a slightly separate note, remember that employee monitoring rules that apply in the workplace will continue to apply whilst people are working at home (if not even more so). Don't be tempted to monitor performance, presence or productivity in new or different ways without first considering the data protection (and employment law) implications as this could create significant regulatory and legal risk for the business.
Cyber risk: hostile actors taking advantage of a crisis
The risk:
Leading hacker groups have (generously?!) indicated that they will no longer target healthcare providers during the Covid crisis - though let's all accept that fraudsters and hostile actors are not necessarily known for their integrity or reliability in a crisis.
The WHO, the NCSC and major hospitals have all been subject to attacks in recent weeks. Template Covid-related "phishing" emails are available to purchase, and hundreds of Covid related domain names have been registered and are hosting unsafe/insecure hostile sites. This is not the time to let your guard down.
The guidance:
The notes above relating to information security in general are of course relevant here. Specifically, the NCSC has produced a new e-learning training package "Stay Safe Online: Top Tips for Staff". The training is free, does not require a log-in and its content can be applied to any organisation, regardless of size or sector. This can be completed online or built into organisations' training platform and may be useful as a refresher or to refocus minds on security despite the dramatic changes to many people's working lives.
What to do:
- Remind staff of the absolute basics in terms of not clicking on links, verifying email senders' details by phone before actioning requests received by email, not looking for workarounds or circumventing the business's usual data access and storage procedures. Everyone should consider this period a 'higher risk' time than normal.
- Re-train staff, including by using the NCSC training above as a supplementary/refresher training module. It's free, accessible and very recently created with current threats in mind.
- Talk to other industry participators. Keep up to date on what others are experiencing. There is great value in simple awareness when it comes to cyber/hostile threats.
Governance in a pandemic – operating with skeleton resource
The risk:
Even those organisations with beautifully documented and diligently implemented policies and processes will be struggling to maintain BAU levels of data protection focused governance. Post rooms are unmanned, comms teams have new priorities, and IT, Legal and HR teams are working around the clock to keep businesses going. This can obviously lead to even well-established processes being missed, delayed or abandoned – critical and potentially high profile processes such as identifying and responding to subject access requests or even early detection of a data breach. There's clearly commercial and reputational risk here, and businesses need to keep in mind that the Covid crisis hasn't 'paused' the normally applicable legal and regulatory risks too. Businesses could (and probably will) find themselves the subject of regulatory enforcement and litigation as a result of failings during this unusual time.
The guidance:
A number of data protection supervisors have issued statements recognising the challenges that data controllers are facing and that these challenges will reasonably require a diversion of resources. However, it is unlikely that any statutory timescales will be extended (the UK's ICO and Ireland's DPC have said as much). The Irish DPC's statement recognises that "unavoidable" delays may occur, and specifically calls out healthcare related organisations as being likely to experience issues in complying with deadlines. The UK's ICO will be publicising the fact that data subjects should expect delays given the issues that businesses are dealing with.
What to do:
Transparency, proactivity and sticking to your core governance principles and processes will be key here. Get ahead by considering really practical steps. For example:
- If your post rooms aren't open/staffed, publicise this on your websites or social channels.
- If your social channels or customer service inboxes aren't being monitored as closely, put notices up on websites or email customers to let them know.
- Set up 'auto reply' messages to incoming communications to tell people to expect delays for the foreseeable future (but don't treat this as a green light to just ignore the incoming communications).
- Treat SARs and other rights requests as a dialogue with the individual – be open with them about the efforts that you are making and the limitations that you're experiencing. For example, you might be able to search and provide digital files but not search or provide data stored in hard copy for the time being.
- Ask yourself the question: "what can we do?". If you can deliver on your core data protection-related policy positions by alternative, varied means then consider all options on the table and look for opportunities to mitigate risk even if you can't meet your own usual best practice standards.
- Don't bury your head in the sand if things mount up – like most issues, they'll only escalate if left without attention!
