The Jersey Office of the Information Commissioner (JOIC) recognises the unprecedented challenges our Island community is facing during the Coronavirus pandemic. We know that some of you have had to adapt the way you work and may be working from home. Some of you might need to gather and share information urgently. Data protection legislation will not stop you doing that but you must still only obtain what you need, share it with people who really need it, tell people what you are doing with their information and keep it safe. We are here to help. Please see below for answers to the most frequent questions we are being asked. If you need more help, email us at enquiries@jerseyoic.org or call us on 01534 716530.
TOPICS
Timescales & Legislation
Healthcare
Human Resources & Employment
Working from Home
TIMESCALES & LEGISLATION
Q: During the pandemic, we are worried that our data protection practices might not meet our usual standards or our response to information rights requests might be longer. Will the Jersey Office of the Information Commissioner take regulatory action against us?
A: We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We will not penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period; however, we will examine each case on its merits. We cannot extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic. Data subjects will likely understand the difficulties that businesses are facing at this time and you should ensure that you continue to communicate with the data subject, explaining any delays and advising them when you hope to respond to their request. We will not take action against controllers that have tried to comply but are hampered in their efforts by the current situation. The key to success in these difficult times is transparency and communication with your customers.
HEALTHCARE
Q: As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
A: Data protection law does not stop Government, the Health team or health professionals from sending public health messages to people, either by phone, text or email. Nor does it stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. We remain available to support any controller/processor that is looking to put in place measures to contact Islanders during this pandemic and to work with them to ensure that any measures they do put in place are compliant with data protection legislation.
HUMAN RESOURCES & EMPLOYMENT
Q: Can I tell my staff that a colleague may have potentially contracted COVID-19?
A: You should keep staff informed about cases in your organisation. However, you probably do not need to name individuals who have been affected and you should not provide more information than necessary. Whilst you have an obligation to ensure the health and safety of your employees, as well as a duty of care, do remember that you also owe a duty of confidentiality to any employee suffering from COVID-19. Data protection legislation does not prevent you telling your staff that a colleague has contracted COVID-19 but you will need to carefully assess exactly how much information you need to disseminate and be able to justify why you have chosen to divulge that information.
Q: Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference or an event?
A: You have an obligation to protect your employees’ health but that does not necessarily mean you need to gather lots of information about them. It is reasonable to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms. You could ask visitors to consider Government advice before they decide to come. You could also advise staff to call the Jersey Coronavirus helpline on 01534 445566 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect. If that is not enough and you still need to collect specific health data, do not collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Q: Can I share employees’ health information with authorities for public health purposes?
A: Yes. It is unlikely your organisation will have to share information with authorities about specific individuals but if it is necessary then there are provisions in the data protection law which will enable you to do so.
Q: I have had to let go some members of staff because I do not have the work for them. What do I need to think about in terms of their access to my organisation's data?
A: It is your responsibility to make sure that the only people who have access to personal data within your organisation are those who need it. Ex-employees should have no reason to hold on to personal data once they have left your employment and so you need to make sure that they do not have access to your systems/premises or any information they should not have. If your member of staff had remote access to your systems, you need to make sure that you have disabled their access. If they had access to your physical premises, have you disabled any access that was granted by way of fob/pin code? If they had a key, have they returned it to you? If you provided that member of staff with a phone/laptop or other piece of hardware, has it been returned to you or, if you are happy for them to keep it, are you confident that there isn't any of your organisation's data on it? If they downloaded emails onto that device, are you satisfied that they have deleted that information? Do you have the ability to remotely erase those devices? Are you satisfied that your staff member does not have any hard copies of your information? If they do, are you able to arrange for that information to be safely returned to you so that you can destroy it securely?
WORKING FROM HOME
Q: More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
A: Data protection legislation is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law does not prevent that but you will need to consider the same kinds of security measures for homeworking that you would use in normal circumstances. We have produced the below guidance for organisations and employees to advise on the Dos and Don’ts of working from home.
Security – Have you considered:
Domestic internet security
You must ensure your employee has a secure internet connection. Do staff have secure WiFi requiring passwords? Do they have anti-virus software installed? Is that software (and any other software) up to date and have all software 'patches' been applied? Is this a normal activity for your member of staff? If not, brief and train them first on the protocols set out below.
Think carefully about physical security of ALL documents, including paper records. Think carefully about how the paperwork is going to be transported, for example in a locked briefcase/not left in open view in a car.
Setting up homeworking – Recommendations:
Many of us share our homes with loved ones. Whilst working from home you will need to ensure that members of your household cannot access your laptop or work papers. Remember to keep virtual meetings and conversations confidential too.
Lock information away securely when not in use.
Have you considered how your staff will report a breach? Do they know who to contact and how to contact them? Are you able to report a breach to JOIC if you need to?
Who needs to know you are working from home? Recommendations:
The organisation must ensure work is being conducted in accordance with the organisation’s data security, bring-your-own-device and homeworking policies. We also recommend:
Consider having a sign-in/sign-out procedure for taking files and personal data home. For those working via a remote access platform, do you have an audit trail of what employees are accessing?
Contracts of employment should have compliant data privacy clauses and refer to appropriate security, homeworking and transporting data rules. Make sure all employees are aware of what to do if a file is lost and test that plan.
What are the risks of a data breach when working from home?
Whilst working from home, it is easy to become distracted and leave unlocked devices unattended or paperwork lying loose. Please remember that if an unauthorised person is able to access the computer or paperwork you are working on, this is a data breach.
Top Tips
We recommend working in a private, secure place in your home. Also, do not leave unlocked devices unattended or paperwork lying around.