Corporate & Commercial legal expert Caroline Armitage explains why you must review your Privacy Policy in the light of COVID-19.
There are some things in life which we ‘need’ rather than ‘want’, and I would hazard a guess that Privacy Policies fall into that category. But in a world where so much is conducted virtually, and where a great deal is going to depend on the ability of the authorities to Test and Trace for COVID-19, this is something we need either to think about again or, in some cases, to address for the first time.
Online businesses have become used to the fact that they need a Privacy Policy, but when did you last look at yours? For many businesses it may not have been since the introduction of the GDPR and the Data Protection Act 2018. The world has changed since then, and it is worth making sure your policy is up to date.
Many more businesses are now keeping personal information: names, addresses and phone numbers. I went into a little café on the Downs recently, and was asked to fill in my details for Test and Trace. Did they have a Privacy Policy, or had they updated the one on their website to allow for this new use? I suspect not. I didn’t ask them, but it did cross my mind! The fact that the information was written in a simple book doesn’t mean they don’t need a policy: the data protection rules apply to paper records as well as to electronic ones.
So here is a brief checklist of what you might need to think about in the context of COVID-19:
- Are you a business which didn’t previously keep customer details but now needs to? If so, prepare a policy, put it on your website and direct people to it with simple notices on your premises.
- Add some wording to your existing policy to explain why the information is needed.
- Explain the lawful basis on which you collect and keep the information, and make clear that you may disclose it to the relevant public health authority if asked.
- If you are a faith-based organisation, remember that a visitor record may reveal religious beliefs: someone who visits a place of worship or a religious website has, in effect, disclosed them. Religious belief is special category data under the GDPR (not merely a protected characteristic under equality law), so you need a further condition for processing it, and for visitor records that will usually mean explicit consent.
- Decide in advance how long you will keep the data and say so in the policy. Keep it for the shortest reasonable time given the purpose it is collected for, and delete it securely once that period has passed.
- If you intend to use the data for any other purpose, such as marketing, say so explicitly. Details collected for Test and Trace cannot simply be added to a marketing list: every other use must be set out in the policy and have its own lawful basis. If you haven’t previously kept marketing lists, think carefully about what other uses you might put the information to before you collect it.
- If you have employees, check your employee privacy policy in particular.
- Don’t forget that the results of any health checks or tests you ask staff to take or disclose (COVID-19 test results, for example) are health data and must also be covered.
- Check that the stated purposes now include public health disclosure, and that the list of third parties to whom you may disclose data includes health authorities and agencies.
- If you are processing health data, or any other type of special category data, then you are legally obliged to have a data protection policy (the Data Protection Act 2018 calls this an ‘appropriate policy document’) and a record of your processing activities setting out how you deal with each type of data you process, in addition to your privacy policy.