Wednesday, April 22, 2020
In light of the recent developments due to the coronavirus pandemic, many businesses are faced with significant disruptions and challenges when trying to maintain their activity while at the same time following the unprecedented measures taken by the Irish government.
When resources are stretched and the general organisation of the business must be remodelled on short notice, organisations can find it difficult to manage data protection compliance.
The purpose of this note is to provide guidance to organisations with respect to some aspects of data protection in the context of the coronavirus pandemic:
1. Handling data subject requests within the statutory timelines – Do timelines still apply during the COVID pandemic?
Article 12 of the GDPR requires organisations to respond to requests from individuals with respect to their personal data within one month of receiving the request. Where necessary, this timescale can be extended by a further two months, considering the complexity and number of requests.
On the 25th of March, the Irish Data Protection Commission (“DPC”) issued guidance on this topic and took a practical approach by declaring that, while the timelines under the GDPR cannot be changed and remain applicable, the challenges arising from the COVID pandemic may cause understandable and unavoidable delays for organisations.
In its guidance, the DPC recommended that the following approach be taken by organisations having difficulty replying to data subject requests within the statutory timescales:
a. Communicate openly: Organisations should engage with the individuals concerned as soon as possible and keep them informed of the progress made on their request. This includes giving reasons for the delay (e.g. number of requests, complexity of the request) and notifying the individuals when the decision has been made to extend the period for responding by a further two months.
b. Stage your response: As part of its open communication with the individuals, the organisation can opt for a staged reply, providing electronic copies of the information that is available to staff working remotely in the first instance and committing to send hard copies at a later stage.
c. Seek clarifications on the request: Organisations should look for as much detail as possible from the individual regarding the request in order to be clear on what personal data is being referred to and what the individual is specifically asking.
d. Document the process: For accountability and transparency purposes, organisations that cannot address a request in full or in part within the statutory timelines should keep records of the request received, the communications with the individual concerned, the decisions made regarding the request and the reasons for any delay and/or extension.
Regarding its regulatory approach during the COVID crisis with respect to data subject requests, the DPC stated that any extenuating circumstances will be taken into account in the event of a complaint made against an organisation. It is therefore crucial for organisations to document any reasons for a delay in addressing a request and maintain pro-active communication with the individual concerned.
2. Remote working and data security – What measures should organisations take when allowing their employees to work remotely?
A. At organisation level:
Article 32 of the GDPR places an obligation on organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk arising from the organisation’s processing of personal information. The Article specifies that the cost of implementation of such measures should be considered as well as, among other things, the nature, scope, context and purposes of processing.
As part of its strategy to contain the spread and mitigate the effects of COVID-19, the Irish government imposed a number of restrictions under which everyone should stay at home until 5 May 2020 (unless the travel is required to provide a service defined as “essential” in the legislation) and, where possible, work remotely.
In these circumstances, the DPC issued further guidance on 12 March with a view to assisting organisations in complying with their data security obligations when implementing remote working for their staff. The guidance provides practical advice in the following areas:
a. Devices: The guidance places particular emphasis on the risk of unauthorised access to devices containing personal information for which the organisation is responsible. The DPC warns against the risk of an organisation’s staff losing USB drives, phones, laptops or tablets. Such devices should be set up for remote work with appropriate antivirus software and software updates, in line with the organisation’s IT Security Policy and Bring-Your-Own-Device Policy. Effective access controls (e.g. strong passwords) and, where available, encryption should be used to reduce the risk if a device is stolen or misplaced. Organisations should also check whether it is possible to wipe the contents of such devices remotely where they are lost or stolen.
b. Emails: Organisations should ensure that any applicable policy regarding the use of email is followed by their staff. The use of work email accounts rather than personal ones should be encouraged. Where personal accounts are used, contents and attachments should be encrypted to reduce risk. In any case, particular attention should also be paid to the intended recipient(s) to make sure personal data is not shared with the wrong people.
c. Cloud and Network Access: Where possible, the organisation should require its staff to use the organisation’s trusted networks or cloud services only and to ensure that any locally stored data is adequately backed up in a secure manner.
d. Paper Records: Given that personal data in manual form (such as paper records) is subject to the GDPR when it is, or is intended to be, part of a filing system, the security and confidentiality of such records should be considered by the organisation when staff are working remotely. The DPC recommends, for example, that such records be locked in a filing cabinet or drawer when not in use and shredded when no longer needed. Particular attention should be paid when dealing with records that contain special category data. Good governance practices also require the organisation to keep track of, and document, which records and files have been taken home by its staff.
