In the wake of the increasing spread of the COVID-19 pandemic, organisations across all spheres of public and private life have adopted measures to mitigate harm caused to their employees, customers, and other stakeholders faced with this public health emergency. Many organisations are attempting to carry on business-as-usual, or as close to that as they are able to do during these unprecedented times. In doing so, they are processing new forms of personal data, including health-related data.
This data might concern the health status of individuals and the status of other individuals sharing a household with them, the results of any COVID-19 data, body temperatures, and travel plans and location history for the same persons.
In a post-GDPR era, it is clear to many that this information is likely classified as personal data, and indeed may also fall within the categories of "special categories of personal data", which is subject to stricter compliance requirements within the European Union ("EU").
This piece sets out an overview of key EU data protection issues for organisations to consider during this unusual time.
Respect the general principles of data processing
The European Data Protection Board ("EDPB"), together with a number of most European national data protection authorities, have demonstrated in recent press releases that they are mindful that during this period, a large volume of information may need to be shared and extraordinary data practices may need to be adopted in order to deal with this emerging public health crisis. However, as highlighted in a statement issued by the EDPB on the processing of personal data in the context of the COVID-19 outbreak, data controllers and processors must ensure that the processing of personal data is still carried out lawfully and the general principles enshrined in the GDPR are duly respected.
Data minimisation & purpose limitation
Organisations are collecting and processing significant amounts of sensitive personal data in order to satisfactorily mitigate public health risks. Employers may well be collecting health data from employees or visitors of their organization which they would not normally request in ordinary circumstances. In doing so, organisations should strictly adhere to the principles of data minimisation and purpose limitation. In practice, this means that employers should only collect information that is necessary to safeguard the health and safety of other employees, visitors and other personnel at their premises. Furthermore, such data should only be processed in accordance with the specific purposes for which it was collected.
Transparency in processing
The principle of transparency in data processing remains key to organisations collecting personal data. It is important to continually keep data subjects informed about new processing activities that have been adopted. This should include transparent information on the purposes of the processing, and the applicable retention periods of the data in question. If so required, organisations should review their existing privacy policies and notices, ensuring that any amendments called for by changing circumstances are carried out if necessary, and any required consents obtained. Considering the rapid increase in the uptake of remote working arrangements, the importance of establishing comprehensive policies that account for data and privacy interests of data subjects cannot be overstated.
Integrity and Confidentiality
In light of the current context, organisations should maintain a close watch on security measures adopted when implementing new processing. Due to the sensitive nature of the personal data being processed, organisations should carry out effective monitoring of their system's security and of any developing cyber threats, and security measures might need to be more robust than usual. Considering employers' duty of care towards the health and safety of their employees, it is may be appropriate to inform other employees in the event of any staff member contracting the coronavirus. More often than not, such information would not require the disclosure of the name of the relevant employee. However, if this case does arise the employee's dignity and integrity should always be respected, and the employer should endeavour to inform the employee in question that it intends to circulate this information amongst his/her colleagues.
Ensure data is collected under an appropriate legal basis for processing
The GDPR caters for this present reality by establishing specific derogations for the processing of health-related data, the latter being classified as a special category of data under article 9 of the GDPR. Nevertheless, it is crucial for organisations to rely upon a valid legal basis for their processing activities, particularly considering the principle of data minimization highlighted earlier.
In the context of the current pandemic, the processing of health-related data may become necessary for compliance with a legal obligation or for the safeguarding of public health. In such cases, organisations would not have to rely on the consent of the data subjects as a lawful basis for processing. Moreover, employers might be contractually bound to process such data in order to fulfill their obligations relating to the health and safety of their employees under their employment contract. However, prior to collecting such personal data from individuals, employees should ensure they do this with a specific purpose in mind and with a clear understanding of precisely what data is required to fulfill this purpose, in order to not obtain more data than is strictly necessary to meet its obligations.
Adopting such an approach is beneficial from a data minimization point of view, which could otherwise lead to potentially significant compliance exposures.
General Compliance Obligations
From a GDPR compliance perspective, it is understandable that the effects of COVID-19 will also have an impact on data controllers' ability to fulfill certain obligations in a timely manner. In this respect, it is important to note that in a statement issued by the UK Information Commissioner's Office ("ICO") regarding data protection and the coronavirus, the ICO acknowledged that in such circumstances delays in the fulfillment of data subject information right requests would be expected and it would not take regulatory action against organisations in this respect.
During this unprecedented time, it is key for organisations to apply the principle of proportionality in the processing of health-related data. With this principle in mind, organisations should consistently assess the current risks as well as any other legal obligations to which they may be subject.
The Office of the Information and Data Protection Commissioner in Malta has encouraged organisations to continue to bear in mind the strict requirements imposed by public health authorities, and to not utilise data protection law to justify non-compliance with public health rules. This is a welcome concession from the Maltese data protection authority, however we would caution organisations to continue to heed the real importance of data protection rules, which remain in place. As more guidance is issued by data protection authorities across Europe, we advise data controllers and processors to remain alert to these issues and to consider to continue to meet obligations towards data subjects in a rapidly evolving climate grappling with an unprecedented global health threat.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.