Welcome back to Part Two of ‘Coronavirus and Employee Health Data’!
If you haven’t read Part One, just head over there now and come back after.
You can also watch our free video ‘Coronavirus & Employee Data Part 2’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Right we’ll pick up where we left off and the next topic.
As health data is special categories, this flags we need to be particularly careful about the legal basis or bases for our processing.
Because it’s special categories, you not only need a core lawful basis under Article 6, you also need another basis under Article 9.
Now, under Article 6, your legal basis is probably going to be legitimate interests. You can’t really use consent as it’s almost impossible to rely on consent in employment situations. Employees are unlikely to have any choice here.
You might have a legal obligation as well if there’s an emergency law in place, as there is in New Zealand for all businesses to collect information about their employees. But bear in mind that the legal obligation may not cover all of the data that you’re looking to collect, so you may be wanting to add a second purpose into your DPIA.
Now, while you may well be able to use the same DPIA for both, you’ll probably benefit from separating them out into 2 separate DPIAs.
Given the risk levels, and you’re likely to rely on legitimate interests, you do need to write down a Legitimate Interest Assessment or LIA. Don’t panic! You’ve got lots of information in your lovely DPIA which will form the basis. But it is a separate balancing test – that your legitimate interests are not overridden by the rights and freedoms of the data subject.
Onto Article 9 – well, as an employer, you’ve got health and safety obligations under law. So your additional legal basis under Article 9 is the second ground in 9(2)(b): necessary for those obligations. If you’re in the UK and you’re looking at the UK 2018 Act, this is in condition 1 of Schedule 1.
OK, we’ve established the legal bases. We’ve dealt with the lawfulness part of GDPR’s 1st Principle, and it gives us our 6th Key Step for your DPIA: make a note of those legal bases in your DPIA.
Now, let’s look at the ICO’s 5th Step and GDPR’s 6th Principle, Security.
You’ve already looked at risks and measures you’re putting in place, which may well have been technical as well as organisational. But now you’ll really focus on how you’re going to secure that personal data.
You’ll look, in GDPR-speak, at the appropriate technical and organisational measures, and appropriate is appropriate to the risk to data subjects, and it’s going to be quite high, because the risk is high.
So, for example, we don’t recommend using paper if you can avoid it. It can be left lying around and easily lost. We recommend collecting it electronically from the start. Lots of ways to do this of various sophistication. It’s really easy to create a form in G-Suite or Office 365 for each person that connects over a secure network and can go into a secure folder, and you can put least-privilege access on it.
Now we mentioned least-privilege access, so just making sure only those people who need to see it, can see it. Password-protect it. Put 2 Factor Authentication on it for sure.
And you’ll also need to consider who you’re sharing it with outside your organisation and why. If you do store it in GDrive or OneDrive, then Google or Microsoft will be your processor. Maybe you’ve got a consultant who’s going to look at this and help you? They’ll be a processor too.
This is our 7th Key Step for your DPIA: write down the people you’re sharing it with, whether they’re processors, controllers, or maybe joint controllers. If you have a legal obligation to potentially share this with the authorities, then put that down too.
Now, you should have an Information Security Policy and Procedures you can leverage for these measures, and you can talk to your IT and Security colleagues or your Managed Service Provider for example, your MSP, who helps you with this, to get the right technology and security set-up in place.
The end game is to put in place sufficient, appropriate technical and organisational measures so that your processing no longer represents a likely high risk to data subjects, and you can proceed with that processing.
Of course, we want to bring that down as low as we can make it. If you haven’t reached that point, go back and review your measures, maybe change the way you’re going to be doing things, put more measures in place until you’ve done it.
And this is our 8th Key Step for your DPIA: record those appropriate technical and organisational measures in your DPIA.
And now we’ve addressed GDPR’s 6th Principle, Security. OK, OK: ‘integrity and confidentiality’.
Now, the UK ICO’s 5th Step also takes us onto retention, and the UK ICO reminds us it’s good practice to have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or anonymised. Now you won’t need to retain much of this information for very long, if it all – you’re likely to be reacting to it immediately and refreshing it periodically.
Obviously, look at any legal obligation on retention first. Maybe the emergency law states a time period. But consider exactly how long it’s really necessary for you to keep it for, and then delete it after that time or anonymise it.
We’ve now also addressed GDPR’s 5th Principle: storage limitation, and our 9th Key Step for your DPIA: make a note in your DPIA of your retention policy and how you’re going to achieve it.
So let’s round up: you’ve done a risk assessment, you’ve identified appropriate measures, made sure they lead to the minimum personal data being collected for your stated purpose, it’s all necessary and proportionate, you’ve done a Legitimate Interest Assessment, you’ve identified who you’re sharing it with, how you’re going to secure it, and how you’re going to destroy it at end of life.
You’re now ready to talk to your staff – which brings us to our last segment: Data Subject Rights, and the last two steps from the UK ICO.
You’ll need to draft a Privacy Notice to give to employees and others whose personal data you’re collecting. Now, we won’t go into Privacy Notices in detail, but you’ll find you’ve got most of the information you need in your draft DPIA. It’s a case of presenting it in a clear and appropriate manner and clear language.
Those Privacy Notices will also tell those individuals how they can exercise their rights to see what data you’ve got, for example, get a copy of it, maybe erase it, etc. So be prepared on how to react to those requests, whether and how to fulfill them.
And a quick note: it’s not obviously just about Privacy. So, for example, in the UK, under Health and Safety law, employees have their own duty to take reasonable care for their own health and safety as well as that of other people. You could create a separate document on that. This has got to be considered in the round. We’ve got some links to that in the notes.
We’ve now addressed the transparency part of GDPR’s 1st Principle and we’ve reached our last and 10th Key Step for your DPIA: make a note in your draft of how you’ll tell people about the processing, about their rights, and how you’ll be able to fulfill them.
So there you are! We’ve gone through the GDPR’s 7 Principles, the UK ICO’s 6 Steps, and we’ve pretty well completed your DPIA with 10 Key Steps, you just need to finish it off, including liaising with your DPO.
Now, it’s very easy to get your head twisted into a ‘GDPR bucket’, so it’s important to take a step back now and then and just use those common sense and sort of reasonableness views:
Do look at the UK ICO’s further guidance, it’s really good, and that will change as the situation in the UK changes. Look at the amazing work by the New Zealand Privacy Commissioner. And there’s also links below to other guidance from the Law Society, the IoD, the Federation of Small Businesses and others.
Please do look at our other Privacy Kitchen videos.
Do visit us at keepabl.com.
Please do use #privacykitchen to tell us the topics and questions you want covered.
Best of luck in your return to work and coronavirus program. Stay well in the meantime, and we’ll see you soon in Privacy Kitchen!
Joint Statement on the right to data protection in the context of the COVID-19 pandemic by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, Strasbourg, 30 March 2020
Contains public sector information licensed under the Open Government Licence v3.0
GDPR applies when we’re working from home just as much as when we’re in the office. Otherwise, it wouldn’t be protecting that personal data. So stick with us as we…