28 August 2020

GDPR in the News

By Naomi Korn and Faye Cheung

Naomi and Faye reflect on the lawfulness of the Government’s Track and Trace systems, discuss protecting personal data post COVID-19 and provide top tips regarding keeping data secure.

Lawfulness of the Government’s Track and Trace Systems

Online security and privacy considerations will underpin the technological solutions transforming the shift to home and remote working in the past five months. Coming out of lock down, track and trace technology is now being used in various countries throughout the world. Whilst no one country seems to have fully resolved the technological issues, privacy obligations also prevail.

The UK’s Information Commissioner, Elizabeth Denham, blogged in April that ““as with any new technology, the public need to have confidence that it is being used in a fair and proportionate way”. She emphasised that data protection law must not get in the way of innovative use of data in this public health emergency.

However, pressure from the Open Rights Group (ORG) has shone the spotlight on the legality of the UK Government’s Track and Trace system regarding compliance under the Data Protection Act 2018 and GDPR. This is because the UK’s Government acknowledged that it did not carry a full Data Protection Impact Assessment (DPIA) for its Track and Trace system. People who test positive are asked to hand over their date of birth, sex, NHS number, email, telephone and Covid-19 symptoms as well as the contact details of those they’ve been around. Carrying out a DIPA for new activities in which personal data, like this, is processed, is a requirement of the GDPR/Data Protection Act 2018 [1].

The GDPR principles provide a robust framework, specifically for how health data is to be used and shared in the appropriate circumstances. This affects all organisations, whatever the size or sector, as there will have been a need to collect personal data for staff and colleagues who were ill, ready for their return to work. Carrying out DPIAs, deleting this data when no longer needed and holding it securely should be now be second nature, in particular in the context of Track and Trace, and providing people with the confidence that such technology does not infringe their privacy.

Protecting Personal Data Post COVID-19

As work places are starting to reopen and more people are beginning to work less from home or remotely, many organisations are considering carrying out tests to see if their staff are displaying symptoms of COVID-19. None the less, the need to comply with data protection laws will still be applicable. Considered carefully and in line with data privacy requirements, it will be possible to share information and adapt to new ways of working. The UK’s Information Commissioners Office recognises these challenges and has provided detailed advice about how organisations can protect personal data, including the carrying out of tests on staff[2].

Example FAQs include:

“When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?

Yes. You will be processing information that relates to an identified or identifiable individual, so, you need to comply with the GDPR and the Data Protection Act 2018. That means handling it lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as ‘special category data’ so it must be even more carefully protected.

Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care.”

Keeping Personal Data Secure

Data protection legislation requires organisations to retain personal data only for as long as it is needed. This will depend on a number of factors including what the purpose of the data is and any legal requirements there are relating to the length of time specific types of data must be kept. For example, financial regulations require pension related data to be kept for as long as an employee is alive regardless of whether they are still working for your organisation. Some personal data collected might have a very limited use, such as information relating to participants who are attending a specific event. In this case, without additional permissions to contact participants in future, organisations would need to delete this data after the event once the business need had completed. The ICO provides guidance about how long personal data should be kept.

Organisations can guard against unintended or accidental loss of data by keeping an additional copy, or back up, of data. There are a number of ways that organisations can do this. Some services will provide automatic backups for you. Organisations should always make sure that they have an appropriate back up in place. Some data that organisations collect might be irreplaceable – for example oral history interviews. Other kinds of data might be prohibitively expensive or time consuming to replace. The NCSC provides a useful guide to backing up data.

This article was first published on Forum Business Media’s GDPR online resource https://www.gdprorb.co.uk/content-partners

Ensure you’re up to date about the latest data protection legislation & learn practical strategies to ensure your organisation remains compliant in our comprehensive 2 part training, Data Protection Officer Workshop. For more details see our training page.

[1] https://www.wired.co.uk/article/nhs-test-and-trace-unlawful-data

[2] https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/testing/