During the COVID-19 pandemic, customary business policies and practices, including those surrounding Data Protection, are likely to be pushed to the back of a business' mind whilst it focuses its energies on the more immediate challenges the pandemic brings such as the likes of HR and satisfying contractual obligations.
It is important, however, to recognise so far as possible that our responsibilities to protect personal data continue regardless, whether we are working in the security of business offices, or at our kitchen tables at home.
As likely processors of personal data (whether that be the data of employees, clients or customers), businesses must continue to familiarise themselves with data protection commitments during the COVID-19 pandemic. Those being:
- that personal data must be processed lawfully, fairly and in a transparent manner;
- that personal data must be collected for specified, explicit and legitimate purposes;
- that the processing of personal data must be adequate, relevant and limited to what is necessary;
- that the personal data must be accurate and, where necessary, kept up to date;
- the personal data must be kept in a form which permits identification of data subjects for no longer than is necessary; and
- personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
A number of businesses will be turning to paper-light working whilst employees follow Government guidelines on working from home where possible, a way of working which is likely to be unfamiliar to the more traditional companies. Possibly the most critical of data protection principles whilst working from home is the need to ensure that appropriate security (technical and organisational) is still applied to the processing of personal data, especially when reliance is being placed far more on remote forms of communication.
The Information Commissioner's Office has provided some assurances to businesses that it understands the challenges with allocating data protection resources during the pandemic and will not penalise where a company needs to prioritise other areas or adapt its usual practices of compliance.
It is important, however, to recognise that data protection concerns do not act as a barrier to home working, and vice versa, home working is not a justification in the eyes of the ICO to poor data protection practices. It is important to evidence so far as possible that the data protection principles are continually being met.
If you have any questions regarding your data protection obligations and the affect COVID-19 may have on these or the processing of data within your business, please do not hesitate to contact our Business and Commercial team on 01603 620508.