Making an Impact – The value of a Data Protection Impact Assessment

COVID-19 has prompted many businesses to re-assess the way that they work. Working from home for an extended period, adjustments to office space to enable social distancing and the introduction of measures to minimise health risks to employees are challenges faced by the majority of businesses. One aspect of addressing these challenges which may be forgotten is the impact on data protection. Raj Shah looks at the value of a Data Protection Impact Assessment.

Even the UK government has apparently overlooked the implications when designing its track and trace programme.

Article 35(1) of the General Data Protection Regulation (GDPR), as applied in the UK under the Data Protection Act 2018, states:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

What this means is that businesses should give careful thought, when planning and implementing any new project or introducing any major new system or software, to the likely effect on individuals and their personal data. Personal data includes anything that identifies a specific person. So, for example, if an employer decides that in order to re-open its office it needs to introduce a system of temperature tests on all employees and visitors, in order to detect possible COVID-19 sufferers and minimise the risk of the spread of the disease, it will need to carry out a Data Protection Impact Assessment (DPIA) first.

This is a clear example where a high risk to the rights and freedoms of individuals is likely, since temperature testing will produce data related to the health of individuals, and health data is “special category” or sensitive data. That means it can only be processed if specific safeguards are in place to ensure privacy and confidentiality.

Other examples are set out in Recital 75 of the GDPR. These include (but aren’t limited to):

  • where the processing may give rise to discrimination, identity theft or fraud;
  • where the processing may result in financial loss or loss of confidentiality of personal data protected by professional secrecy;
  • where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
  • where there is processing of ‘special category’ personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures;
  • where personal aspects are evaluated, in particular analysing or predicting aspects concerning work performance, interests, location or movements in order to build personal profiles;
  • where vulnerable persons’ personal data is processed (e.g. children); and
  • where the processing involves a large amount of personal data and affects a large number of data subjects.

Widespread working from home could potentially lead to increased data protection risks under one or more of the above headings. Staff should be reminded of their obligations to follow data protection policies and procedures, and to report actual or suspected data breaches as soon as possible. Many businesses moved to remote working very quickly and without time to prepare and consider additional risks that might arise, so in those circumstances they should now look at the possible risks with the benefit of the past few months’ experience and address issues that have already arisen or those where the risk profile seems to have increased.

Any business which deals with large numbers of individual customers and/or whose services require the collection of sensitive data should consider whether remote working or the introduction of any new process or procedure could result in a high risk to individuals’ rights and freedoms. If so, a DPIA should be carried out without delay, especially as the output of a DPIA can help businesses demonstrate their compliance with the GDPR’s requirement of accountability.

  1. Are you planning to introduce new software or a major new or changed business process? YES/NO
  2. Will the new software / process involve processing personal data? YES/NO
  3. Is that processing likely to result in a high risk to rights and freedoms of individuals, such as processing ‘special category’ personal data, or risks of discrimination, identity theft or fraud, financial loss, damage to reputation, or loss of confidentiality? YES/NO/MAYBE
  4. Is the level of risk either very likely or severe in impact (including low likelihood but severe impact, and high likelihood with mild impact)? YES/NO/MAYBE

Unless you can answer NO to all of these, you will need to carry out a DPIA. This will describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

  5. Have you identified a high risk that you cannot avoid or minimise?

If so, you must consult the ICO before starting the processing. The ICO will normally respond with written advice within 8 weeks.

  6. Have you made a record of your decision-making about conducting a DPIA, including any difference of opinion with your Data Protection Officer or Manager, or any individuals consulted?

If you have any questions about whether you need to carry out a DPIA, or how to go about it, or if you need any help with gathering the necessary data, the Collyer Bristow Data Privacy Team can help.

Authors

Raj Shah

Associate

raj.shah@collyerbristow.com