We first sent out this alert on 9 March and we’re updating it with some announcements from regulators in other countries and with some of the questions we’ve been asked by our clients.
There have been lots of alerts recently on the possible effects of the Coronavirus (COVID-19), but one often overlooked aspect is the data protection implications of an organisation’s relationship with its employees in particular. Some data protection specific terms used in this note are explained at www.bit.ly/gdprwords
What is the issue?
It seems that a number of organisations are asking third parties to help manage employee health. This might involve using third parties to do health screening, analyse travel records or install apps asking employees to input their data for analysis. In some cases, in order to respond quickly, organisations are not doing their usual supplier due diligence.
As a reminder health data is special category data under GDPR Article 9 (it was called sensitive personal data prior to GDPR). So handling health data requires special care under GDPR. There are a number of ways to legitimize the handling of health data but most of these possible bases are subject to a necessity test. Necessity means what it says – some apps or third party providers offer ways of processing which are convenient but there may be less data protection intrusive alternatives.
Can’t we just rely on consent?
Some employers seem to be seeking to rely on a data subject’s consent, but in an employee/employer context consent can be problematic (essentially because of the inequality of bargaining power) and it can be withdrawn. As a result consent will not always be the best solution.
What are regulators saying?
It is important to remember that for EU countries whilst GDPR sets out a basic framework local law can differ even within the EU. It is also important to stress that guidance from regulators is just that – we can expect to see litigation and the courts may not follow that guidance. For example an employee disadvantaged as a result of data processed relating to their health may well contemplate litigation alleging that data processing was unlawful.
Some regulators expressed concern about the action of employers quite early in the spread of the virus. For example on 2 March 2020 the Italian DPA published guidance in both English and Italian. Their guidance made it clear that the primary responsibility for collecting health data relating to the virus is with the public health authorities and not with employers. It said:
“employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”
Since then regulators in other countries have also issued statements. In Austria the DPA has issued a reminder that even a step like taking mobile/cell phone numbers from employees could have data protection implications. There are links to some announcements and guidance from DPAs in alphabetical order at the end of this note.
The Chair of the EDPB has also issued guidance at an EU level which you can read here https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en. The EDPB itself followed that up on 19 March 2019 with its own guidance – https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
What about working from home?
Many organisations are now asking employees to work from home – some for the first time. It is important to remember that there are compliance implications here too. Businesses have to take appropriate technical and organizational measures (TOMs) under GDPR to secure personal data. That will include securing the personal data of customers and other employees as well. If you are asking or permitting employees to work from home you will have to make sure that you have the right protections in place for personal data both at the employee’s home and in transit.
If employees are being asked to work on their own personal devices rather than the company’s this can have security and data protection implications too. For example we have had cases in the past where DPAs have intervened after home security software backed up sensitive data into the cloud. There’s an example here https://bit.ly/2vH8dmM. Some software vendors are offering software without charge which might help – see for example here https://resources.trendmicro.com/Work-From-Home-Assistance-Program-UK.html and here https://www.cisco.com/c/en_uk/solutions/collaboration/working-from-home.html.
Again a DPIA can be useful. We have also had experience of doing specific training for working from home and we have produced fact sheets reminding employees of some of the most common security risks – something like a 10 top tips sheet or a short film can get the message across quickly and effectively.
Be aware of the fact that different employees may require different security measures – for example someone with network administrator rights may require extra security around their access.
Phishing attacks are on the rise and employees at home might be especially vulnerable. We’ve expressed concerns before that a lot of ‘off-the-shelf’ phishing training is not fit for purpose. It’s important to make sure employees are trained and that they have regular reminders. Organisations using O365 may be especially vulnerable at this time.
Can I monitor people working at home to make sure they’re working?
This is an area that requires careful handling. Even things like home IP addresses can be personal data – it’s very hard to monitor employees on a truly anonymised basis (for definitions of anonymisation and pseudonymisation see www.bit.ly/gdprwords). Again it’s very likely that you’ll need to do a DPIA and to take proper advice.
What about communications with customers?
The normal rules apply for communications with customers. Be careful about advertising or marketing messages being included in virus-related communications. This might make the message unlawful and some customers won’t like it. We understand that complaints have already been made to DPAs about this. If you need a customer’s details (for example to process a cancellation refund or to check visitors when they come on site) be careful what you ask for and follow the 6 GDPR principles when processing that data.
What can we do to minimise risk?
To minimise risk it is important to consider a number of things including:
There is more information about DPIAs and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav
You can read guidance from DPAs here:
Cordery has helped organisations large and small with DPIA tools, templates and training. There’s a short film on doing DPIAs here http://bit.ly/facedpia.
Please note that we’re trying our best to keep this note up-to-date but to state what should be obvious: Events are moving quickly and you should not act or refrain from acting on the basis of anything in this note. Proper legal advice should be taken. We’re also providing links to third party software in an effort to help organisations cope with the crisis. We have not completed a technical analysis of these products and the inclusion in this note should not be taken as an endorsement or some sort of guarantee that these products will meet your needs.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counselled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multi-national corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).
Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and appeared on BBC News 24 as the studio guest on the Walport Review.
In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, the Middle East and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology, risk and governance matters for more than 20 years. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.
Jonathan is a Solicitor of the Senior Courts of England & Wales. In addition Jonathan is admitted as a Solicitor (non-practising) in Ireland.