The COVID-19 pandemic and national lockdown has resulted in a large number of businesses relying on staff working from home. This poses new and increased data protection issues.
The Information Commissioner’s Office (ICO) has issued updates and guidance for organisations to assist them in complying with their data protection obligations and to provide an indication of the ICO’s approach for those who encounter issues in the course of and/or as a result of the pandemic.
The ICO is looking to strike a balance between maintaining GDPR protection and acknowledging that organisations may be operating with reduced staff, resources and capacity and may be faced with new priorities (whether that be their involvement in dealing with the pandemic or simply surviving as businesses).
The ICO has also seen an increase in criminals using the current crisis for scams and the National Cyber Security Centre (NCSC) has also issued guidance on this.
The ICO has indicated that it will not penalise organisations which need to prioritise things other than data protection during the pandemic. The ICO recognises that the current reduction in organisations’ resources could impact on their ability to comply with aspects of the law.
As a consequence, when handling complaints about organisations the ICO has said that it will take into consideration the impact of the current crisis.
Organisations should continue to report personal data breaches within 72 hours of becoming aware of the breach. However the ICO acknowledges that the current crisis may impact on this timescale. When it is carrying out investigations the ICO may be prepared to reduce the amount of evidence it asks for and allow organisations an extended period of time to respond.
In taking enforcement action (including the imposition of fines) the ICO will take into account whether the organisation’s difficulties result from the pandemic and if the organisation has plans to rectify the breach at the end of the crisis. The ICO may also give organisations longer to rectify any breaches that predate the COVID-19 outbreak where the crisis impacts on their ability to take the necessary steps to rectify the breach.
All formal regulatory action in connection with outstanding information request backlogs will be suspended.
Any fines imposed by the ICO will take into account their economic impact and affordability. In the current circumstances that means the level of fines will be reduced.
The ICO will also recognise that the reduction in organisations’ resources could impact on their ability to respond to Subject Access Requests where they need to prioritise other work due to the current crisis.
Whilst the ICO cannot extend statutory deadlines it will tell individuals that they may experience understandable delays.
Organisations must consider the same security measures for their employees working from home as they would in normal circumstances.
COVID-19 and communicating with staff
It is reasonable to ask staff if they are experiencing COVID-19 symptoms. Staff can be informed about COVID-19 cases in the organisation but the members of staff affected should remain anonymous.
Cyber crime and COVID-19
The NCSC has said:
- There has been a wave of UK Government falsely branded scams. However, overall levels of cybercrime have not increased.
- The surge in homeworking has increased the use of potentially vulnerable services (such as Virtual Private Networks, some of which are known to have vulnerabilities).
- Threats include phishing emails with “Coronavirus” or “COVID-19” in the title or purporting to be from the World Health Organisation or a medical professional (eg “2020 Coronavirus Updates, 2019-nCov: New confirmed cases in your City”) andmalware with similar terms in links.
- Criminals have registered domain names with these terms in them.
- Criminals are attacking newly (and often rapidly) deployed remote access or remote working infrastructure.
- Malicious actors are also seeking to exploit the increased use of popular communications platforms to send phishing emails with links to malicious files that have, for example “zoom”, in the links.
- They have identified a malicious Android App purporting to be a coronavirus outbreak tracker.
- Criminals are using text scams suggesting that payments are going to be made to individuals by the Government.
- Further scams are likely to be linked to any Government compensation schemes.
- Health Organisations are a target due to the increased strain they are under.
The NCSC has issued detailed guidance on mitigating the risks (for individuals, organisations and cyber security professionals). This can be accessed at https://www.ncsc.gov.uk/section/advice-guidance/all-topics
The COVID-19 crisis has created new and increased cyber risks for organisations. The regulars have responded sympathetically and this is to be welcomed. However, criminals will seek to exploit the crisis and it s sensible to keep checking he guidance issued by the NCSC.