How do I ensure my use of video conferencing calls complies with GDPR?
With the loss of face-to-face meetings in the current situation, video conferencing has taken centre stage. But how do you do that in a compliant way? Here are some of the main high-level data protection issues to consider when selecting and implementing a new third party provider’s video conferencing system.
- Make sure you do your due diligence on the security measures offered by the provider. Clearly you can’t visit them, so look at the information offered publicly by the provider and read good quality, reliable, third party sources and ask the provider questions directly. Also ask any other organisations you know that use the provider. Document all this.
- If personal information is being sent outside of the UK/European Economic Area, make sure that transfer complies with GDPR. If it’s a US provider, is it registered in the EU-US Privacy Shield list or does it offer a model clause contract (you’re likely to need the 2010 version)? Or is the service provided from a country whose data protection laws offer equivalent protection to those in Europe? Look at the support service as well as the hosting. Document this.
- Make sure you put a compliant processor agreement in place. The provider should offer one as part of the contract terms. Check it meets GDPR requirements.
- You’re likely to need to update your privacy notice, particularly if you’re going to record calls. Provide participants with a short message and link to the privacy notice in the meeting invite and on any registration page.
- Create or update other GDPR-mandated documentation – for example, depending on your use, you may need a legitimate interests assessment and to update your record of processing.
- Finally, configure and use the system in a secure and compliant way. Look at the settings/options carefully and think through the security and compliance implications of each. That could include deciding who in the meeting can share their screen; whether or not you use passwords for participants; whether or not to record, and if you’re going to record, where to store the recording. Document your decisions and the reasons for them.
The ICO has said it understands that resources, whether they are finances or people, might be diverted away from usual compliance work during the pandemic. However the last thing you need at the moment is to create a bigger problem than the one you are trying to solve. So do the best you can, ask for help from one of our specialists if you need it, and keep the whole thing under review.
On 16 April 2020, Ian Hulme, the ICO’s Director of Assurance, posted a blog for business owners, employers and managers about how to safely roll out the latest video conferencing technology.
On 21 April 2020, the NCSC published security guidance for organisations on choosing, configuring and deploying video conferencing services.
Related FAQs
The formal Government position relating to construction sites is that construction work should continue on site if it can be conducted safely, and the Business Secretary, Alok Sharma, has written an open letter to the UK Construction Industry thanking it for all its help in the current crisis. The letter also confirms the Government’s current official policy of keeping construction sites open. The full text of the letter can be downloaded.
This also remains the formal position of the Construction Leadership Council (CLC) with the qualification that sites should operate in accordance with Public Health England instructions; without compromising health and safety; and in accordance with the Site Operating Procedures issued last week by the CLC.
In practice, many construction sites have been closed by national developers and house builders due to difficulties with staffing and supply chain, and practical issues with compliance with the social distancing and site operating procedures.
The Scottish Government has recently issued guidance that all non-essential construction sites, which includes housing, office, leisure, schools and retail sites, must close to reduce the risk of the spread of Covid-19.
The Government’s Corporate Insolvency and Governance Act introduces amendments to the current rules for companies on holding meetings, to address the difficulties companies are facing due to the Covid-19 pandemic.
The new provisions apply to meetings held between 26 March 2020 and 30 September 2020 (referred to as the “Relevant Period”). Subsequent regulations by the Government can be used to shorten this period or extend by up to 3 months but not past 5 April 2021.
The provisions will have retrospective effect, so meetings that were held after 26 March 2020 that may not have met the usual legal requirements due to lockdown, will be validated under these new provisions. These provisions under the Act make amends to relevant legislation and override a company’s articles of association.
For general meetings and certain other meetings of companies, the Act states that:
- The meeting need not be held in any particular place;
- The meeting may be held, and any votes may be cast, by electronic means or other means;
- The meeting may be held without anyone being in the same place
- Persons attending the meeting no longer have the following rights: the right to attend in person, the right to participate in the meeting other than by voting, or the right to vote by particular means.
The aim of these changes is to facilitate virtual meetings, and remove the need for a physical venue.
Where a company was required to hold its AGM between 26 March and 30 September 2020, it can be held at any time before 30 September 2020. The Secretary of State has the power to make regulations to further extend the deadline.
Yes.
An employer which is aware that a worker or agency worker is or ought to be self-isolating, should not knowingly allow that worker or agency worker to leave the place that they are self-isolating in (“the designated place”). To do so without reasonable excuse would amount to an offence which could result in the employer being issued with a fixed penalty notice.
The value of the fixed penalty varies depending on if it is the first or subsequent fixed penalty notice to be issued:
| First fixed penalty notice | £1,000 |
| Second fixed penalty notice | £2,000 |
| Third fixed penalty notice | £4,000 |
| Fourth, and any subsequent fixed penalty notice | £10,000 |
Obtaining an employee’s Covid-19 test result will amount to processing personal data for the purposes of the General Data Protection Regulation 2016/679 (GDPR) and information about an employee’s health is a special category of data (sensitive personal data under the Data Processing Act 2018 (DPA)).
In accordance with the GDPR and DPA, there must be lawful grounds for processing such information. Most employers rely on employees’ consent to obtain medical information and process sensitive personal data and if the employee is unwilling to give consent, you will not normally be entitled to the information.
Special category data can be processed lawfully if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Employers may be able to require an employee to disclose their Covid-19 test if there is a substantial public interest, such as ensuring that the employee self-isolate if they have a positive test. However, there is a risk that this measure could be considered disproportionate particularly if it is enforced on all employees as a blanket measure.
Yes, but as a last resort. In summary, the law requires employers:
- to assess the workplace risks posed to new or expectant mothers or their babies;
- to alter the employee’s working conditions or hours of work to avoid any significant risk to them;
- where it is not reasonable to alter working conditions or hours, or would not avoid the risk, to offer suitable alternative work on terms that are not “substantially less favourable”;
- where suitable alternative work is not available, or the employee reasonably refuses it, the employer should consider whether it is appropriate to suspend the employee on full pay.