Data Protection Update
Posted in: Supplementary Articles NI on 10 September 2020
In this webinar recording, Anna Flanagan, Senior Associate at Pinsent Masons joined us to discuss the following topics:
- Update from regulators and enforcement action during/after the pandemic;
- Working from home: risks associated with employee behaviour, employee monitoring, managing supplier contracts;
- Returning to work: health monitoring, contact tracing, adjustment on a phased basis, mission creep as the emergency eases;
- Cyber risks: increase in COVID-19 related scams, risks in employee behaviour, PM white paper including attacker trends;
- International transfers and Brexit: transferring personal data to third countries including the US following the Schrems II decision.
Scott: Good morning, everybody. My name is Scott Alexander. I'm from Legal-Island. Welcome to this "Data Protection Update", in association with Pinsent Masons. If this is your first time on our webinar, you'll be able to listen back. We'll send you a link afterwards, and we'll also get it transcribed.
Now, today our guest is Anna Flanagan, who's Senior Associate with Pinsent Masons in the Litigation and Regulatory Compliance department. She's also going to be speaking at the Annual Review and delving into data protection issues. A lot more detail to come on November the 4th and 5th when we have our Annual Review this year online.
As you can see, I'm Head of Learning and Development here.
Just before we move on to a poll, just to let you know we're doing eLearning Training Courses. And we do many training courses, but as you can see, £10 plus VAT per person for data protection whilst home working. If you're interested in that, get in touch with us (Debbie Wilson, eLearning Client Executive, email@example.com), and we'll send links on after the webinar as well.
So I'm going to hand over now to Anna Flanagan from Pinsent Masons, and she's going to take you through the data protection update. Anna?
Anna: Thank you very much, Scott, for that introduction. Good morning, everyone. Just to quickly give you an idea of the agenda we're planning to cover in the next 45 minutes, firstly, just to give you a quick update about what the regulators are saying and the guidance that's there and available to you all in relation to data protection concerns around this time, just give you an indication of that.
A lot of organisations, my own included, are still at the working from home stage. We have not made a mass return to the office yet, nor are we likely to for some time. So there are obviously issues arising during this pandemic time and the "abnormal", if we call it. More people are working from home. So just to outline, I suppose from an employer and an employee perspective, some issues and potential solutions around that.
Obviously, also, organisations are going to be thinking about when we return to any degree of normality or the "new normal", whatever that looks like, and how to prepare for the return to work.
Also, just to flag, there are obviously cyber risks related to working from home and that kind of thing. I'll just flag what some of our experiences are recently.
And finally, just to give everyone a break from COVID-19, just to flag, there's been a recent and really interesting decision in a case called Schrems II. And that relates to the international transfers of personal data between the U.S. and the EU. So just to give you an indication of what that case is about.
And then also we will very briefly mention the Brexit word, which I know everyone is to a degree sick of hearing about, but I think given recent developments it's just worth flagging any sort of steps you can be taking now to prepare.
Regulation and Guidance
So firstly, just to cover regulation and guidance. I think this is a really particular . . . just to emphasise for businesses. Obviously we have some guidance out there from the various regulators within Europe. Pinsent Masons obviously are a global business, so we have liaised closely with some of our European colleagues, and one thing that is quite interesting is that the supervisory authorities within the member states are all sort of taking slightly different views in relation to publishing guidance and how specific they're being.
So it's really worth having a look at the ICO if you're based in the UK, or the Data Protection Commissioner's website if you're in the Republic of Ireland, just to see what's out there at the minute in relation to guidance.
Obviously, in any of this, the current law is the GDPR and the Data Protection Act 2018. That has not changed because of the pandemic. There have been no amendments to that legislation.
But what has changed is the approach that the regulator might take to any issues in relation to the legislation. And they also have produced some guidance as to how you deal with the delays that might occur with reduced resources and also any sort of extra information that you need to collect.
Additionally, the European Data Protection Board have given some guidelines. So for anyone who doesn't know, the European Data Protection Board has members from each of the member states' supervisory authorities, and they give some input into the guidance as a whole. They are specifically helping governments with things like contact tracing, that kind of thing, and they've given some guidance on that, which is interesting if you have a real interest in the subject, but not necessarily helpful, practical guidance for businesses.
I'd mentioned the Irish Data Protection Commissioner have released some guidance as well. One really interesting point that they've picked up on, and that came up in our poll there, is in relation to data subject requests. So I think they've been asked quite frequently, "Is that one-month timescale still the same?" As I've said, as the legislation has not been amended, the timescale has not changed. But the DPC have said, "Well, we recognise there's an unavoidable delay here".
