30 June, 2021
Regardless of your thoughts on the actions of the government over the previous week, the stories have certainly given us some good examples of data protection in play in the workplace.
There are a number of questions that arise from the disclosure of CCTV from Matt Hancock's office to The Sun newspaper.
Some commentators are questioning whether or not CCTV should have been operating in the first instance. The use of CCTV in the workplace is not prohibited under the GDPR. However, organisations must identify a lawful basis for the recording, make people aware that they may be recorded (for example through signage), control who has access to recordings and ensure the system is only used for its intended purpose, usually the prevention or detection of crime. Covert recording is very rarely justifiable and should only be used in exceptional circumstances, with the justification documented in advance.
Secondly, there are questions being asked about how the footage ended up being provided to The Sun newspaper. Regardless of the rights and wrongs of the disclosure, the incident highlights the importance of limiting access to CCTV to a small number of named operators, subject to contractual confidentiality requirements, and of keeping a record of who has viewed or exported footage so that any disclosure can be traced.
Additionally, there is a question over whether or not the individual responsible for providing the footage to The Sun has committed a criminal offence under the Data Protection Act 2018. Under section 170 of the Data Protection Act 2018 it is an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller. However, the individual in question may well have a defence to this offence on the basis that the disclosure was justified as being in the public interest, or that it was made for journalistic purposes in the reasonable belief that it was in the public interest.
The next data protection example to be taken from the saga is the allegation that Matt Hancock used his personal email account to conduct government business. Many organisations prohibit staff from using their personal email accounts to conduct business (e.g. staff are prohibited from forwarding work to their personal email address or from contacting clients or customers via their personal email account). Personal email accounts are outside of an organisation's control: they are not subject to the organisation's security controls, backup, archiving, retention or compliance measures, and the IT team has no visibility of them.
The use of personal email accounts to conduct business means that an organisation has no control over the data stored in that account. The organisation will have no way of knowing where in the world that data is being stored or where it has been transmitted to (e.g. an organisation may have restrictions in place to prevent data being sent outside the UK or the EU, but if the data is held in a personal email account those restrictions will not apply to it).
Additionally, if data is held outside an organisation's control, it will not be found when the organisation has to search its systems. Organisations have a number of legal obligations which may involve a search of the organisation's email system (for example subject access requests, freedom of information requests and disclosure in the event of a claim being made or defended). Those obligations attach to the information itself, not to the mailbox it happens to sit in, so the organisation remains responsible for data it cannot locate.
In order to manage these risks, organisations should have in place an ICT Acceptable Use policy which includes a prohibition on the use of personal email accounts for work purposes, and should consider what technical measures can be put in place to enforce it, for example blocking mailbox rules that automatically forward to external addresses, filtering or flagging outbound mail addressed to consumer webmail domains, and monitoring for staff sending work material to an external address that matches their own name.
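As an added illustration of the kind of technical measure referred to above (this is example code written for this page, not anything used by the organisations or people discussed in it), the script below scans a constructed outbound mail gateway log and flags messages sent to consumer webmail domains, marking separately those where the recipient's address looks like the sender's own personal account (a self-forward). The log format, the domain list and the organisation domain `example.gov.uk` are all assumptions for the example.

```python
import re
from collections import namedtuple

# Consumer webmail domains a mail gateway might block or flag as outbound
# destinations. Illustrative list (assumption), not an exhaustive one.
PERSONAL_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "hotmail.co.uk", "live.com", "yahoo.com", "yahoo.co.uk",
    "icloud.com", "me.com", "protonmail.com", "proton.me", "aol.com",
}

# Constructed sample of an outbound mail gateway log (not real data).
# One message per line: timestamp, sender, recipient, subject.
SAMPLE_LOG = """\
2021-06-28T08:03:11Z from=a.smith@example.gov.uk to=b.jones@example.gov.uk subject="Briefing"
2021-06-28T08:15:42Z from=a.smith@example.gov.uk to=asmith1984@gmail.com subject="FW: Briefing"
2021-06-28T09:02:07Z from=c.patel@example.gov.uk to=accounts@supplier.example.com subject="Invoice"
2021-06-28T09:40:19Z from=d.lee@example.gov.uk to=d.lee@Hotmail.co.uk subject="Notes"
2021-06-28T10:11:55Z from=e.khan@example.gov.uk to=e.khan@mail.example.gov.uk subject="Rota"
"""

Finding = namedtuple("Finding", "line sender recipient reason")

LINE_RE = re.compile(r"from=(?P<sender>\S+)\s+to=(?P<recipient>\S+)")


def domain_of(addr):
    """Domain part of an address, lower-cased so Hotmail.co.uk matches."""
    return addr.rsplit("@", 1)[1].lower()


def local_part(addr):
    """Local part of an address, lower-cased."""
    return addr.rsplit("@", 1)[0].lower()


def normalise_local(local):
    """Strip dots and other punctuation so 'a.smith' and 'asmith1984' compare."""
    return re.sub(r"[^a-z0-9]", "", local)


def is_internal(domain, org_domain):
    """True for the organisation's own domain and any of its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)


def looks_like_self_forward(sender, recipient):
    """Heuristic: recipient local part begins with the sender's own local part."""
    s = normalise_local(local_part(sender))
    r = normalise_local(local_part(recipient))
    return bool(s) and r.startswith(s)


def scan_outbound_log(log_text, org_domain):
    """Return a list of Findings for messages sent to personal webmail accounts."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or non-message line; ignore
        sender, recipient = m.group("sender"), m.group("recipient")
        rdom = domain_of(recipient)
        if is_internal(rdom, org_domain):
            continue  # internal mail is out of scope for this check
        if rdom not in PERSONAL_MAIL_DOMAINS:
            continue  # external business domain; not a personal account
        reason = "recipient is a consumer webmail account"
        if looks_like_self_forward(sender, recipient):
            reason += " (likely self-forward to sender's own personal account)"
        findings.append(Finding(lineno, sender, recipient, reason))
    return findings


if __name__ == "__main__":
    for f in scan_outbound_log(SAMPLE_LOG, "example.gov.uk"):
        print(f"line {f.line}: {f.sender} -> {f.recipient}: {f.reason}")
```

A real deployment would run the same logic inside the mail gateway or a data loss prevention rule so the message is quarantined rather than merely reported, and would treat the self-forward heuristic as a prompt for review rather than proof of wrongdoing.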
Finally, we heard at the weekend that classified Ministry of Defence documents were found at a bus stop in Kent by a member of the public.
Whilst the loss or theft of paperwork is decreasing as more information is handled electronically, we still hear of serious incidents involving the loss or theft of confidential paperwork. These incidents commonly occur where information is held in paper files rather than electronically on an encrypted device. Staff carry the paper files around (e.g. for visits, court attendance, appointments etc.) and store them at home whilst not in the office, which increases the risk of the documents being lost or stolen.
Organisations should consider whether paper files are the most secure method of record keeping. If paper files are required, they should not be left unattended (e.g. in a car overnight) and should be locked away when not in use. Wherever possible, personal data should be stored electronically on devices with full-disk encryption, so that a lost laptop or drive does not become a data breach.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.