COVID-19 has prompted many businesses to re-assess the way that they work. Working from home for an extended period, adjustments to office space to enable social distancing and the introduction of measures to minimise health risks to employees are challenges faced by the majority of businesses. One aspect of addressing these challenges which may be forgotten is the impact on data protection. Raj Shah looks at the value of a Data Protection Impact Assessment.
6 August 2020
Even the UK government has apparently overlooked the implications when designing its track and trace programme.
Article 35(1) of the General Data Protection Regulation (GDPR), as applied in the UK under the Data Protection Act 2018, states:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
What this means is that businesses should give careful thought, when planning and implementing any new project or introducing any major new system or software, to the likely effect on individuals and their personal data. Personal data includes anything that identifies a specific person. So, for example, if an employer decides that in order to re-open its office it needs to introduce a system of temperature tests on all employees and visitors, in order to detect possible COVID-19 sufferers and minimise the risk of the spread of the disease, it will need to carry out a Data Protection Impact Assessment (DPIA) first.
This is a clear example where a high risk to the rights and freedoms of individuals is likely, since temperature testing will produce data related to the health of individuals, and health data is “special category” or sensitive data. That means it can only be processed if specific safeguards are in place to ensure privacy and confidentiality.
Other examples are set out in Recital 75 of the GDPR. These include (but aren’t limited to):
Widespread working from home could potentially lead to increased data protection risks under one or more of the above headings. Staff should be reminded of their obligations to follow data protection policies and procedures, and to report actual or suspected data breaches as soon as possible. Many businesses moved to remote working very quickly and without time to prepare and consider additional risks that might arise, so in those circumstances they should now look at the possible risks with the benefit of the past few months’ experience and address issues that have already arisen or those where the risk profile seems to have increased.
Any business which deals with large numbers of individual customers and/or whose services require the collection of sensitive data should consider whether remote working or the introduction of any new process or procedure could result in a high risk to individuals’ rights and freedoms. If so, a DPIA should be carried out without delay, especially as the output of a DPIA can help businesses demonstrate their compliance with the GDPR’s requirement of accountability.
Unless you can answer NO to all of these, you will need to carry out a DPIA. This will describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.
If so, you must consult the ICO before starting the processing. The ICO will normally respond with written advice within 8 weeks.
If you have any questions about whether you need to carry out a DPIA, or how to go about it, or if you need any help with gathering the necessary data, the Collyer Bristow Data Privacy Team can help.