For example, some businesses might not even have physical access to their buildings where hard-copy documents are. So, if that is the case for your organisation, what you can think about doing is responding to requests to the extent possible. So that is responding with what electronic documents you can and then following up with any hard-copy stuff. And I think that's a really practical solution to any businesses that are struggling with the practicality of it.
The thing I would just flag is document all of this for your own records and keep the data subject informed as to why they are only getting certain documents in certain times. So that's what the DPC are saying.
Obviously, here in the UK, we are dealing with the ICO, and it's important to think about what they say. Now, the ICO have always indicated that they are a pragmatic regulator and they will take into account the circumstances businesses are operating in, and they have some flexibility in carrying out their role.
It's important to bear in mind the approach the ICO are taking to businesses, because that will impact any dealings you might have with them.
They've been very firm in relation to personal data breaches, that you're still to report those within 72 hours of becoming aware of the breach. That's something to bear in mind if, for example, you still have some staff on furlough, where maybe your personal data breach reporting policy is out of date to the extent that the key contact is on furlough or otherwise unavailable.
So keep an eye on all of that and make sure that even with remote working and any other changes to your business, you can still comply with that very important 72-hour window.
The other, I think, really interesting point in relation to ICO activity is obviously last July you might remember the ICO published their intention to fine British Airways and Marriott with two huge fines. I think the British Airways fine was about £183 million, and the Marriott was about £99 million. Now, they said all along that any fines issued under GDPR will take account of what the business can pay.
British Airways, obviously aviation sector. Marriott is a tourism sector. Those sectors have been impacted more than most in relation to this pandemic. The ICO have yet to publish a notice of the penalty, i.e., that it is definitely happening and it's definitely happening in that level. So we think there is a good chance here that for no other reason other than perhaps the ability of the organisations now to pay, we might see those fines coming a way down. So it will be something that will be very interesting to keep an eye on.
But what I would say, the sort of key takeaway from dealing with the regulator, is obviously businesses are under a lot of pressure, and when organisations are under pressure, things like data protection can sometimes take a bit of a back seat.
But if your organisation is using this pandemic as an opportunity to innovate and maybe have monitoring tools going forward, make sure that data protection is a key point in that, because if you can get that rolled into the process at an early stage, that will be really helpful.
Also, look back at any things that you've done in the immediate move to going home. If you've moved to using new technology and there wasn't a DPIA done at the time, think about doing that now and document any sort of on-going challenging pressures you have, because you might need that down the line.
Remote Working and Data Protection
So that's sort of an update in relation to the regulators. Moving on then just to during the pandemic and the "new normal" and working from home.
Obviously, my organisation, anyway, lockdown happened at a very rapid pace, and many changes just had to be implemented straight away. We all had a queue in my organisation of about two weeks to actually get MS Teams downloaded on your laptop so that we were able to keep in touch. And the speed at which all of that happened meant that some of the data protection considerations may not have taken place for all organisations.
So just moving on to the next slide, again back to the point that the actual GDPR and Data Protection Act, the language in those pieces of legislation has not changed. You're still under an obligation to take the technical and organisational measures to ensure the security of personal data. And that has not changed just because of lockdown or the pandemic.
What has changed is that those security considerations are likely to have changed. For example, your organisation might have started using Zoom at the outset. Now is your opportunity to have a think about, "Is that a secure method of communication? Do you want to do a DPIA to think about doing that? Do you want to think about what devices your employees are using?"
So, on this slide here, you'll see we've picked sort of three key employer considerations. The first is obviously BYOD, so employees using their own devices. Have a think about is that the case, and do you have a policy?
Bear in mind if they are working on their own devices, if the employment should end, either because they happen to leave or if maybe there are redundancies taking place in your organisation, have a think about how you're going to get that corporate information back, and be really careful about it.
As I said, make sure you have your policy and also some kind of audit or an idea of what the employees are using and what they're saving there.
Think about remote desktops and what privileges you can put in place. We've seen a real increase in phishing-related emails from attackers and threat actors. And a lot of those are actually tailored to COVID-19 to try and make people click on the links. So have a think about whether there are admin facilities you can put in place to prevent that.
And also, cloud storage I think is an important point to bear in mind. Where are your employees actually saving things? If it is going to a cloud, do you know where it's going and do you have access to it?
So those are the kinds of things you want to think about from an employer perspective.
