Data protection during COVID-19 DOs and DON’Ts
No doubt your customers have come across many articles advising on how to cope during the COVID-19 crisis. However, it’s not only the physical and mental wellbeing of their staff that they need to look after, but also their company’s ability to prevent security incidents.
With employees working remotely and no longer covered by the security protections the office provides, it can be hard to maintain good habits – particularly amid the uncertainty the pandemic brings to everybody’s home and work lives.
This article aims to keep everybody on the same page by providing useful tips on what to do and, more importantly, what not to do, to ensure your organisation remains safe and secure.
DOs during COVID-19
- Under the GDPR (General Data Protection Regulation), organisations must have a lawful basis for processing personal data – this includes processing personal data to contain the spread of COVID-19. In this context, the following lawful bases may apply:
- Article 9 (2) i) (“processing is necessary for reasons of public interest in the area of public health”), including health data, if organisations are acting on the guidance of authorities and once suitable safeguards are implemented (e.g. limitation on access to the data, strict time limits for erasure, adequate training of the employees involved in the processing).
- Articles 6 (1) c) (employer’s obligation to protect its employees under the Safety, Health and Welfare at Work Act 2005, as amended) and 9 (2) b) of the GDPR provide a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.
- Article 6 (1) d) of the GDPR (processing carried out to protect the vital interests of an individual or other persons), where necessary. A person’s health data may be processed where they are physically or legally incapable of giving their consent, but only in emergency situations, where no other legal basis can be identified.
- Any data processing for the purposes of preventing the spread of COVID-19 must be carried out in a manner that ensures the security of the data.
- Organisations must provide individuals with information about the processing of their personal data.
- Organisations should document any decision-making process regarding measures implemented to manage COVID-19 that involve the processing of personal data.
- Recording of any health information must be justified and limited to what is necessary for an employer to implement health and safety measures. Therefore, only the minimum amount of personal data needed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19 should be processed.
- Employers are required by law to protect the health of their employees and to provide a safe place of work. During the COVID-19 situation, it would be considered acceptable for employers to ask employees and visitors to inform them if they have visited an affected area and/or are experiencing any COVID-19 symptoms.
- Public health authorities may require the disclosure of personal data in the public interest, to protect against serious public health threats. Employers should follow the advice and directions of their public health authorities.
- The identity of affected individuals must not be disclosed to their colleagues or any third parties without a clear justification.
- Employers may inform personnel that there has been a case, or suspected case, of COVID-19 in the organisation, but they must not disclose the employee’s identity. However, public health authorities may require disclosure of this information in order to carry out their functions with regard to providing medical treatment and contact tracing.
As the COVID-19 emergency rages on, GDPR compliance is more critical than ever.
Hackers are already trying to profit from the confusion and difficulty, and it can be hard for your customers, isolated in their homes, to navigate these risks.
Fortunately, we have everything your customers need to cope with these disruptions.
Our mobile solutions are available remotely, so you can address your customers’ cybersecurity worries without jeopardising their physical security.
Those who want guidance on how to help their customers manage their data protection during COVID-19 should take a look at our Samsung Knox and SOTI solutions.