Data protection and coronavirus

The Information Commissioner's Office has issued guidance for data controllers on their data protection compliance obligations during the coronavirus outbreak. Euros Jones, Alexander Gorst and Natasha Jordan look at the key points.

As we continue to acclimatise to our new working environments, the Information Commissioner's Office (ICO) has issued guidance for data controllers on their data protection compliance obligations during the coronavirus pandemic.

The guidance stresses that data protection is not a barrier to increased and different types of homeworking. Data protection law does not prevent staff from working from home more frequently than usual or using their own computer device or communications equipment.

However, the guidance also states that you will need to consider the same kinds of security measures for homeworking that would be used in normal circumstances. Most employers will already have data protection and flexible working policies in place and it is critical that employers communicate the importance of such practices. This should include policies about confidentiality, information management and having IT facilities at home.

In practice, whilst keeping data safe and secure inside an office is one thing, keeping it safe outside the office can be more challenging. Here are some useful tips on how to keep yourself and your organisation safe from a data protection and cyber security perspective when working from home:

Use an encrypted, password-protected laptop

When working out of the office, the best practice, whenever possible, is to use your work laptop. Make sure it is encrypted with a strong password in case it gets lost or stolen. Avoid sending any sensitive data to your own personal email address, where it is more vulnerable to data breaches.

Make sure you are protected

Whether you are using a work or personal laptop, ensure that it is protected with the latest anti-virus and anti-malware software. Doing so will protect you from the latest threats and the ever-changing array of viruses and malware that can attack your computer.

Use strong passwords

Make sure your computer and all accounts are protected with strong passwords and/or a two-step authentication process.

Avoid downloads: use the intranet instead

Avoid downloading sensitive data to your laptop, in case the laptop gets lost or stolen. Accessing data by securely logging into the organisation’s intranet is the best option.

Keep your work hidden

Never leave a screen on when there is a risk that sensitive data could be seen by others. Printing out personal data is also not a good idea, as papers can go missing or fall into the wrong hands.

Remember to report

Always report potential data breaches as soon as they happen. Data protection law requires you to notify the ICO of a breach within 72 hours from when it happened.

Reasonable and pragmatic approach

The take-away point from the guidance is that the ICO will take into account “the compelling public interest in the current public health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations.

Most importantly, although the guidance states that the ICO cannot modify statutory timescales, such as the duty to report a breach within 72 hours, it will not take regulatory action by penalising organisations that it knows need to prioritise other areas or adapt their usual approach.

Euros Jones is a partner, Alexander Gorst is an associate (employed barrister) and Natasha Jordan is a solicitor at Weightmans. Euros can be contacted on 020 7822 1928, Alexander can be reached on 0207 822 1949 and Natasha can be contacted on 0161 214 0663.