From an employee perspective then, just on the next slide, have a think about what policies and procedures you can put in place. So do your staff know what they should and shouldn't be doing?
People are very diligent these days. They're aware of data protection and security concerns. And generally, if you give them a firm view, they will hopefully follow it.
Have a real think about confidentiality. Again, from a personal perspective, one of the first things our business addressed was printing and hard-copy documents. And a lot of our clients are financial institutions who don't permit their information to be printed in an employee's own home.
So have a think about how that works and educate to the degree you can that actually a lot of things don't need to be printed and a lot can be done just electronically. Or if things are being printed, make sure they're being disposed of securely, or ideally, see if the employees can in some way attend your premises to shred them securely.
And then emphasise secure communication. Obviously, there's a real reduction in those of us going to coffee shops to . . . confidentially if employees are in sort of flat share scenarios. Bear that in mind when you're giving advice in relation to secure communications.
Remote Working – Data Protection Risks
And then just on to the next slide and what sort of risks there can be. So employee stress, this is something that we've seen as a big point. Hopefully most employees at this stage have been able to get childcare again or their children back to school. But I can only imagine the stress involved in trying to look after young children and concentrate on your job, as a lot of people were having to do for some months there.
One thing I've seen a lot in working on cyber cases is incredibly diligent employees, when they are overworked or stressed, can accidentally click on a link that is a phishing email, can accidentally send something really confidential to the wrong place. So just bear in mind that there is more of a risk of that, and have some extra maybe training and resources there to help employees.
Any leavers or rogue employees. There are some contentious issues for businesses, especially for HR at the minute, around furlough, around potentially redundancies. Just bear in mind that if your employees have been working from home for some time, they're likely to have personal data relating to your business in their possession. Have a think about how you're going to get that back securely before there is any kind of contentious issues arising, if that is at all possible.
I've already mentioned sort of device sharing, flat share issue, and storage.
And then finally, just to flag use of personal email accounts. Not ideal at all from a security perspective or a corporate risk perspective. Again, this is back to the "We appreciate that there may have been some things that you had to do in a very sort of last minute way to keep your business going at the start of lockdown, but now is your opportunity to take a step back about how things are being done, and think about what extra policies you can put in place".
A link to that then just on the following slide is the increase in cyber risks that we've seen. I have to say our cyber team has literally never been busier than they have over the last few months. That is due to a whole host of reasons. There are some incredibly realistic COVID-19 scams going around, and it is a fact that when individuals are more stressed out about sort of pandemic situation, you're not necessarily thinking rationally when you receive an email asking you for details to assist the government with some survey or that kind of thing. So just keep your organisation aware that these are massively on the rise.
I read an interesting statistic that according to the UK government, 46% of businesses reported having a cyber attack in the last 12 months, with 32% of businesses having experienced attacks more than once a week. That's something that our cyber team is not remotely surprised at.
Obviously, with remote working, we also are seeing difficulties. With one case we had there recently, there had been a phishing email which resulted in an attacker accessing a business's system.
The first thing that everyone recommends that you do when that happens is a password change across your whole system. In this instance, the employee in question wasn't working off the employer's VPN, and thus, the forced password change didn't actually work, which resulted in the attacker having a further week's access than really should have been possible.
That is something that occurs because of this pandemic without a doubt, because it was a working from home issue without the appropriate policies and guidance being provided due to the speed.
So, if you spend a bit of time now updating training, it can really pay off down the line.
We also saw an increase in critical businesses who were very under pressure being the victim of cyber attacks. So logistics businesses, food businesses, manufacturing that were keeping going and keeping us all fed and well during the pandemic had an increase in cyber risks.
I think our IT team for the first sort of three weeks of lockdown could not be reached for love nor money because of just being completely overstretched. So just bear in mind hopefully there is more of sort of normal now, but your IT team will be stretched as a result of this. Talk to them about resources they might need or matters that you can help take off their plate so that they can focus on the really important bits. And that also links into them being stretched in monitoring for these cyber attacks.
Just to mention, Pinsent Masons' cyber team are about to release our Cyber White Paper of 2020, which is a really interesting report going through the cyber cases we've dealt with over the last year across the business as a whole, so taking into account the European offices. If anyone wants to get a copy when it's released later this month, please just give me a shout, because it's got some really interesting interactions in there with the regulators and also statistics around how these attackers are actually getting into your system.
Remote Working – Policies for Protecting Data
So just going on to the next slide, as I said, it's never too late with data protection. Prevention is better than cure. Have a look at these policies, and think about what technological measures can be put in place.
