For smaller businesses, such as a shop, a pub, a restaurant, a trading company or a sports club, the situation is even tougher. They have been used to transactional data in the system and may not have a privacy or retention policy in place for the kind of personal and health data suddenly arriving in the business.
Here are 8 types of personal data to be aware of:
1. Data collected on entry to premises
It’s normal for businesses to collect the name of visitors or vendors when they visit the office, but now coffee shops, restaurants and leisure facilities are having to do the same.
Visitors are increasingly asked a wider range of questions, too: travel history, body temperature, family members, whether they have been in contact with anyone high risk and more.
This is data that organizations have never collected before – and many companies don’t know how to handle it. Who is responsible for it? How should it be stored? When should it be destroyed? What is important to know is that all this information is considered personal data.
2. Data collected from employees
It would not be unusual for employees to be asked about their personal health, the health of their families, whether they have had contact with someone who has tested positive for Covid-19 or has shown symptoms, where they have traveled recently and whether they live with anyone who is vulnerable.
All are vital questions, but they are questions which result in highly sensitive data being recorded – and that’s risky. Who is responsible for this data? Storing it alongside routine data collected by HR and failing to treat it differently could lead to long-term problems.
3. Track and trace information
Different countries are developing different applications to track people’s movement. We don’t know how much information the authorities in different countries keep or where they keep it. Do they use a third party like Google, for instance? And do partners have access to the information?
It’s a basic principle of information management that you collect only the minimum information required for the purpose you want to use it for. However, this is not a static situation and the regulations keep changing. Perhaps today a country might require only the minimum information, but later it may need more. Companies need guidance because they don’t know how long to keep track and trace data or whether it is legal to ask for information that goes beyond a ‘yes or no’ tick list.
For global companies, the situation is tough. There could be vast differences in the type of data they are expected by government to collect in different countries and varying rules around how long they must store it. A global retention schedule for this data requires attention.
4. Physical data
Many businesses not used to collecting data have opted to collect it on paper. This creates a different problem.
Most data systems are designed around digital data. The system seeks to collect, store, and access data or information in a legal way and then to set a retention program which ensures data is not kept too long and not deleted before it is legal to do so.
Logbooks are an example. Visitors are asked to write down their name, their company, who they are visiting and often a contact number and car registration. That information is visible to the next person who signs in after. In terms of data privacy, there has already been a breach before your visitor even gets to see you.
In some large office blocks, reception duties are performed by an outsourced facilities management company. Who is responsible for that data? Visitors may be asked to provide information at a reception and then required to repeat similar information when getting out of the elevator. Where do those forms go? How long should they be kept? Who can see or has access to them? Are they secure and do they have a retention schedule which explains when the information should be destroyed?
5. Office data
This might be cleaning and hygiene schedules, staff rosters, PPE allocations or new seating plans. Data which seems routine but which includes Personally Identifiable Information (PII) needs to be classified.
6. Cashless payments
Many businesses already have systems set up for cashless payments but for others it is new. Cash, because of innate hygiene issues, has become almost taboo during the pandemic and many businesses are offering cashless payments for the first time – creating sensitive financial data they haven’t had to handle before.
7. Online communication data
With business moving online, companies are collecting an increased volume of communications data – for instance through chatbots or online conferencing tools such as Zoom.
This data should already be caught in the document management routine and categorized accordingly. But keeping up to date with technology is important – if the latest version of a video conferencing app automatically records conversations and saves them into the cloud, you need to know. This can be very different to the written minutes of a meeting. The same goes for information stored on company WhatsApp or Teams as people begin to communicate in a different way – and emails from personal as well as corporate accounts.
8. Work-from-home (WFH) data
The trend of working from home is here to stay, even post-Covid. This is a challenge for information management systems. Sensitive data can exist outside of the system, on personal computers, printouts or apps. For employees using office laptops, if GPS or location services are switched on then employers could track their movements; and staff find it impossible to resist using the office laptop for personal browsing too – even storing banking details there.