B. At employee level:
In addition to the above guidance, the DPC published on 26 March a list of tips on how to stay safe online during the pandemic.
This guidance is relevant for organisations seeking to raise awareness among their staff of the risks of COVID-related scams circulating online and of the potential data breaches that might arise as a result when working remotely.
In the guidance, the DPC reaffirms the importance of double-checking the identity of the intended recipient before the employee shares personal data. This is especially relevant when sharing special category data such as data concerning health with recipients that present themselves as government departments, public health officials or healthcare professionals.
The DPC also warns against the risk of malicious links and/or attachments being spread via email. In that respect, organisations should adequately train their staff so that potential threats can be identified and reported at management level.
C. The use of video-conferencing platforms:
As a consequence of the restriction measures taken to contain the pandemic, companies offering online video-conferencing and video-calling services have seen a surge in their number of users, both private and professional. One of the most commonly used platforms, Zoom, indicated that the company reached 200 million daily meeting participants last March, up from 10 million in December 2019.
Such a sudden increase resulted in a number of privacy concerns being raised with regard to how the use of such platforms impacts both the personal and professional lives of participants. For instance, security researchers have recently highlighted a number of weaknesses in Zoom’s security features, enabling them to bypass such features and find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans. A practice known as Zoombombing, whereby unwanted guests invade a meeting, has also started to develop and resulted in the company recently announcing a 90-day feature freeze to fix privacy and security issues.
In light of the above, the DPC published helpful guidance on 3 April 2020 setting out tips to assist both individuals and organisations in using video-conferencing and video-calling services in a secure manner. The guidance was followed on 9 April 2020 by a publication from the CNIL (the French supervisory authority) outlining particular areas a user should focus on when deciding to avail of such services. Both guidance notes are helpful complements to the previous publications on remote working and will assist employers considering introducing new or increased video-conferencing arrangements for employees.
At organisation level, the DPC lays emphasis on the need for employers to discourage ad-hoc use of apps or services by their employees. Organisations want to avoid employees coming up with their own arrangements when it comes to remote working, and clear, understandable and up-to-date organisational policies and guidelines should therefore be provided to those using video-conferencing. Before deciding to use a specific platform, the CNIL’s advice is to opt for service providers who are transparent about the information they collect, what they do with it and the security measures they have in place. Organisations should therefore look for specific details on these points before signing up with a provider, and the provider’s privacy notice will play an important part in that assessment.
Appropriate security controls should also be put in place (such as firewalls, antivirus, multi-factor authentication and strong unique passwords). Information should be provided to employees as to the controls the service provides to protect their security, data, and communications (e.g. how the camera and microphone can be turned off).
Data sharing should be limited to what is necessary. To the extent possible, company data, document locations or hyperlinks should not be shared in any shared ‘chat’ facility that may be public, as these may be processed by the service or device in unsafe ways. Awareness should be raised among staff of what personal data will be shared when using such platforms. The use of work accounts, email addresses and phone numbers rather than personal ones should be encouraged. Here again, robust passwords will play an important part.
Data protection legislation should not hinder an organisation’s attempt to adapt to unprecedented circumstances such as the current pandemic. A practical and risk-based approach should therefore be taken when implementing remote working.
As a general rule, any arrangements should be made in line with the organisation’s policies regarding the use of IT equipment/infrastructure and personal devices by its staff. Any potential security risks should be identified as well as steps that can be taken to address them. At management level, effective communication between the organisation and its staff should be fostered so that the employees know what is expected of them in terms of working arrangements, practices and procedures. In practice, this will potentially mean providing adequate training and having sufficient technical support available to facilitate any queries an employee might have while working from home.