If resources are stretched in terms of putting new technologies in place, which is understandable in the current circumstance, think about organisational change, because that can be just as effective, if not more effective. If people are driving the right behaviours, which doesn't need to necessarily cost a lot in resources, that can really affect the quality of your security.
And then just finally, obviously a lot of people here are HR managers. You will know that it's important to have the policy. You need to inform the employees about the policies, have it, and then demonstrate that they were aware of it if you need to.
Data Protection – Suppliers
So I actually finally in this section . . . just to mention managing suppliers. Obviously, a lot of your suppliers, if you have processors working on your behalf, you might have extensive audit rights in those contracts. But just have a look at those. Are they still realistic?
For example, is part of the audit right to go into people's offices and have a look? That might not be possible right now. If the supplier staff are working from home, are you comfortable that they are still able to treat your personal data securely?
So I think we were just going to take a quick break here just to check if there are any particular questions arising from that initial bit. I'll just pass over to Scott.
Scott: Thank you very much, Anna. If you've just joined us, folks, you're listening to Anna Flanagan from Pinsent Masons, and she's going through various data protection updates and things that have been happening. You've heard there about things about checking whether your current methods of communication that you had used in the office are still safe and so on.
Do you know where your data is going to when people are working from home? Is it going to their cloud storage capacity or into your own? You've looked at bring your own device. We even had a picture of a BlackBerry there, which is a remarkable thing.
So we have one or two questions that have come in, Anna. I know that we're going to be looking at health monitoring in a moment, and maybe you're going to cover this, but what system or protections do we need to have in place if we're taking and storing temperature check information? Is that going to be dealt with in the next session or do you want to handle that . . .
Anna: It will be dealt with in the next section, yeah. So I'll be covering that in a moment anyway. That's a very . . . a lot of people are asking that question.
Scott: Okay. Well, that listener is going to stay on. Don't worry about her.
And the next one. "We've received a few fraudulent emails", it says here. Now, this could have come from Legal-Island. We've been getting a whole load today saying, "Your password has been compromised. Please change". Obviously, we're sending a thing around saying, "Ignore this. Ignore this". But if somebody clicks, we have a problem I think. So it just shows you how easy those phishing emails are.
So this question here,
"We've received a few fraudulent emails, and most of them are requests from what appears to come from a member of staff requesting change of bank details. We've taken measures to prevent this. For example, variable confirmation designed from unrecorded email address and blocking email addresses. Are there any other measures we should consider taking?"
Anna: I think the first point to check is, is it being generated from your employee's inbox? Because if it is, that is potentially an inbox that has been compromised. So it would be worth, if you have an IT team, them just checking logs to make sure there's been no unauthorised access to that inbox. If you don't have an internal IT team, I would suggest you get an external person to have a look, because it'd be really important just to make sure there has been no compromise to the mailbox.
And just in case there has been, I'd also recommend a forced password change across your whole IT estate just to be careful.
If it is just sort of a phishing email that is being designed to look like it's coming from one of your employee's mailbox, I mean, other than continually sort of deleting the emails and reminding people not to click on the link, there's not a lot you could do. You can report it to action fraud or those kinds of organisations if you want, but I would just be really careful that there's been no actual compromise.
And if whoever this is wants to give me a shout, I can pass on some details of friends at IT companies that can have a look for you.
Scott: Well, thank you very much, Anna. Now, if you've just joined us again, or you missed bits at the start, you'll be able to listen back to this afterwards. But you can contact Anna at Pinsent Masons, and her contact details are coming up at the end. And they'll be forwarded on in any case.
Health Monitoring and Sensitive Personal Data
So we're going to move on to the next section, which is health monitoring. We had that question, but if there are any other questions and you want to send them in, the little question box on the right-hand side of your screen, and we'll deal with them at the end of the next section. Anna?
Anna: That's great. Thanks, Scott. And thanks for the questions. Keep them coming in, please. We can deal with a few more shortly.
So, firstly, to cover health monitoring and privacy, this is obviously really key for organisations that either have to have staff members working on their premises at the moment or indeed whenever your staff start coming back to the office en masse.
Obviously, employers have a legal obligation under the Health and Safety Order in Northern Ireland to ensure a safe working environment. And also, I think ethically and morally, obviously we all want to stop any spread of the COVID-19 virus.
To flag, a lot of the language coming out of the ICO and indeed from the UK government is that data protection law, the GDPR, none of this is designed to prevent that. And expect the ICO to have a lot of sympathy with the ultimate objective of preventing the spread of coronavirus.
