Written by Emma Garland.
Along with pubs, restaurants and places of worship, many businesses have now re-opened after the lockdown and are requiring their staff to return to work. There has been a lot of guidance about how the physical aspect of premises can facilitate a safe return, but it is also important that employers do not forget the need for good data protection practice. Much of the process of leaving the office may have been done hastily, but many of the practices that are now established will be in place for a significant time to come.
In short, the principles are the same as they always have been. Data protection does not prevent employers from using personal data in a new way to ensure both the workplace and employees are safe. However, it is important that the risks associated with new personal data processing activities are recognised and addressed.
Whether an employer wants to create records of staff who are self-isolating, needs information to understand which staff are vulnerable or wants to share data about staff with the NHS, Data Protection Impact Assessments (DPIAs) are an important tool for planning purposes. They will help to clarify the specified aim, the information flow and the risks associated with the processing. The DPIA will require answers to questions such as: What do we want to achieve, and what personal data do we need to do it? What systems are we going to use, and who is responsible for the data? What are the risks to Data Subjects, and how are we going to address them?
Communication is vital. The Information Commissioner’s Office (ICO) states in its blog: “Be clear, open and honest with staff about their data”. There might be changes in policy and procedure which have an impact on processing employee personal data. Employers should consider whether there is a need to update their privacy notices or even create additional ones.
Now is also a good time to think about physical premises and the impact on data security. If employers have implemented a one-way system, does this make it easier for someone to gain access to personal data?
Whatever measures are implemented during and after the pandemic, employees must still be able to exercise their data protection rights. If personal data is not clearly organised across systems, with logical steps in an information flow, then it might not be possible to comply with subject access requests.
Other important steps include amending the organisation’s Record of Processing Activity (RoPA) and the Information Asset Register. Retention periods must also be carefully considered. This is a time of uncertainty, which makes ‘just-in-case’ retention periods tempting, but they should be avoided. There is nothing wrong with telling people that information has been destroyed because it had reached the end of the retention period for the specified purpose for which it was collected.
The Information Commissioner’s Office has produced some further guidance for organisations as they recover from the Coronavirus period.
Emma Garland is a Data Governance Officer at North Yorkshire County Council and a blogger on information rights.