It is hard to comprehend just how much things have changed since we sent out our last newsletter at the start of March. In that time, we have continued to support our schools with any ongoing data incidents, held virtual audits and meetings online, and provided resources to help with continuity planning, setting up hubs and remote working. And we continue to be amazed by the fantastic jobs you are all doing in such testing and uncertain times!
This month’s newsletter features advice from the ICO about data protection and data security during the Coronavirus pandemic, our latest resources including advice for conducting interviews and recruitment virtually, and an overview of the security concerns regarding Zoom – the video conferencing app du jour!
If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools reopen, please get in touch via GDPR@schoolpro.uk.
Stay safe and healthy!
Data Protection During the Coronavirus Pandemic
During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
Can I tell my staff that a colleague may have potentially contracted COVID-19?
Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference, or an event?
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.
It’s reasonable to ask people to tell you if they are experiencing COVID-19 symptoms.
You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms. This approach should help you to minimise the information you need to collect.
If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Can I share employees’ health information to authorities for public health purposes?
Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.
Data Security – Advice from the ICO
Download the ICO’s guide to the basics of data security here:
Further resources for data security can be found here including our Working From Home Securely factsheet:
Working From Home Securely Fact Sheet
Zoom – Privacy and Security Concerns
Zoom has become the most popular video conferencing app in the UK and US for socialising and conducting business. Some schools are also using it for streaming live lessons. However, some concerns have been raised about its privacy and security as can be seen in the following articles:
Coronavirus: Zoom under increased scrutiny as popularity soars – BBC
Zoom faces a privacy and security backlash as it surges in popularity – The Verge
Zoom is a big privacy headache. Here’s how you can lock it down – Wired
Privacy concerns grow over Zoom videoconferencing platform – Financial Times
Zoom sued for allegedly sharing users’ personal data with Facebook – CBS News
Zoom admits meetings aren’t really end-to-end encrypted – Trusted Reviews
Even Boris Johnson has come under fire for using it for Cabinet meetings – as well as publicly sharing the meeting ID…!
It is clear that the software is not free from some genuine concerns, especially if you are using it with your pupils. The Wired article above gives some handy advice on how you can make Zoom safer, such as setting passwords for your Zoom meetings to prevent ‘Zoombombings’ and removing data-slurping settings as much as possible. Equally, it also suggests using different software that is more security conscious, which would be our recommendation as well. Having said that, it is hard to find any product that doesn’t have any privacy or security concerns at all!
The key thing is to risk assess your decision and record all of the actions you have taken to mitigate all of the risks.
Resources for Schools
Covid-19 Continuity Planning for School Closure
Covid-19 Continuity Planning for Hub Schools
Covid-19 Daily Risk Assessment for Schools and Hubs
Safe Remote Learning Infographic
Live Lesson Streaming Infographic
Data Protection in the News
Don’t get caught out when it comes to pupil photos – ICO
Smart camera and baby monitor warning given by UK’s cyber-defender – BBC
Rail station wi-fi provider exposed traveller data – BBC
UK Home Office ‘repeatedly breached GDPR’ – TechRadar
Amazon’s Ring logs every doorbell press and app action – BBC
UK data watchdog slaps a £500,000 fine on Cathay Pacific for 2018 9.4m customer data leak – The Register
Boots Advantage and Tesco Clubcard both suffer data breaches in same week – Which
Virgin Media data breach affects 900,000 people – BBC
Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments – VentureBeat
Dutch government loses hard drives with data of 6.9 million registered donors – ZDNet
Coronavirus-tracking smartphone apps don’t invade privacy says data watchdog – ZDNet
Using Zoom while working from home? Here are the privacy risks to watch out for – CNet
Council employee fined £400 for illegally deleted audio file – ICO
Marriott hit by second data breach exposing “up to” 5.2 million people – Verdict