However, just be really careful about either completely disregarding privacy either during the pandemic or, as I'll deal with in a moment, mission creep where the pandemic has started to ease but you're still sort of excessively monitoring or intruding on people's privacy.
Bear in mind that there may be a degree of sensitivity from your employees about this. They may feel that . . . people in the workplace knowing that they have tested positive for COVID-19 may be, for example, an indication that they are attending house parties or doing the things that they're not supposed to be doing, which may not at all be the case, but just be careful that there may be a bit of a social stigma attached to it. So it's even more appropriate to be careful with their privacy.
Temperature Checks – Data Protection Issues
So I think temperature checks is a really good example of a type of action that employers might be taking on the return to the workplace or right now. I think what we would be saying is, firstly, keep data collection to a minimum. You only are obviously checking temperatures of those who cannot work from home.
It also should be part of a package of health and safety measures, because we all know that simply making sure that no one with a high temperature is in your office does not equate to no spread of the virus. So make sure there are other measures there, like cleaning communal areas, rotation of shifts, that kind of thing.
Have a think about at the start how often you're going to check and keep that consistent. So is it every day when people come in? Is it twice a day? That kind of thing.
Consider very importantly what you're going to do if someone fails that test. So, if they do have a high temperature, are you going to immediately send them home? Are you going to take account of the fact that maybe they've cycled or run to work, and then had a shower, and that's why their temperature is up? So have a think about that.
If there are underlying health conditions that mean that they may have raised temperatures or may mean they need to be extra cautious in terms of the virus, think about do you need to involve occupational health?
At all times, limit the spread of the information. So make sure HR are involved in this, and it's not just line managers unilaterally deciding, "My team are going to be temperature checked, because my mum isn't well and I'm not risking bringing it home to her", that kind of thing. That is obviously a very reasonable position for one of your employees to feel, but it's important that it is a business decision.
I know I've been speaking to managers of clients who have been coming under pressure from their own team members about temperature checks, and it's really important that it's a joined up approach by the business.
From a practical perspective, I would just say make sure you're only checking those you need to. And think about retention. I don't see a circumstance where it's massively reasonable to be holding on to those results for longer than a period of, say, 14 days. I don't think it's necessary.
I'm also not convinced it's necessary to record the actual temperature other than it is below 38.5 or whatever the current government guidance says. So I would say that's what you're recording. And unless you need to know about underlying health conditions, don't collect that information. So that's sort of how I think practically you take the steps.
In terms of the documents that you need to put in place to respond, just on the next slide, firstly I would say this is pretty intrusive. It's not dissimilar to sort of drug and alcohol testing. So think about doing a data protection impact assessment around the collection.
And then, very importantly, update your fair processing notice. If you happen to anticipate this at the time you did your privacy notice, then well done. But I think you would be very much in the minority. So you want to update those to reflect what you are collecting, for both your employees and if you are, say, a hotel or a restaurant, for any customers or third parties. And proactively bring it to people's attention, so make sure that they can see that and know that it's been updated.
And when you're updating that, you want to be telling them how long you're going to retain it for and that kind of thing. And think about your lawful basis. It's likely you can meet one of the special category lawful bases for processing conditions. But just be careful you've thought about that and made a record of it.
So moving on just to the sort of mission creep, this is really just to flag to be careful about retention. We've obviously seen that the steps by which governments loosen lockdown may go forward and back. And just be careful you're not still taking sort of steps that you took when we were at the highest level of lockdown whenever we are, if ever, out of the lockdown or at the lowest level of it. So keep an eye on it, because there could be a tipping point where it's not acceptable to be monitoring your employees to the degree that you are.
So, for example, we've seen CCTV regularly initially put in by employers for security purposes, and then used after that to look at what time employees are in for work, that kind of thing. So that's a classic example of something being installed for a particular reason, but then the use of it evolving. At all times, stop and think about whether or not that's reasonable.
The other point just to flag is to be really careful about any recordings and monitoring of your employee when they're working remotely. I know we use MS Teams and there is a record function on that. You really want all parties to know if you're recording anything on that, and all the sort of extra information they need to know when they're being recorded. Just to flag that as an issue.
Returning To Work – Data Protection Issues Arising
And then just the next slide, so returning to work in the long-term, I would just say bear in mind if your organisation does make sort of systemic changes from this, have a think about how you manage your security and controls and where you invest your resources. And if you're maybe decreasing your office space and have extra resources stemming from that, think about what you can put in to improve the security of remote working.
