COVID-19: Data Protection and Information Security: Frequently Asked Questions (FAQs)

The council recognises the unprecedented challenges we are all facing during the COVID-19 pandemic.  We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that.  It's about being proportionate - if something feels excessive then it probably is.

Data protection and electronic communication laws do not stop the council from sending public health messages by phone, text or email.  These messages are not direct marketing: they are sent in the public interest to protect vulnerable individuals, so the normal rules around consent do not apply.

When sending personal, sensitive or confidential documentation employees must use their CCC Email Account at all times.

Use of personal email addresses was only authorised whilst the VPN issues were being addressed at the start of the COVID-19 emergency.  Performance of the VPN has significantly improved, so the use of personal email addresses is no longer permitted.

In future, if you are experiencing issues with your email account, in the first instance you should:

  • try to access your account using webmail
  • contact the ICT Helpdesk for advice on 01228 226000

If the ICT Helpdesk cannot fix your access issues, you should discuss the issue with your line manager.  

On a case by case basis you should use the following questions to help you assess the risk associated with sending the documentation. 

Purpose: why is the information required? 

Necessity: is the information required urgently?

Impact: what will happen if you don't send it?

Alternatives: can the information be sent in a different way?  

Safety: even if you are under pressure to share data quickly you should always:

After you have discussed the issue with your line manager, in exceptional cases you may be permitted to use your personal email account.  Exceptional cases are:

  • where personal, sensitive or confidential personal data is required urgently i.e. direct threat to life
  • ICT have been unable to fix the issue remotely
  • there is no other alternative

Personal email addresses that contain offensive or inappropriate terms should not be used under any circumstances. 

All managers must record in their own decision log when they have approved the use of personal email, stating very clearly the rationale/special circumstances for doing so.

Emails sent from your personal email account should be added to the appropriate system or network folder whenever you reconnect to the council's network. When they have been stored securely they should be deleted.

Council employees should use Egress at all times for sending personal, sensitive or confidential documentation.  

If you are experiencing issues with your Egress account you should contact the ICT Helpdesk for advice on 01228 226000.

If the ICT Helpdesk cannot fix your access issues, you should discuss the issue with your line manager.  

If Egress is unavailable you should follow the steps outlined in "The email system is unavailable - what should I do?" to assess the risks associated with sending the personal, sensitive or confidential documentation.

Where documentation is required to be sent urgently and Egress is not available:

  • confirm who the documentation is being sent to
  • password protect all attachments containing personal data
  • send passwords to recipients in a separate email or text
  • use read receipts or ask for confirmation that the email has been received safely

Emails sent from your personal email account should be added to the appropriate system or network folder whenever you reconnect to the council's network. When they have been stored securely they should be deleted.

The council's Data Breach Reporting process remains the same throughout the pandemic and CCC employees should continue to report concerns via the Online Reporting Tool.  If the form cannot be accessed concerns can be emailed to: dataprotection@cumbria.gov.uk.

Working from home can present some challenges but you should observe the same approach to protecting council data that you would in the office.  

  • Find a quiet place: if possible work in the same place to avoid losing papers, position devices/files away from windows and make sure they are stored out of view if you need to leave the house
  • Keep it confidential: avoid having confidential telephone or skype conversations near family members, open windows or in the garden
  • Transferring documents: confidential council information should not be transferred to personal devices, as connections may not be secure and this could lead to interception
  • Social Media: should never be used to communicate confidential council information, except by those who are authorised to do so
  • Destroy paperwork: if you have copies of confidential paperwork that are not required to be retained for business purposes - either destroy them securely at home i.e. log burner, cross shredding or store them until they can be deposited in a confidential waste bin (Never dispose of papers in household bins or at Household Waste Recycling Centres).

Employees are responsible for taking care of council information in printed files and documents at all times.  You should:

  • Discuss it: if you need to remove files from the office always discuss with your line manager first so alternatives can be discussed
  • Document it: record the type and number of records, who has them, where they will be stored and when they are returned
  • Secure it: records should be kept out of sight during transit and stored securely at home
  • Return it: as soon as you have finished with the paper records ensure they are safely returned to the relevant council office and checked back in.

Yes. The council can keep employees informed about the number of COVID-19 cases that have occurred within the organisation.  The council has an obligation to ensure the health and safety of its employees, as well as a duty of care.  Data protection law does not prevent the council from publishing the number of cases, but detailed information including names, underlying health conditions and location should be withheld unless the individual, their next of kin, family, guardian or personal representative has given express consent for release.

Yes. The council has an obligation to protect the health of its employees, visitors and customers, but that doesn't include the collection of large quantities of irrelevant data.  Under the circumstances it is reasonable for the council to ask employees, visitors and customers if they have:

  • visited a country affected by the COVID-19 pandemic recently
  • called 111 for advice if they have experienced COVID-19 symptoms
  • considered the latest government advice before attending meetings or appointments.

The collection of more detailed health information will be considered and recorded on an individual basis.  In all cases only relevant data will be collected and care should be taken to store and share the data securely.

Yes. It's unlikely the council will have to share information with authorities about specific individuals, but if it is necessary then data protection law does not prevent you from doing so.  Before sharing data you should consider:

Purpose: why is the information required? 

Necessity: is the information required urgently?

Impact: what will happen if you don't send it?

Safety: even if you are under pressure to share data quickly you should always:

  • send it securely by email using Egress (if Egress is unavailable see: Egress isn't available - how can I send confidential information?)
  • ask for contact details for a named individual or secure mailbox
  • confirm that the data has been safely received

Yes. The ICO understands that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. The ICO won't penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period.  Updates on the council's approach to managing requests.

Skype is the only secure video conferencing software that has been approved for use at Cumbria County Council. Content remains secure and is not made available on the internet. 

Video conferencing apps like ZOOM record the meetings and there is nothing to prevent the content then being shared in an uncontrolled manner over the internet now or in the future. Some video conferencing apps have also been designed to capture information from the devices they have been installed on. This information could include text messages, email contact lists, location trackers and even photographs. When invited to use another video conferencing solution, either for work or at home for personal use, you need to be mindful of this.

If you have any immediate data protection concerns please contact the council's Data Protection Officer (dataprotection@cumbria.gov.uk) or the Information Security Team (security@cumbria.gov.uk).

The latest advice can be found on the Information Commissioner's Office - Data Protection and Coronavirus Information Hub.