- Will the ICO allow us extra time to respond to a Data Subject Access Request (DSAR)?
Generally, where an individual submits a Data Subject Access Request (DSAR), organisations must respond without delay and at the latest within one month, starting on the day the request is received. The Information Commissioner’s Office (ICO) has confirmed that while it has no power to change this statutory timeframe, organisations will not be penalised for delays stemming from the need to prioritise other actions in view of the pandemic. In addition, in a recent blog, the ICO informed individuals of the possibility of delays in view of the pandemic.
If your charity receives a DSAR, you should still aim to comply within the one-month timeframe where possible. For instance, the information requested may be stored electronically and be easily accessible by staff working from home. However, if it becomes apparent that delays are likely, you should communicate this to the requestor as soon as possible and let them know when they can expect to receive the requested information.
Although DSARs usually have to be complied with within one calendar month, there is a legal provision to claim an extension of a further two months (providing a total of three months) where necessary, due to the complexity and/or number of requests. Whether a request is complex depends upon the specific circumstances of each case. For example, it could be complex because of technical difficulties in retrieving the requested information from a system, or because applying an exemption involves large amounts of sensitive information. We have certainly been advising clients to consider claiming this exemption because of difficulties in retrieving manual records from buildings which are effectively locked-down due to COVID-19.
Where you are unable to comply with the statutory timeframe, it is important to keep a written record of the reasons for these delays (i.e. “Comply or Justify”). This will help demonstrate compliance and accountability in the event that the ICO receives a complaint from a requestor.
- In order to comply with a DSAR, we need to go into the office to collate manual records. Is this essential working?
Reducing day-to-day contact with others is essential to prevent the spread of COVID-19, and people are advised to work from home wherever possible. Individuals may travel to work provided that they, and members of their household, are free from COVID-19 symptoms and social distancing guidelines are observed.
As a first step, staff members working from home may easily be able to provide electronically accessible information in response to DSARs. If employees are already at work, or able to travel to and from work safely, then they may be able to search the charity’s records to comply with the request (though noting the need to prioritise other tasks as appropriate). Charities should exercise caution in this respect, and ensure that staff are appropriately safeguarded.
Where compliance with a DSAR is only possible by attending the charity’s offices to review physical files, care should be taken to minimise risk to staff and the requestor, for example by converting the relevant files into an electronic format to send out, or by undertaking the review over a period of time (and explaining any resulting delays to the requestor).
- More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Protecting personal data is probably the biggest challenge facing organisations. Keeping data secure is difficult, even when that data is handled within the charity’s own offices, but that task becomes even more difficult when it is handled offsite.
In accordance with the Data Protection Principles, organisations have a legal obligation to implement appropriate technical and organisational measures to ensure that personal data is adequately protected. This is particularly important where staff are working remotely. Use of personal devices for work purposes, unsecured WiFi networks, and scams targeting remote workers, to name but a few, all pose potential threats and must be considered.
There are a wide range of measures that charities can implement to ensure compliance with the Data Protection Principles, and to help protect personal data. We have set out some key example considerations below:
- Staff training: charities should ensure that all staff working from home have had (or are directed to) appropriate training to ensure that they understand their data protection obligations and how to reduce security risks.
- Awareness of the environment: care must be taken when working from home to prevent any inadvertent data breaches, for example by using laptop privacy screens; locking computers when away; and taking care when speaking on the telephone or in video conferences that virtual assistant listening devices, such as Alexa and Google Assistant, are not “listening” or “recording”.
- Restricting access: requiring two-factor authentication to access records and systems.
- Encryption of portable and personal devices: if staff are working from personal devices you should ensure that all of those devices have encryption enabled.
- Additional protection: charities should ensure that where staff are working from personal devices, they have adequate and up-to-date internet security arrangements in place.
- Third-party video conferencing software: if using third-party software such as Zoom, ensure that privacy settings are configured to protect personal data and to mitigate the risk of exploits, e.g. only the meeting host is able to share screens and files.
- Look out for phishing emails: the COVID-19 outbreak has unfortunately led to a surge in phishing scams targeting home workers, and staff should be provided with information to help identify such scams so as to protect personal data.
The current situation provides charities with a good opportunity to review their remote working and Bring Your Own Device (BYOD) policies, to ensure that adequate arrangements are in place.
Our Information Law Team, working together with our Charity lawyers, are on hand to help provide you with GDPR-compliant policies and remote staff training as required.
- How can we make sure our organisation is resilient to cyber-attacks or breaches at this time?