And with any suppliers you have, have a think about do you need to amend your contracts to reflect the fact that the security provisions will have all changed because a lot of us are all working from home?
Maybe just pause to check if there are any questions in relation to that subject, Scott?
Scott: Thank you very much, Anna. If you've just joined us, I see people are still coming onto this webinar, you're listening to Anna Flanagan from the Litigation and Regulatory Compliance team at Pinsent Masons. I'm Scott Alexander. I'm from Legal-Island. Very interesting points there, actually. You're pointing out do people know we're being recorded? You are being recorded, Anna. I thought we told you that, but there you go.
Anna: Don't worry. You let me know.
Scott: You chat about the people who know what they're going to do because they're bringing in all those policies. I was chatting to my daughter in London yesterday, and she was out for a meal with a friend, and they came along and took her temperature and they said, "It's 39 degrees", or something. And they said, "Well, what do you want to do? Do we have to leave?" And the staff didn't have a clue. They just said, "No, you're okay". So it's all very well having a policy, but there needs to be a bit of follow-through with that.
We've got a few questions that have come in there. One of them is, "Any thoughts on the recent ruling that an oral statement is not a data breach?" I don't know where that came from. I don't know what that case says.
Anna: Yeah, I'm not sure what the case is. I mean, it is possible that, if you say something out loud and it's overheard, there is a breach of confidentiality in relation to whatever you've said, but it's obviously very dependent on the circumstances.
I'm sorry. I'm not familiar with what the case is, although if you want to send me the link afterwards, I would be very happy and interested to read and have a quick chat if that would help.
Scott: No problem. I suppose there are other things. It was Alex Salmond's QC or advocate who was up on a disciplinary charge because he was talking about the case when he was on the train home and such like, apparently, allegedly. Maybe I should put that, allegedly.
So there are other breaches that can happen as well as data breaches. But maybe if you want to get in touch with Anna there, she can follow that one up with you and we can get an update.
Can we ask staff to provide us with a copy of their COVID test results?
Anna: This would be back to thinking about necessity. So do you need to? I find it hard to believe if a staff member has tested positive that they wouldn't tell their employer, but obviously, maybe there is a circumstance where that would occur.
I think if you can demonstrate that there is a necessity for you to know, and also think about how long you're recording it for, it is possible that you can do so. But just again, it's the kind of thing I would do a DPIA on, and I would make sure to update the fair processing notice and think about getting rid of the information quite quickly after you know.
But it should be possible. There should be a process and condition that you can do it, or worst-case scenario, it could be a consent thing. But of course, then you have the issue of what you do if they won't consent. I think it should be possible if necessary.
Fair Processing Notices
Do we need to update our fair processing notice if we are holding lists of names of people entering and leaving each of our premises, staff plus visitors?
Anna: I mean, I don't think it would do any harm if you just went on the website to add it, if it can be done quickly. I think you would anticipate that your employer will know if you're in the building or not. So I don't think it would be of a surprise to people, but I don't think . . .
It would be best practice to include it, because at the end of the day, it's personal information about people that you're processing. So, yeah, I would update it.
Scott: Okay. How would Pinsent Masons advise a company that has a line manager that has requested IT to go through excessive emails of an employee without a policy allowing this? The line manager was on a fishing expedition against the employee.
Anna: So employee mailboxes you do need to be quite careful about, because obviously some information there can be personal, i.e., not corporate. So, firstly, I assume in this scenario that it is a corporate mailbox. Again, you would want to be proportionate.
So you've obviously said it's a fishing expedition, so I'm not sure you would have any sort of basis for doing so. If you were concerned about some specific activity, it could be proportionate to run a targeted search. So that would be searching for certain keywords in the mailbox that could provide evidence of whatever act this is supposed to be. And you could also be proportionate in terms of who's reviewing it. So, again, you would limit that to as few people as possible.
You need to have a think about whether this would be in the anticipation of the employee, though. I know, for example, in my organisation we have a policy that says, "We will not as a matter of course look at your inbox. If we have to, we will. If you mark things personal, we won't look at that, but in exceptional circumstances, we will". Again, it's up to you to think about the exceptional circumstances, whether that is actually met and how you can do it in a proportionate way.
But if it is an activity you're carrying out, I would start with targeted searches of keywords rather than the whole mailbox.
Scott: Okay. Thank you very much, Anna. There are other questions coming in, but we're going to hold them back. We'll run over a little bit, but again, if you've been on Legal-Island before, certainly subscribers, you can listen back to this afterwards, or you can stay on for another few minutes.
