Data Protection at a time of vital interest: By Jennifer Brook and Katie Tomashevski
This crisis is bringing into sharp focus issues that are not always thought of as business as usual in an organisation. For those of us who believe privacy compliance is an essential organisational ingredient for both empowerment and privacy, this is an especially interesting and challenging time.
Here is an account from a trusted Venn Group partner on what challenges are currently being faced across data protection and data privacy and some advice on how to tackle them.
I am the DPO for UNISON, the biggest public sector union in the UK, as well as a GMB shop steward and women’s officer for my branch. In November last year I organised the first Union DPO Forum meeting to develop and share best practice, increase the union voice in the privacy community, horizon scan and share experiences and solutions. We had our second forum in early February before the Covid-19 crisis developed into what it is now. Just this past week I have had contact with three union DPOs to share information and support each other. These are stressful times and the job of the DPO of any organisation can be very lonely even at the best of times.
As you read this, union members are literally saving lives and continuing their essential frontline services and their unions are working very hard to support them. They are the same people who until recently you probably never really thought about. The cleaners, cooks, utility workers and bin collectors. The silent army doing the most difficult jobs and many of them are working for the minimum (but not a living) wage. The unions of this country support their members daily on important job security and safety as well as data privacy issues.
The privacy compliance team has an important role to play supporting union members. Some employers use data privacy as a tool to empower their workforce. On the flip side, we sometimes see the veil of data privacy used to bully and victimise employees. I have had a few examples of both approaches come across my desk during the initial panic and transition to lockdown.
I would like to start with some positive examples of questions where members and staff were alive to privacy compliance issues. I had a question about transporting paper files as this is still a big issue. I advised on the appropriate safeguards if the files could not be converted and stored in a secure digital environment.
I have also been asked about the balancing act many organisations are struggling with. Does an employer need to identify a worker who has a confirmed or suspected case of Covid-19, and how much information can be shared? At first this seems a confusing issue but going back to privacy compliance basics makes the solution much more straightforward. Can we lawfully process this information? Well, yes because vital interest is the lawful basis used but it is also Article 9, Special Category (health) Data so it is high risk processing. We should then apply data minimisation. How much do people need to know?
I have seen examples of emails sent with people’s health status and other personal information shared with colleagues. You can work next to someone for many years and never know they had an underlying condition. And now everyone in the organisation knows that the person sitting next to them has diabetes, is taking immunosuppressants for their infertility treatment or is HIV+. An employer might have had a vital interest to process the information, but they did not minimise the data being shared.
Some employers are taking this crisis as an opportunity to gather information that they are not normally entitled to. I was contacted by an activist for advice for a member who was being asked to provide information that they normally would never give to their managers. I found this strange and alarming. Some of the requests being made are for emergency contact details for whole divisions.
When faced with requests for personal information that is not normally required, I usually have the following conversation:
“Sorry? What do you mean?”
“Can you tell me why you need (insert request, i.e. all the emergency contact information for this division)? What is the purpose? I can help if I know why you need the personal data.”
“Well, you know. Covid-19.”
As a DPO giving advice I am not trying to be obstructive; I just need to know why personal data is being requested. Again, back to basics. What is the lawful basis for processing? If there is a procedure already in place, we need to ask what is the pressing matter that requires deviation from that procedure.
Take a moment. If you are not sure, speak to your DPO. Their sole purpose is to advise you and support the organisation to comply with data privacy legislation.
I know people are panicked but no one wants to be the person responsible for a serious data breach. If you are notifying staff about the illness of a colleague, ask yourself: is it necessary to include their name and full medical details? Probably not. I know that people will more than likely be able to figure out who the person is when they have been notified a colleague is ill or self-isolating but please be conscious of the data trail that you leave.
Another big question I am being asked is about agility and acting quickly to support members. When we are trying to be expedient, we must not forgo security. Remember encryption and password protection are your friends. Simple mistakes are often the biggest to make.
Some employers may not be observing the principle of purpose limitation. Health status, disability and family responsibilities are not always something that a worker shares with their manager or employer. If an employer is asking these questions during the Covid-19 crisis they should be clear about the lawful basis for processing. If it is vital interest, then it needs to remain vital interest. It cannot then turn into legitimate interest or something else. Employees are entitled to their privacy but will share information in a crisis for the better good. They just do not want that private information to be used against them in the future.
I had a friend visiting from the States over Christmas. We met near my office in Euston for a meal. As we were walking to get a bus, I was trying to explain what I do for a living. My friend has never belonged to a union and did not understand. I saw the bin collectors pull up next to us. I walked up to them and I said, “GMB or UNISON?” The man I asked said, “I’m GMB but he’s UNISON,” pointing to his colleague, “Why do you ask?” “My friend here does not understand why unions are important. I am a GMB shop steward and I work for UNISON.” And for a few minutes my friend listened to these union workers explain to him why their unions were important to them. We said good night and shook hands when it was still allowed.
I am aware of many selfless acts that union workers are responsible for. For some, it is part of their business as usual. Others are volunteering to be re-deployed to serve their community. Union workers are the backbone of this country. Our unions are not only supporting their members but coming up with innovative solutions for employers. Together we will get through this crisis and I hope that there will be a growing understanding of how data protection is a powerful tool for both empowerment and privacy.
Many of the innovative law firms are providing webinars for their clients that address these three very important issues. Employment. Health and Safety. Data Protection. These are important ingredients to good business practice.
We, at Venn Group, could not be prouder to support unions, charities, NGOs, the public sector including both local and central government during this time, and continue to educate ourselves as well as others externally about how data protection gone wrong can impact any business or organisation.
We hope you found this not only insightful but a great and light-hearted reminder of the story we will tell once this is all in the past.
If you find yourself in need of any assistance over the next few weeks, we encourage you to reach out, whether it's for data protection, interim and/or long-term resourcing strategy management, or to secure your next role for the future.