Coronavirus (COVID-19) is having a significant impact on workplaces globally as governments and organisations are encouraging employees to work from home. But as organisations expand and embed their remote working capabilities, the overall surface area of risk widens.
Precisely at a time when your responsibilities for the health and welfare of staff and clients are in the spotlight, mobile working and remote access may be increasing threats to the security of the personal information you manage.
The Information Commissioner’s Office (ICO), the independent data protection regulator in the UK, is taking a proportionate approach to the pandemic and organisations are being urged to do the same.
In short, there are no barriers in data protection law to prevent more frequent remote working by your colleagues, or the use of their own electronic devices. However, it’ll be expected that you’ve considered the security implications of homeworking, and the need for any risk mitigation, as you would in normal circumstances.
Informing employees and clients
In the event that a staff member may have potentially contracted COVID-19, you should inform their colleagues as required, but you should consider carefully whether it’s necessary to identify the individual concerned.
Firms will also have a duty of care to any prospective customers, clients, or others the colleague may have come into contact with, and to alert them if indicated by the incubation period for the disease. Again, you’ll need to think carefully before naming the individual involved.
Any extraordinary information about the health status of staff or visitors to your firm that you collect to comply with health and safety obligations should be proportionate for that purpose. You should not collect more than you need, and it should be managed appropriately.
As with other aspects of good data protection practice, you should record the decisions you make and the rationale for them if possible.
In the long term, the impact of coronavirus may be a milestone in increasing opportunities for collaboration, technological adoption, and flexibility in how you undertake your legal services business.
I’ll have more to say on the policies, procedures and contingencies solicitors should put in place to maintain the highest standards of data law and professional responsibility in future articles.
For now, keep up to date with the latest guidance from the ICO.
Andrew McWhir is the GDPR and lawtech policy adviser at the Law Society.