International Data Transfers
But anyway, we're going to move on to . . . I think it's the last section here, international transfers and that man there, who is Maximilian Schrems. On you go, Anna.
Anna: Thank you very much, Scott. I'll run through this quite quickly, because I appreciate there's a lot going on with the data protection world, but this case has just landed in the middle of the pandemic and also Brexit. So it's all happening.
So, Mr Schrems, if anyone is not familiar with him, he came to sort of fame in the data protection world in 2013, when he initially made a complaint about the mechanism whereby personal data is transferred from the EU to the U.S.
So, if anyone's not familiar with what the GDPR says about international transfers, basically it says that you cannot transfer personal data outside of the EU unless you have additional protections in place.
And there are a number of additional protections that you can have in place. It was the same under the old legislation, the Data Protection Act of 1998. One of the additional protections back a few years ago was something called Safe Harbour. And that was an agreement between the U.S. and the EU, which effectively said organisations that are part of the Safe Harbour regime can be deemed to have adequate protections so that the transfers can take place.
So back in 2013, Mr Schrems complained to the Irish Data Protection Commissioner in relation to . . . it was related to his Facebook account. He was primarily concerned about the fact that U.S. state security agencies like the CIA can ultimately get access to his personal data once it goes to the U.S., and he doesn't think that complied with the protections in the European legislation.
As soon as I think GDPR came into law . . . sorry, I should say that Safe Harbour was thereafter declared invalid. And the EU and the U.S. then came up with the concept of the Privacy Shield, which was a similar idea.
The Privacy Shield is a self-certification mechanism businesses could sign up to, to say, "We have this badge effectively, which means you can securely transfer your personal data to us in the U.S. without any additional protections". And initially, that was deemed to be acceptable.
However, as soon as GDPR came into law, the first thing Mr Schrems did was resubmit his complaint to the DPC so that it would be viewed in light of the GDPR. And the decision then in Schrems II was released on the 16th of July 2020.
So the CJEU decision was that the Privacy Shield is now invalid. So that is a big blow for the Privacy Shield. And what that means is if you as an organisation have any personal data transfers that have only the Privacy Shield as your mechanism for transferring from the EU to the U.S., you need to have a look at those. You need to get an additional protection in place.
The ICO have come out to say, "We're obviously considering this decision, but in the meantime don't start using Privacy Shield". So that's not something you should ever start doing at this point.
And just on the next slide, I've covered that. What you can do at the moment is put in place what are called SCCs. So that is an alternative protection that you can put in place to transfer personal data to the U.S. It stands for Standard Contractual Clauses, or they're often called model clauses, which are effectively a contract you append to any data processing agreement for transfers from the EU to the U.S. or vice versa, which adds these additional protections.
Now, it's never straightforward in the world of data protection, because the CJEU also raised some concerns around the SCCs themselves, and they also suggested that you need to have a think about the laws in the individual countries before you transfer.
So SCCs are not restricted solely to the EU/U.S. transfers. They can get you transferring personal data anywhere in the world, but you need to have a think about firstly what protections there are in the country you're sending them to.
So, just on the next slide, as I've said, the ICO guidance is you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.
So the advice we are giving to clients is, "Know where your personal data is going to the U.S. and know on what basis it's being transferred". If you're relying on Privacy Shield alone, think about putting SCCs in place. But equally, make a note of where you've put SCCs in place, because if that guidance changed, you want to be able to move quickly. And the key to moving quickly is knowing what contracts you have.
And then just on the next slide, I've put what the other options are now that Privacy Shield doesn't work. There are standard contractual clauses. There are binding corporate rules, which are for multi-located groups. For example, if you have headquarters in the U.S. and a subsidiary in the UK, you can use that. And there are a couple of other specific ones.
So, as I've mentioned briefly on the next slide, what you could be doing now is assess and audit your suppliers in third countries.
Data Protection Implications of Brexit
I'm just going to mention the Brexit word very briefly because I know people are to a degree fed up hearing about it. But at the end of the transition period, without an agreement, or a deal as they call it, between the EU and the UK, we need to watch personal data flows coming from the EU to the UK, because the UK is effectively a third country as far as the GDPR is concerned. So personal data flowing from the EU to the UK will need one of those additional protections in place, and anything you can do now to protect against that will be helpful.
There are some countries that have adequacy decisions. For example, Japan. You don't need to worry about anything with them. And Canada is another example. But any countries without an adequacy decision, you need to have a think about.
