COVID-19: Data protection risks and mitigation strategy

Many companies have been monitoring employees’ personal and health data because of the COVID-19 outbreak. Others have been adopting flexible working arrangements to minimize the health risks associated with employees and customers being in close physical contact, resulting in millions of online interactions and transactions taking place.

These activities have created additional data security risks that, if not properly managed, could result in breaches and consequential loss of reputation and business, regulatory enforcement actions and litigation.

In this article, we set out our recommended approach to managing the additional COVID-19 data security risks.

Designing data protection protocols to mitigate data security risks

The first step in designing a data protection protocol is to identify the types of data that are being collected, processed and used. 

In the context of COVID-19, there are at least four types of collected data that need to be protected:

• Personal data of employees: This includes employees’ name, employee ID, address, relatives, and location data.
• Health data of employees: This includes health data and health history of employees, such as collecting information as to whether the employee has specific symptoms.
• Customers’ personal and confidential data: This includes customers’ personal and confidential information, such as customers’ name, identity card / passport number, work and residential address, email address, phone number, and bank account details.
• Company’s sensitive and confidential information: This includes proprietary trade secrets, sensitive information that may be considered information of critical information infrastructure and/or state secrets under mainland China law, and all other sensitive and confidential information.

Once the types of data that are being collected, processed and used have been identified, it is advisable that companies develop dedicated confidentiality and security protocols or revisit the existing protocol to ensure mitigation of risks to data breaches arising out of the COVID-19 outbreak. 

We recommend that these protocols take into account the five key considerations set out below.

Key consideration 2: Implement confidentiality measures for work-from-home arrangements

The second area of equal importance is having protocols with confidentiality measures for your work from home employees to protect your company’s sensitive and confidential information (which could include customer and employee data) which is now being accessed through a work from home environment that may not be as secure as an office environment, particularly if your employees are living with and working in close proximity with other people who are not also your employees. Some additional precautionary measures to consider implementing include:

• Using mandatory privacy screen shields for laptops.
• Taking calls away from other people and where possible, in separate rooms.
• Using headsets for confidential calls.
• Making sure that hard copies of your company’s confidential information are securely disposed of and/or kept after its use.

Key consideration 3: Implement data security measures

The third critical area which your protocols should address is having security measures for the protection of all kinds of data, including personal data, health data, customers’ data, company’s sensitive and proprietary data, etc. These measures should include considering the following issues:

• The technical measures in place to guard against unauthorized or accidental access, processing, use, erasure or loss of data, bearing in mind that in a work-from-home arrangement, employees are accessing your company’s network without the security measures that are in place at the office.
• Appropriate data backup measures in place to guard against any accidental loss of data due to security issues or system breakdowns.
• Measures to guard against internet fraud, scams, phishing emails, etc., including verification procedures for verifying identities of requests for money transfers.
• Emergency and action plans for data breach.

Key consideration 4: Comply with cross-border data transfer laws and regulations

The fourth area which your protocols should cover is compliance with cross-border data transfer requirements, taking into account the jurisdictions where you are hosting the data and the jurisdictions to which the data is being transferred. Jurisdictions such as mainland China and Europe have particularly stringent data transfer requirements. Some key issues to consider and address are: 

• Have cross-border transfers become or are they likely to become necessary and more prevalent due to the COVID-19-driven closure of borders and travel restrictions?
• Have you complied with all applicable foreign laws and regulations concerning cross-border data transfer? For example, have you considered the applicability of the personal data protection, processing and transfer rules under the European Union General Data Protection Regulations and complied with the same?
• Have you considered whether your company’s services may be covered by and considered “critical information infrastructure” under the mainland China Cybersecurity Law, and if so, have you complied with the relevant regulations concerning cross-border data transfer?  
• Have you considered whether you may be handling information and documents which may be categorised as state secrets, and is it permissible to take the relevant processes online in light of compliance with state secrecy provisions?

Key consideration 5: Comply with sector specific regulations

If your business is regulated, you will also need to ensure that your protocols comply with sector-specific regulations. Additionally, if you are turning to innovation as a means of overcoming and/or easing the disruption to the provision of your services during COVID-19, you need to be aware that specific regulations may apply to certain areas of services provided, including those involving non-face-to-face approaches to clients’ businesses. Some key issues to consider for your protocols are:

• Have you checked and complied with specific regulations concerning non-face-to-face approaches to client’s businesses? 
• Have you checked and complied with specific regulations concerning electronic signing of documents as well as other sector-specific regulations such as those concerning non-face-to-face identity verification?