How do you protect the privacy of people who have been infected by COVID-19, while still informing those who have been put at risk? At a time of global public health emergency, does the GDPR simply get in the way?
Businesses face an unprecedented challenge dealing with the outbreak of the COVID-19 virus. Dealing with data protection issues might be the last thing on many businesses’ minds but the data protection laws such as the GDPR still apply.
We set out below our top tips for ensuring data protection compliance during this crisis.
1. The law on data protection hasn’t changed, but many data protection authorities recognise the unprecedented nature of this crisis
The work that you need to undertake at the moment, such as the time-sensitive processing of information about employees, still needs to comply with data protection laws.
Public health needs don’t mean that data protection laws fall away, but it is clear that, for example, the UK’s ICO is aware of the unprecedented crisis that confronts us all. On 16 March the ICO reiterated that it is “a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern”. The regulator went on to say, “regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency”.
2. Don’t forget that health information is a special category of information under data protection laws
What does this mean in practice? Personal data on health is given a higher degree of protection, given its sensitive nature. Businesses need a lawful ground to process it under Article 6 of the GDPR. Businesses also need to satisfy one of the further grounds for processing it under Article 9 of the GDPR. Typically, employers looking to safeguard their workforce from threats to their health will rely on the ground set out in Article 9(2)(b) of the GDPR (employment, social security and social protection).
Non-employees are protected too under the ground in Article 9(2)(i) of the GDPR (“public interest in public health”).
Things are changing all the time, but it is important to check government guidance for business (and any new laws) regularly. Businesses have a vital role to play in tackling the coronavirus, although you should take care not to undertake activities which remain the responsibility of the NHS or other health providers (who will have their own legal grounds to process information under data protection laws). If there is a member of staff with the virus, guidance from the government says that the Public Health England local health protection team (or equivalent) will discuss the case with you, identify people who have been in contact with them and advise on any actions or precautions that should be taken. Of course, at that point you can determine the legal ground for processing the related personal data.
Great care needs to be taken if you are looking to adopt a pre-emptive strategy for coronavirus prevention and mitigation. Data protection authorities (DPAs) across Europe have taken slightly different approaches to what is and isn’t acceptable. While the UK is somewhat permissive, other authorities are less so when faced with this crisis. The result? While it might be acceptable for businesses to undertake temperature screening in some countries, other countries may take a dim view of such activities. As always, check local guidance carefully.
3. Can I tell my staff about members of staff with the virus?
The UK’s ICO is clear on this point: yes, although you need to take care how you do so. In recent guidance it states, “you should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this”.
Other DPAs across Europe are taking differing views, so you need to be aware that a one-size-fits-all approach may not work here.
What does this mean in practice? You need to look at each incident on a case-by-case basis. There might be a good reason why an individual needs to be named, although this doesn’t mean that it would be appropriate to send an email to everyone in your company saying Mr X or Ms Y has the virus. People should be told on a need-to-know basis (with, say, your email marked as confidential). As the guidance says, you shouldn’t provide any more information than is necessary. If it feels wrong to name an individual, then it probably is.
4. What information can I ask for to help us manage the crisis?
Again, regulators make it clear that you can ask for information. The UK’s ICO states, “it’s reasonable to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms”.
The guidance goes on to say effectively don’t collect information unless you have to (to comply with the data minimisation principle), “You could ask visitors to consider government advice before they decide to come … This approach should help you to minimise the information you need to collect”.
If you still need to collect personal data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
5. What safeguards should I put in place to protect the information we collect?
Data protection laws don’t set out the specific requirements such as what IT protection is required or what type of lock on the filing cabinet you should use. As the ICO says, “the GDPR requires you to process personal data securely using appropriate technical and organisational measures. What’s appropriate for you will depend not just on your circumstances, but also the data you are processing and the risks posed. You must assess your information security risk and implement appropriate technical controls”.
In practice, given that much of the collected data will be health data, you need to make sure that a high level of protection is given to it. Recent action by the ICO, such as the (pre-GDPR) £275,000 fine against a pharmaceutical company in London shows that careless storage of such personal data can result in significant fines.
6. Don’t forget to keep your records accurate.
Some data protection principles seem obvious. However, in a large organisation you may well have people with the same name or similar names. Take care not to mix data up, which can easily happen when information is collected quickly in a crisis. Staff will already be concerned about the virus, and giving out incorrect information could undermine your efforts to manage the crisis.
7. Don’t collect information just because you can (i.e. because you think you might need it later)
Data minimisation is the principle that is often overlooked the most by businesses, particularly when they are collecting information in a hurry.
The law is clear. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Or in the words of the ICO: “you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more”.
So be sensible when asking for information. For example, it wouldn’t make sense to ask each of your employees to send in a copy of their medical records, but it is sensible to ask them to tell you if they have just come back from holiday in an area where there has been a significant outbreak.
More important still: if an employee gives you too much information, consider whether it is necessary to hold it and, if not, delete it.
8. Make it clear why you are collecting information
Data protection laws are all about transparency. Many employees will want to know why you are collecting their personal data and what you are going to do with it. Many privacy policies for employees will already set out that certain information can be collected and processed during a health emergency although you should look at your privacy policies to see if they are up to date and/or update them accordingly. If you feel that you don’t have time to do this, make it clear in any communications, such as emails, why you are collecting the personal data in question.
9. Don’t forget about international transfers
Much personal data flows across borders, particularly within multinational companies, which will look to share personal data with other group companies to co-ordinate their approach to the crisis. Check what international transfer mechanisms are in place (e.g. binding corporate rules, a global DTA or standard contractual clauses (although the viability of those is in question)) to see whether they allow for the transfer across your businesses.
Nobody knows. Every hour brings breaking news that in a normal news cycle would be a top story for weeks. For most businesses, there is a lot to take in and do in a short space of time. The key takeaway is that data protection laws haven’t fallen away. While some data protection authorities, such as in the UK, Spain and Italy, are taking a more permissive approach in the fight against the virus, others such as CNIL in France, continue to state the importance of a high level of protection for personal data. The upshot?
The safest option is to continue with following best practice and using high data protection standards. Don’t collect and release more information than you need to.