Data protection and coronavirus – 11 measures for handling data during a crisis

Setting up a home office and processing health data

Many companies allow their employees to work from home due to the spread of the corona virus. As a preventive measure, companies also process health data to better protect themselves against the spread of COVID-19. However, both strategies can lead to considerable risks from a data protection perspective.

Many businesses are affected by the effects of the corona virus (SARS-CoV-2). Some companies have already instructed employees to work from home or have documented their state of health. Even in such situations, GDPR or general data protection measures should not be disregarded, in particular precautions for organisational and technical safety. Some companies already have a home office policy for employees, others do not. This article will provide an overview of the steps that need to be taken. (How to set up Home Office in a week)

Measures to protect against corona virus

If information on the state of health of employees is collected, data is processed which, as health data, is subject to an increased level of protection under the GDPR. This data can be processed, for example, by taking fever readings at the entrance to the company premises or by interviewing the employees themselves. In view of the need to protect other employees or customers from infection, it is considered permissible to query the state of health, but not to obtain general health information. Whether or not a temperature reading would be justified is still being discussed among data protection experts, and the voluntary nature of participation in such a measure plays a role here. Comprehensive fever measurements, systematic medical records, mobile phone tracking and excessive evaluation of the movement profiles of traveling employees, on the other hand, are generally considered to be excessive measures whose purpose could be achieved by less invasive means (such as surveys).

Thus, if health measures are taken to protect against the coronavirus and health data are processed in the process, data protection regulations (including legal exceptions or authorizations, consents) must be observed.

Home office and data security

If employees are encouraged to work from home, it makes a great deal of sense to think about how the work processes can be made available so that it is possible and safe to continue working.

Arrangements for working from home can be made in individual or framework agreements. It should be considered in advance which documents are needed at home in order to be able to work at all. It should also be considered how the documents or databases (CRM applications) are made available and where they are saved. It must also be clarified whether it is possible to work with private or company-owned equipment. Do the private devices meet the same minimum technical standards? Can the data transfer be encrypted and secured?

Measures to ensure data security

Here are possible measures that can contribute to data security:

  • Lock the study (if available) and lock confidential documents in filing cabinets
  • Secure the Internet connection
  • Release sensitive data via card reader or user ID, and use 2-factor authentication
  • Connect to the company network via VPN
  • Encrypt data transmission
  • Connect the printer locally (LAN)
  • If company-owned devices can be used, they should not be used privately
  • Shred paper printouts before disposing of them in household waste
  • Ensure that other persons (e.g. family members, flatmates, visitors) do not have access to the company data
  • Use secure collaboration tools (chats, video conferencing, etc.)
  • Remove private voice assistants (Alexa & Co) from the workspace

Help your employees to set up the devices and inform them about the safety measures to be observed. Make your employees aware of the danger of phishing mails and social engineering. It should also be clear that data breaches must continue to be reported to the supervisor, even in the home office. There are currently a number of stumbling blocks on the Internet on the subject of the corona virus (Article from Wired on current hacking wave).

Taking data protection risks into account when setting up home offices is an important component. If you have any questions or specific individual cases, please contact an expert or the MoreThanDigital community.

Mag. Karin Dietl is an independent management consultant and specialist in data protection compliance. She began her training as a textile chemist, spent several years at international commercial law firms in addition to passing the bar exam, and has been working on the digital economy since 2010. She currently advises companies on information security, data protection, risk management, digital ethics and corporate digital responsibility. She also conducts data protection audits and acts as data protection officer for companies. In addition, she is a speaker at events and the author of numerous specialist publications.