Last year, the government’s Cyber Security Breaches Survey 2019 revealed that around 20% of charities have experienced some form of cyber-breach or cyber-attack in the past 12 months, highlighting the vulnerability of the sector. The Charity Commission has highlighted the importance of taking a proactive approach, prioritising detection and prevention of cyber-attacks, including:
- Regular reviews: a charity should regularly review the personal data it has stored and ensure that personal data is only retained where necessary (in accordance with the Data Minimisation Principle). This both reduces the risk that the personal data becomes irrelevant, excessive, inaccurate or out of date, and ensures such data is stored appropriately to reduce vulnerability to a cyber-attack.
- Back-up systems: ensure that back-up systems are stored separately and safely, so that malicious software cannot prevent all access in case of a cyber-attack.
- Protection: ensure that all firewalls and anti-virus software are up to date and working optimally. In addition, staff should be appropriately trained in how to deal with spam emails and downloads safely.
As home-working becomes more and more common, ensuring that adequate cyber-security measures are in place is all the more important. The National Cyber Security Centre has published some useful guidance on how to ensure organisations are prepared for home working, available here.
- Can I tell my staff that a colleague may have potentially contracted COVID-19?
The ICO recommend that organisations keep staff informed about confirmed and suspected cases of COVID-19, as this is vital to ensure that staff who may have come into contact with an infected individual take appropriate measures to self-isolate. This is in keeping with the charity’s obligations to look after the health and safety of employees.
Please note that in many cases it may not be necessary to name a specific individual, and you should ensure that you provide only the minimum information that is necessary. This may be satisfied by informing staff that a colleague in the office had symptoms of COVID-19 and that all staff within that office are therefore advised to self-isolate to prevent the potential spread of COVID-19.
- Can I share employees’ health information with authorities for public health purposes?
If it becomes necessary to share details of confirmed or suspected cases with authorities for public health purposes, then you will be able to share employees’ health information. Remember, you should only share information that is necessary, and so it may be possible to withhold the name of a specific individual. For example, where the charity is asked for the number of confirmed cases and the symptoms displayed, this information could be provided without naming the affected individuals.
- We are planning a fundraising campaign. What are the latest data protection rules on direct marketing?
In the midst of the COVID-19 pandemic, charities are facing a complex crisis. Rules around social distancing have resulted in the suspension of person-to-person fundraising and a consequent dip in charities’ funds. Conversely, the crisis has also led to an increase in demand for the services of many charities. Clearly, charities need to be able to continue with their important work and continue to raise funds to enable them to do so. If you are substituting face-to-face fundraising with postal or digital campaigns using email or telephone, remember that you still need to comply with data protection rules as you will be directing advertising or marketing material to particular individuals (direct marketing).
- Does the EU General Data Protection Regulation (GDPR) apply?
GDPR applies to any postal, email or telephone campaign that involves the processing of personal data such as an individual’s name, telephone number, email address or postal address. The method you choose to communicate with your supporters as part of your direct marketing campaign may vary but the GDPR rules will stay the same. Essentially you must tell individuals that you are processing their personal data and the reasons why and have a legal basis from GDPR in place.
If you are relying on consent you need to ensure that it meets the GDPR standards, i.e. fully informed, unambiguous, positive affirmation of agreement (do not use pre-ticked “opt-in” boxes), freely given, capable of being withdrawn, specific to the purpose for which it is given, and evidenced appropriately. Under GDPR, individuals have an absolute right to object to direct marketing so you should have procedures in place to deal with this.
- Are there additional rules for email and telephone direct marketing?
Yes. If you send an individual unsolicited direct marketing (i.e. marketing that has not been specifically requested) via email, telephone (including automated calls), SMS/text or fax, then in addition to GDPR you also need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR).
PECR rules vary depending on the mode of communication but in brief terms, they are as follows:
- Live telephone calls: you can call numbers that are not registered on the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) without the subscriber’s consent, but only if there is no previous objection. If you want to call a number registered with the TPS or CTPS you must have the subscriber’s consent in order to override their general objection to direct marketing calls.
- Automated Telephone calls: you can only make these with consent.
- Emails and SMS/Text: in general, you need an Individual Subscriber’s consent before sending them direct marketing by email or SMS/text. The rule can apply differently to Corporate Subscribers depending on the context.
If you are planning to carry out profiling or data enrichment, you should ensure that this is carried out fairly and transparently and consider whether you need to carry out a Data Protection Impact Assessment (DPIA).