Collecting and sharing health data of staff or visitors
The risk:
At every level, organisations are collecting health data at a scale and speed not seen before. For the majority of organisations (leaving aside those organisations in the field of collecting, interpreting, using or sharing the massive scale data sets informing government level policy), this means collecting and possibly sharing health data of employees and 'visitors' (a catch-all term for third parties with whom a business may come into contact).
For example, most businesses may at least be tracking whether individuals have Covid-19 symptoms or are in a high-risk category in terms of the severity of the impact of the virus.
Clearly, health data features at the 'high risk' end of the data risk spectrum – it is "special category" data and therefore requires special protection. Collecting health data in the first place (plus any subsequent use, sharing or retention of it) requires additional thought or businesses risk falling foul of the most fundamental of their data protection obligations and possibly attracting regulatory enforcement action down the line.
The guidance:
Many data protection regulators around the world have issued statements or guidance on this issue. The UK's ICO and Ireland's DPC have issued some limited but practical FAQs/dos and don'ts for businesses on their websites and these are worth reviewing.
What to do:
- Don't collect more information than you need – this is not the time (or type of data) for 'nice to haves'. For example, whilst it's likely that you'll be justified in collecting information about those who have symptoms or confirmed cases of the virus (and possibly even requiring it in the UK – though that won't be the case in some other territories), it's likely to be disproportionate in most cases to ask employees to give you frequent health updates or to ask all visitors to fill in questionnaires or provide health information.
- Avoid sharing information about individuals' existing health conditions (including mental health conditions) amongst colleagues or third parties since this is likely to be disproportionate and therefore legally unjustifiable.
- It's unlikely that you'll need to name individuals diagnosed with Covid-19 or displaying symptoms (though you may need to tell employees about any confirmed cases in an anonymous/general way).
- Make it clear to employees how they can report symptoms confidentially, and make sure that staff are updated about how that reported information will be used (and – crucially in the context of making sure that people are confident to report – how that information will not be used).
- Make sure you keep a paper trail – whether that's by way of formal impact assessment or otherwise (i.e. don't lose sight of your usual best practices, given the type of data at stake).
Rapid acceleration of the move to digital service provision
The risk:
For lots of reasons, Covid-19 has led to an increase in demand for online services, such as online banking, shopping, socialising, exercising (you name it) in view of the government's guidance to self-isolate and apply social distance to slow the spread of the virus.
Clearly, for some organisations this is a completely new foray into digital services, while for others this will result in higher volumes of digital collection and processing of personal data than ever before. There may be some businesses who find that their documents and processes are simply not fit for purpose, whether that's privacy policies, consent processes, cookie practices and policies, CRM functionality and so on. Organisations that were previously 'flying under the radar' may find themselves in the cross hairs.
The guidance:
This issue probably falls under the same general "you don't have a free pass but we recognise the extraordinary circumstances" (or thereabouts) guidance issued by a number of data protection regulators across the world.
In reality, it's a case of business as usual here – all legal and regulatory data protections obligations will apply as normal, notwithstanding that businesses may not have anticipated the rapid digital transformation or digital escalation that they've been forced to undertake in a matter of mere weeks.
What to do:
- Go for the easy wins and get the basics right. Make sure you are being transparent with consumers about what data you're collecting and how it's being used. For example, a really good (i.e. in genuinely plain language and bespoke) privacy policy goes a long way. Make any consent language really clear and straightforward.
- Talk to suppliers. For example, make sure you know what tracking technology your web developer has deployed, make sure you know what hosting providers are delivering services in your data/digital supply chain.
- Whilst nobody is in fully-fledged sales mode right now, if you've got one eye on the future and if you are planning to turn this into opportunity, invest the time as soon as you reasonably can to make sure that you're building a useable and strategically valuable dataset. That might mean (once resource and focus allows) carrying out data protection impact assessments and building proper data governance structures – don't put this off for longer than you have to otherwise you risk missing out on opportunity when your business is ready to focus on the long term future again.
If you have any queries and would like to get in touch with us, a coordinated team of experts are leading our support and can be contacted collectively using our dedicated inbox: [email protected].