There was some hope from the UK government that what the EU would do would be give the UK an adequacy decision following Brexit to avoid the need for additional protections. But given how the negotiations are going at the moment, I can't see that that's particularly likely.
And then have a think about additional safeguards.
That brings us to the end of my slides. So, again, Scott and I are very happy to take any questions. Scott, I'll hand it back over to you.
Scott: Thank you very much, Anna. We had a couple of sound issues here I think, so the recording . . .
Anna: Oh, sorry about that.
Scott: No, I don't think it's your fault. I think it's just sometimes technology gets in the way. So we'll stick around for another couple of minutes just to deal with some questions. And we'll get the link out to the recording afterwards.
Going back to your last section, if an employee has tested positive, and you have to advise other employees that they have been in contact with a positive person, how can you limit the knowledge of the positive case without the employee's name being spread further across the company?
Anna: Yeah, I think that's a really difficult one, again, depending on the size of your company and how frequently people are talking about it. I know, for example, the trace and track app that the government are running, it just tells you you've come in contact with someone who's testing positive. It doesn't give you any name or details.
In so far as is possible, I think that's the approach you want to take. You want to let people know that an employee's tested positive, and just don't be drawn into speculation as to who that person is.
Again, back to the point where the ICO are not going to let data protection issues come in the way of helping the country deal with this pandemic. If there is an accidental slip or employees are able to work it out, it is better that you run the risk of some kind of very minor personal data breach than you let COVID-19 spread around the organisation because you're too worried about breaching data protection laws.
Again, you want to sort of document all the steps you took to keep the information as secure as possible. But if there's no way to do it, the important thing for all of us at the minute is to deal with the pandemic.
International Data Transfers – Standard Contractual Clauses
Scott: Okay. Thank you very much. Now, there are a few questions that are coming in just about the standard contractual clauses, so I'm going to amalgamate them so that . . . A lot of them seem to be saying, "How difficult is it to set up standard contractual clauses? And do you need to notify every employee, every vendor, or every third party?"
So presumably when we're looking at those, we're looking at either an organisation in Northern Ireland, in our case, that might have a head office in Dublin or across in America or somewhere else, or you're maybe looking at somebody where you've contracted out services, maybe your finance services or your payroll, and it's being dealt with in another country, so you're transferring personal data. How difficult is it to set up standard contractual clauses and so on?
Anna: Yeah, it's actually really straightforward. It's a set of model clauses that can't be amended or negotiated, which makes it really straightforward, because it's just a set document that each party has to sign.
If you need any assistance with setting them up, please do let us know because we do this on a regular basis for clients.
The first thing you want to do is get the actual contract in place. And as I said, that's a literal set of set clauses that can't be negotiated. In terms of notifying employees or notifying third parties, your obligation here is to ensure that your fair processing notice tells employees if their personal data is being transferred out of the EU, and tells them what protections are in place.
So you just want to include a line . . . if it's in preparation for Brexit, if it's because of the Schrems decision, if it's because you've started a new arrangement, whatever the reason, a line saying, "Your personal data is being transferred outside of the EU, but we have the appropriate protections in place", and whatever those are. For example, standard contractual clauses.
The key point you need to tell people is that you are transferring outside of the EU, and what protection you have in place, and the standard contractual clauses are one of those protections.
Scott: Okay. Thank you very much. Thank you very much, everybody, for listening. That's been Anna Flanagan from Pinsent Masons. She's one of the many speakers . . . there are 20-odd speakers at the Annual Review of Employment Law on the 4th and 5th of November. It's all online.
If you haven't done it before, there's a fantastic networking roulette where you can hop on this little platform, one of the badges on the thing that we're using, and you meet people for three minutes. It's like a kind of fancy dating thing, but it's actually for networking.
Or you'll be able to contact . . . I don't know if you have any thoughts on this, Anna. You'll be able to contact delegates directly. Once they register, you can go in and find them, and if they want to take your call, then you can chat to them when you're networking as well and have a coffee during the conference.
It's on for two days, and you get all the usual stuff, all the speakers, all the notes, all the checklists, and such like as well. But they'll all be dealt with electronically.
So that's it. And you've got Anna's details there in front of you. If you have any questions, go to Pinsent Masons.
I'm Scott Alexander. Hopefully we'll see you again. Our next webinar will be on the 2nd of October, I think, with Employment Law at 11, the normal one. So if you have any employment questions, you can send those in to me or Rolanda at Legal-Island.
Thank you very much for listening. I hope to see you soon at the Annual Review or before. Take care. Bye. Thanks, Anna.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.