If you collect data directly from individuals you must give them privacy information (usually in the form of a Privacy Notice) at the time you obtain their details. However, some charities obtain personal data from other sources, such as public sources or third parties. If you are obtaining contacts from sources other than the individuals themselves, you must provide them with privacy information within a reasonable period of time and no later than 1 month from the date of collection.
Data protection in fundraising and direct marketing is a complex area, so be sure to watch out for our specific updates, webinars and podcasts.
- Can we send COVID-19 related emails to our contacts or is that caught by the Privacy and Electronic Communications Regulations (PECR)?
COVID-19 emails may be caught by PECR if they fall within the definition of unsolicited direct marketing carried out electronically. Whether an email communication is a service message or a direct marketing communication can be a minefield, so tread with care. If you are using COVID-19 as a reason to publish details of a fundraising campaign, or to promote goods or services to potential new supporters, or to persuade existing supporters to upgrade or purchase additional services, then the chances are your email will amount to direct marketing, in which case PECR will be engaged and you are likely to need consent. However, if you need to communicate with customers or supporters to let them know that a service or an event has been affected by COVID-19 then PECR is unlikely to apply.
As tempting as it may be to tack on fundraising and other direct marketing messages to essential and ordinary service messages, don’t. The ICO has adopted a firm line on this, as demonstrated when it fined the telecommunications company “EE” £100,000 last year, for sending over 2.5 million direct marketing messages within a service message to existing customers without consent. The simple message here is if your email contains customer or supporter service information and also fundraising or marketing information, it is no longer a service message and PECR will apply.
- One of our legal bases for processing is consent and we usually obtain this in writing. Can we rely on oral consent?
You can obtain oral consent, but you need to be careful to retain evidence that it has been provided, the date it was provided and what the data subject was consenting to. This is because under GDPR, where you are processing personal data on the legal basis of “consent”, you are legally required to be able to demonstrate that the data subject has consented to the processing of his or her personal data.
For example, if you take a telephone call from a supporter and during that call they consent to you sending them direct marketing by email and post, you should carefully document:
- the date and time of the telephone call
- the name and contact details of the data subject
- the name of the relevant member of staff
- confirmation that you have informed the data subject of their legal right to withdraw their consent at any point in time and how to do this
- confirmation that the data subject has been directed to the charity’s Privacy Notice, and
- details of what the individual was consenting to, e.g. to receive emails but not telephone calls.
- We are a community charity and have got together a big group of volunteers to help the vulnerable. This means we are collecting information about these vulnerable people and we are using WhatsApp / Facebook to coordinate a response. What are our obligations from a data protection perspective?
Provided your charity complies with the Data Protection Principles, it may collect information and coordinate a response. For instance, you should identify a lawful basis for the collection and use of personal data such as “consent”. You should also ensure that personal data obtained is only used for the purpose for which it was collected, and so you should make it clear to data subjects why their personal data is being collected before doing so. The charity will also need to ensure any personal data being stored is accurate and that appropriate measures are in place to protect personal data.
In addition, the collection, use and retention of any personal data must be limited to what is necessary in relation to the purposes for which it is being processed. This means that you should identify the minimum amount of personal data needed about vulnerable people in order to provide help, and not ask for or use surplus data. For example, where a service may be to telephone vulnerable people in isolation to provide company, necessary personal data to be retained may consist of names and telephone numbers, contact preferences, and records of calls made (e.g. number, frequency, duration), so as to allocate resources appropriately.
- What are the data protection issues around counselling over social media (i.e. what processing of personal data is involved in maybe giving health guidance over a webcam conversation)?
The issues of data security, personal privacy and the overarching role of the internet are rarely out of the news. Counselling and preventive services might be thought to be less at risk of censure over data protection issues, given their strong professional and ethical commitment to protecting client confidentiality. However, respect for confidentiality is no guarantee of understanding the fine detail of data protection.
Neither GDPR nor the Data Protection Act 2018 prevents the use of online platforms for counselling and/or advice, but they do require the Data Controller to consider the security implications of such use and then implement measures to ensure the information is appropriately secure. The issues covered above in relation to data security while staff are working from home and using personal electronic devices will be key considerations.
It is important that charities take reasonable steps to ensure individuals are in a safe physical environment and are informed about the safe use of technologies: for example, that adequate security measures are needed to protect sensitive information held electronically, and that it is inadvisable to place confidential data on publicly accessible sites.
Please do get in touch with a member of our Information Law Team if you would like further advice or assistance.