During the government lockdown due to Covid-19, the ability to work remotely has proved essential in protecting staff, safeguarding customers and saving businesses.  Whilst many organisations have been carrying out ‘business as usual’, others have had to adapt quickly in an ever-changing environment to continue to provide services to clients and those in need.

People are spending more time at home and online, and cyber criminals are taking advantage of holes within internet security systems and the lack of face-to-face interactions. Cyber criminals do not discriminate in who they target, and no organisation is safe.

It is now more important than ever to be vigilant about data protection and cyber security. Personal Data is defined by the ICO as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.

With job losses, ill-health and domestic violence on the rise, and elderly and vulnerable people within the community becoming increasingly isolated, many are turning to charities, community groups and religious organisations for support. It is likely that the information obtained relating to Covid-19 will be deemed as ‘personal data’ or ‘special categories of personal data’.

This article outlines the guidance offered from the ICO on data protection, and a list of tips on how to protect your organisation while working from home.

• Privacy Notice

Organisations should have a written and up to date privacy notice that is clear and transparent. It should outline how personal data will be used, why it is needed and who it will be shared with. If your organisation does not have a written policy notice, you should ensure that there is someone in the organisation who can share this information verbally if requested.

• Sharing of Information

During this crisis, it may be more harmful not to share information than it is to share it. For example, where there are vulnerable people self-isolating in the community and their local council need to be informed. However, you should only share data to the minimum extent necessary.

Data protection legislation does not prohibit the sharing of information when it is appropriate.

• Legal

If you have consent to use personal data, a legitimate interest in using the data in a way which one would expect or if it is in the vital interests of an individual that you use their data, then it is likely that you can lawfully handle and share personal data. 

You should take extra precautions when using ‘special category data’.

• Security

Organisations should ensure software is up to date, review operating systems and ensure staff communicate securely.

Employees working from home should use strong passwords, back up information regularly and be vigilant when opening attachments in emails.

• Delete and Destroy

Employees working from home should work from softcopy where possible and delete personal information as soon as legally allowed.

Staff should dispose of all hard copy documents confidentially.

• Record Keeping

Organisations should keep a record of all decisions made that involve using personal information.

Where there has been a breach of data protection, this should be reported to the ICO and individuals concern. We encourage organisations to be vigilant and stringent in safeguarding personal data and internet security.