April 20, 2020
As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. This article discusses key data protection considerations for businesses in connection with the COVID-19 pandemic, including the processing of personal data for health-monitoring purposes, crisis management and cybersecurity preparedness, and steps businesses may take to ensure the business continuity of privacy compliance programs.
I. PROCESSING OF PERSONAL DATA FOR COVID-19 DETECTION AND PREVENTION PURPOSES
Over the past weeks, data protection authorities in the EU and the European Data Protection Board (EDPB) have issued guidance on the processing of personal data, including health data, for COVID-19 detection and prevention purposes. The general message of the authorities has been consistent: the EU General Data Protection Regulation (GDPR) does not prevent the processing and disclosure of personal data that is necessary to fight the COVID-19 pandemic.
Nonetheless, it is important that the general data protection principles set forth by the GDPR are respected, even during a crisis. In terms of lawfulness, several legal bases of the GDPR can be relied upon to legitimize the processing of personal data for COVID-19 detection and prevention purposes, including the legitimate interests legal basis. In addition, for the processing of health data, which is considered sensitive personal data under the GDPR, EU data protection authorities have identified various legal bases on which companies may be able to rely. For example, companies may be able to assert that the processing of health data of employees is necessary for companies to carry out their obligation under local labor law to ensure health and safety in the workplace or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
All data processing operations, however, must be proportionate to the purpose that the data controller is seeking to achieve. In addition, the data processing must respect the other data protection principles and requirements set forth by the GDPR, such as the principle of data minimization (i.e., avoiding excessive information collection) and the requirement for transparency (i.e., ensuring that data subjects are fully aware of the processing of their personal data for COVID-19 detection and prevention purposes).
EU data protection authorities, among others, have issued recommendations for a number of practices involving the processing of personal data for COVID-19 detection and prevention purposes, including:
Although there is a certain level of consistency in the COVID-19-related issues addressed by regulators, guidance of EU data protection authorities around these issues varies by country. As a result, when designing COVID-19 detection and prevention measures involving the processing of personal data, companies operating in multiple EU Member States should examine requirements and regulatory guidance at a national level.
II. CRISIS MANAGEMENT
A. Cybersecurity Preparedness
The number of cyberattacks on company systems has increased and likely will continue to increase as businesses and workforces move online in response to COVID-19 confinement measures. Cyberattacks can disrupt company systems and expose personal data to unauthorized access by third parties. In light of these concerns, it is important to review and, if necessary, revise the company’s cybersecurity preparedness measures and incident response plans to ensure that they are adapted to the new reality of doing business remotely. This can include, for example, the following measures:
B. Safe Teleworking
As businesses continue to rely heavily on teleworking, companies also should consider setting up, or finalizing the setup of, employee remote working practices to ensure the safety of company systems, including the protection of personal data residing on those systems. For example, allowing employees to use personal devices to connect to the company’s network may pose particular risks for system security and unauthorized disclosure of personal data. These risks typically should be addressed in a robust bring-your-own-device (BYOD) policy. Companies also should consider providing appropriate training to educate employees and raise awareness about safe teleworking issues, such as which cloud-based resources employees may use when working remotely, using a secure internet connection, the importance of using strong passwords, implementing firewalls and anti-virus protection on any personal devices, and securely transmitting or disposing of documents containing personal data. As a best practice, companies should establish guidelines regarding handling files at home where required, such as for HR managers who may need to transfer employee files to their home office during the teleworking period.
To the extent that the teleworking situation is likely to last for a long period or become the company’s standard, the company should consider developing and maintaining a safe teleworking policy. Alternatively, updates to relevant parts of existing policies, such as an IT systems monitoring policy or an acceptable use policy, could achieve the same result.
A practical way to raise awareness internally about safe teleworking is to provide examples in the relevant policy or communication regarding unsafe behavior that puts information security and personal data at risk when employees work from home (e.g., changing laptop settings, letting others at home use the company device for personal use, sending confidential documents to personal email accounts or allowing others to overhear business conversations). Updates to other company policies also may be required because of the novel teleworking situation and the particular risks related to teleworking, such as information security policies. Directing employees to the relevant resources and issuing updates or reminders in stages, to manage priorities effectively, would be useful. Teleworking also may raise new challenges for existing employee monitoring practices or create a need for additional employee monitoring measures, which should be assessed from a national labor and data protection law perspective.
C. Vendor Management
As the implications of COVID-19 continue to evolve, identifying the vendors that are critical to the company’s business, services or communications (e.g., video conference vendors) is recommended for business continuity purposes. For key vendors, companies should consider (i) listing the relevant contact persons and their respective contact details and (ii) identifying alternative resources that may be used if necessary to mitigate an immediate data protection issue involving the vendor.
Vendor data protection issues may vary depending on the vendor’s type of business, but such issues could include, for example, (i) disruptions in individuals’ availability and workflow continuity due to the unavailability or technical inability of the vendor to provide a service or fix an issue, (ii) data security issues, (iii) issues deleting personal data after the termination of the service or (iv) a delay in notifying customers in the event of a data breach. In anticipation of potential issues, contracts or relationships with key vendors may need to be reviewed to strengthen protections such as data security and incident notification or to identify alternative contacts in case certain contact persons become unavailable.
III. ORGANIZATIONAL MEASURES FOR BUSINESS CONTINUITY
In times of uncertainty, ensuring the ongoing availability of resources within an organization is important to limit disruption to daily business operations and maintain appropriate internal governance.