One unanticipated consequence of the COVID pandemic has been the huge increase in the collection of personal data.
With much of the world's population working remotely for extended periods, people have had to quickly sign up to digital tools and communications platforms often without fully understanding how those tools may be collecting their personal data, or worse, knowing that the companies behind those platforms will harvest their data, but having no alternative but to accept. At the same time, their smart home devices are capable of recording confidential conversations and their phones are able to track their movements with increasingly accurate precision. Should these workers venture outside their temporary home offices, new surveillance and tracking measures to monitor "lockdowns" and public health authorities are increasingly sharing medical data, all in an attempt to keep the virus under control.
The invasiveness of these measures varies from jurisdiction to jurisdiction. While governments may be able to rely on national security or public interest exemptions under local data protection laws to collect and share personal data during times of crisis, individuals are increasingly concerned about how their personal data may be used, with whom it may be shared and the impact on their rights. The spectre of stigmatisation has already been evident. There is also a longer-term concern around how some of these increased collection measures will be "rolled back" once the crisis ends or if they will be reduced at all.
Data Protection Rights and Obligations
Under Cayman's Data Protection Law (DPL), personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so which has been notified to the affected individual.
The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Businesses are obliged to cease processing personal data once the purposes for which that data has been collected have been exhausted. Data retention periods are not prescriptive but each data controller must determine for how long data should be kept and ascertain how it might be securely deleted once the purposes for holding it have been satisfied, in this case, once the crisis ends.
Where personal data is shared between parties, contractual or other provisions should be put in place between the data controller and the third party processor to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that incident response plans are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the data controller, particularly where international transfers of data are involved.
As lockdown restrictions are eased and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe. Those measures are likely to further impact the use of personal data. Some of the most frequently asked scenarios are considered below.
Can I use temperature checks or thermal cameras to monitor staff and members of the public for symptoms?
The DPL does not prevent you from taking steps to keep your employees and the public safe but it does require you to be responsible with people's personal data and ensure it is handled with care. As you will be processing information that relates to an identified or identifiable individual, you need to comply with the DPL. Personal data that relates to health is classed as 'sensitive personal data' so it must be even more carefully protected.
When considering the use of more intrusive technologies, especially for capturing health information, you need to give thought to the purpose and context of its use and be able to make the case for using it. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. You should also think about whether you can achieve the same results through other less privacy intrusive means. If so, then the monitoring may not be considered proportionate.
Protecting legitimate business interests and providing a safe working environment for employees are likely to be appropriate legal grounds for carrying out testing as long as you are not collecting or sharing irrelevant or unnecessary data.
How often should I check for symptoms?
This will depend on the social distancing and other measures that your organisation needs to put in place. Any testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to the circumstances including their role.
As an employer, and a data controller for your employees' health information, you will need to decide the appropriate timescale between tests. For front line staff who interact with the public, more regular testing may be appropriate.
You also have a responsibility to ensure that you hold accurate personal data. The health status of an individual may change over time, so if you record the test results, you should ensure those records are accurate by including the date and time of the result. Any decisions to send staff home or otherwise impact their employment should be based on factually accurate information.
Can I keep lists of employees who have symptoms or have been tested as positive?
Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual's health status changing over time.
These lists should only be retained for a short period and should not be used for any other purposes.
How do I ensure I don't collect too much data?
For sensitive personal data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.
In order to not collect too much data, you must ensure that it is:
- enough to properly fulfil your stated purpose;
- relevant and has a sensible link to that stated purpose; and
- limited to what is necessary – you should not hold more data than you need to fulfil that purpose.
Can I use recorded CCTV footage to assist with contact tracing?
The analysis of CCTV footage could assist with contact tracing. You should assess whether this is necessary in the specific circumstances and consider speaking to the individuals who would be affected and to provide advice on appropriate measures such as self-isolation. Analysis of CCTV footage could reveal sensitive aspects of an individual's behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private. This approach for employees should therefore be considered in the context of your existing employee monitoring policy.
Privacy should not be a casualty
As a result of the coronavirus, most people accept and appreciate the need for extraordinary measures to protect the vulnerable. The measures being developed in response to the virus must take privacy issues into account, have one eye on the long term use of the data being collected, and ensure privacy is not another casualty of the crisis.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.