Covid puts privacy compliance to the test

This article appeared on the Daily Business website.

Sean Morris, Navigator Law

News headlines in recent weeks highlighted how a number of large UK employers, including IKEA and Next, have changed sick pay entitlements for unvaccinated staff, but as yet the media has paid little attention to the data protection implications when businesses gather information about vaccination status. Health information is special category personal data, and ICO guidance makes clear that businesses must comply with all the UK GDPR requirements whenever they process vaccine status.

For employers collecting and using this information without completing the necessary steps to ensure data protection compliance, 2022 could be a difficult year should John Edwards, the new UK Information Commissioner, make this an enforcement priority.  Public consultation on the ICO’s new Regulatory Action Policy will close on 24 March 2022, after which some indication of the ‘direction of travel’ can be expected.

Data security and breaches are very likely to remain a key area of the ICO’s enforcement activity, with the health sector having reported the largest number of breaches to the regulator in Q2 2021/2022. Already the ICO has published a preliminary paper on specific issues such as end-to-end encryption, and in the coming months further publications of its work on data security, such as online safety, are expected. 

For UK businesses, keeping up to speed with a succession of updates from the ICO will probably be the main challenge in 2022, particularly given the likelihood of detailed new guidance on data protection issues relating to marketing and employment. The ICO consultation on the draft direct marketing code of practice ended back in March 2020. A separate consultation on updating the Employment Practices Code, which addresses issues including employment records containing health information and the monitoring of workers, concluded in October 2021; both areas have seen considerable changes to business practices because of the Coronavirus pandemic. As we all know, advances in technology have facilitated increased home working, and hybrid working arrangements are ‘the new normal’ for many UK businesses. But inevitably this model produces additional data security risks. On the one hand, businesses are required to have appropriate security arrangements in place for when home-working staff access customer personal data, for example; at the same time, businesses must consider privacy and balance those security measures with safeguards that protect against inappropriate monitoring of staff.

Updated guidance, it is hoped, will be more of a help than a hindrance for management, given the considerable upheaval which they continue to deal with arising from the pandemic.  But inevitably, however beneficial the new guidance proves to be in the long run, its publication will in the short term require reviews and (most probably) updates of operational practices and policies, and further training for staff to ensure compliance, imposing additional strain on limited resources for businesses.  

For better or worse, it may be that before issuing updated guidance the ICO awaits the outcome of last year’s government consultation on changing UK data protection laws following Brexit. The Department for Digital, Culture, Media & Sport (DCMS) consultation, titled “Data: A new direction,” prompted the ICO to acknowledge that the government’s freedom to adapt laws could enable UK businesses to employ risk-based, practical approaches to meeting their GDPR data protection obligations, for example when transferring data from the UK. The objective of the package of global data protection plans announced by DCMS is to boost growth, increase trade and improve healthcare and public services. It includes new multi-billion pound global “data adequacy” partnerships, initially with six priority territories (the USA, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia), with potential future partnerships with other fast-growing economies (such as Kenya, India, Brazil and Indonesia).

As yet, no announcements have been made about when the outcomes of the DCMS consultation will be published. Certainly some of the DCMS proposals would likely be welcomed by most UK businesses: for example, DCMS has consulted on whether to introduce a fee structure (modelled on the Freedom of Information Act 2000) for subject access requests. But other proposed changes, such as bespoke UK standard contractual terms (SCCs) for international transfers of personal data (which DCMS refers to as International Data Transfer Agreements (IDTAs)), will yet again require businesses to take legal advice before reviewing and/or updating operational practices to ensure data protection compliance.

However much the current government is keen to pitch those changes as post-Brexit opportunities which are pro-business, in the short term they are likely to be viewed by many UK businesses as further challenges to be overcome in the year ahead. 

So much to think about.