COVID-19: Guidance on data protection

Information Commissioners

It is likely that COVID-19 will have a significant impact on the operations of many Jersey and Guernsey data controllers and data processors. However, the requirements of both island's data laws continue to apply in the usual way. The Jersey Office of the Information Commissioner (JOIC) has stated that it will take the relevant circumstances into account when assessing compliance with Jersey's data laws. It is likely that the Office of the Data Protection Authority in Guernsey (ODPA) will adopt a similarly pragmatic approach.

Confirmed cases of infection

You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection principles do not prevent you from adhering to such obligations.

You should keep staff informed about cases in your organisation. However, personal data concerning health is 'special category data'. If an employee has COVID-19, you can let other employees know that there has been a confirmed case within the business but you must not include any details about the individual who is absent without their express consent. It is unlikely that you will need to name individuals and you shouldn’t provide more information than is necessary. 

Data collection

You can lawfully collect information in order to help your business respond to the COVID-19 crisis.

As indicated immediately above, this is likely to involve the further collection of special category data and you should be clear as to the lawful basis upon which you seek to do so. Notwithstanding the basis that you consider to be most relevant to the collection, you should consider undertaking an assessment of the 'legitimate interests' (as between you and the data subjects in question) connected to this further processing.

In pursuit of the 'transparency' principle, you should be clear with your data subjects (ie your staff) about the additional data collected. Privacy notices should be reviewed and you may wish to consider the adoption of a standalone notice - specific to the data collection activities that are proposed in response to COVID19.

If your organisation is a data controller, the central record listing the processing activities it conducts should be updated with the details of the further processing activities undertaken.

External communications

Many businesses will want to advise or update their contact base in response to the COVID-19 situation. If your normal practices concerning client communications involve accurate databases containing up to date contact information, coupled with a clear understanding of the lawful basis upon which you are able to communicate with your clients and contacts, you should be wellplaced. However, it would be prudent to keep your communication practices under review to ensure, for example, that the nature and frequency of such communications does not extend beyond the bounds of the communication practices that you have agreed with your contact base or that they would reasonably expect. 

Remote working

With increasing numbers of employees likely to be working remotely, remind employees of your internet security, confidentiality and data protection policies when they are working outside of the office.

Any papers permitted to be removed from your place of business that contain personal data and/or confidential information should be transported safely and securely. You may wish to remind staff that any 'clear desk' practices employed at your offices remain in force and that all possible measures should be taken to lock information away at the end of each day. Any paperwork removed should be destroyed (eg shredded) or returned for destruction as soon as possible after it becomes surplus to requirements. Information, whether contained in hard copy or on screen, should be accessed in a place where it cannot be viewed by unauthorised persons, such as visitors to the property (eg contractors).

Whilst it is expected that staff take appropriate steps each day to secure their properties when they leave them, however temporarily, they should be encouraged to take even greater care in remote working circumstances.

Data law obligations such as the reporting of personal data breaches and responding to information requests must be actioned within specific timescales and through the appropriate internal and external channels. Review your policies that cover these processes and consider what if any adjustments need to be made. You must be satisfied that staff know what to do in these situations whilst working remotely.

Responding to data subject rights

The operational impact on business caused by COVID-19 will not justify non-compliance with key obligations, such as responding to requests from data subjects to access their information. Your business should do everything it can to adhere to its obligations in this regard. However, JOIC has indicated its understanding that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. It is unlikely to penalise organisations that can demonstrate the need to reprioritise, or adapt their usual approach, in response to COVID-19. It is likely that ODPA will adopt a similar stance. 

Data transfers

Alternative operational measures that you are considering or may have implemented, or additional data collection activities that you may have adopted in response to COVID-19 and that you wish to share within your wider business, could cause information to be removed from the jurisdiction. Care should be taken to assess where personal data will be processed and consider the relevant data transfer rules under both Jersey and Guernsey's data laws in order to ensure compliance. 

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice