Senior Manager | Cyber, Risk and Advisory
This article outlines the careful balance that public health authorities and employers are facing as they grapple with an appropriate and justifiable public health response to the escalating COVID-19 Coronavirus crisis against the backdrop of intrinsic data protection obligations that must be upheld within that response.
The current Coronavirus (COVID-19) crisis is unprecedented in living memory. Declared a pandemic on 11th March by the World Health Organization (WHO), the continuing spread of contagion across the world presents significant challenges to governments, businesses, and society at large.
As countries and governments wrestle with containment measures to stem the developing public health crisis, businesses - small and large - are alert to a “new normal”. Government-ordered closures and social-distancing measures have visibly reduced high-street footfall, both in-country and international travel are severely restricted, and vast schedules of leisure activities have been suspended.
The stark reality that the next number of weeks, perhaps months, could see our high streets, city centres, shopping malls, travel and sports industries irreparably damaged is a sobering thought, and one that could see many businesses permanently shuttered, fast-tracking a global recession, if not depression.
Notwithstanding the commercial and business challenges, there are real security and data protection issues that organizations must also be alert to, especially in the struggle to maintain a semblance of business-as-usual against the backdrop of a reduced workforce, remote working challenges, supply chain issues, decreasing sales and halted strategic growth plans.
Is data protection just more red tape?
With the evolving COVID-19 situation, organizations may consider compelling employees or visitors to complete pre-screening health questionnaires in order to vet or clear on-site visitors, thus reducing the risk of spreading COVID-19.
Management might also feel they are entitled to ask staff to provide detailed health information to vet for underlying conditions or disclose to their wider staff the diagnosis of COVID-19 in an employee. These actions, management could argue, are in the interest of staff, visitors and even public health. However, the French CNIL issued a short guidance note that expressly forbids this practice in light of the COVID-19 crisis, stating:
“It is therefore not possible to implement, for example:
- mandatory readings of the body temperatures of each employee/agent/visitor to be sent daily to their hierarchy;
- or the collection of medical sheets or questionnaires from all employees/agents.”
Data controllers must be certain that the fundamental principles of data protection law are adhered to and must ensure the protection of the personal data of the affected subjects. Specifically, the data controller must ensure that the processing of personal data:
- Has a clear lawful basis;
- Is transparent;
- Has a specific and explicit purpose;
- Is limited to what is necessary;
- Is kept for no longer than is necessary;
- Is processed in a manner that ensures the security of the data.
The GDPR expressly provides a clear lawful basis to enable employers and public health authorities to process personal data in the context of an epidemic such as COVID-19. Recital 46 unambiguously refers to the lawfulness of certain processing aimed at vital or public interest, “including for monitoring epidemics and their spread”. Provisions in both Article 6 and Article 9 also facilitate the collection, use and necessary sharing of personal data related to health in the context of a public health emergency.
However, the Italian Garante, in a country that continues to be the centre of the European outbreak of COVID-19, issued guidance recommending that employers “refrain from collecting, in advance and in a systematic and generalized manner…information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside of the work environment”.
The Irish DPC advises that “data protection law does not stand in the way of the provision of healthcare and the management of public health issues”, and that “there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data”. The processing needs to be necessary and proportionate but critically “needs to be informed by the guidance and/or directions of public health authorities, or other relevant authorities.”
The Chair of the European Data Protection Board (EDPB) Andrea Jelinek, said “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.”
Authorities may wish to use modern technologies in novel or innovative ways as global public health systems struggle to cope with the increasing number of cases. Electronic communication data, such as mobile location data, could be used to help monitor the outbreak, inform and improve response strategies and better support local resources. However, careful consideration of additional ePrivacy Directive obligations along with GDPR and national data protection laws is required so that fundamental rights and freedoms are protected and balanced with public and vital interests.
Accountability for Actions
The key compliance obligation under the GDPR is accountability; documenting and keeping track of all decisions made in relation to COVID-19 processing activities, including the security, technical and organizational safeguards implemented, is therefore of utmost importance.
Data controllers should take some comfort that, even in the midst of an uncertain and truly global pandemic, Europe’s data protection regulators continue to discharge their duties in a sensible and pragmatic manner. Regulators have acknowledged that many organizations’ ability to meet mandated timelines and fulfil their compliance obligations will be severely hampered during this period.
The UK’s ICO stated they will not “penalise organizations that we know need to prioritize other areas or adapt their usual approach during this extraordinary period”, providing some comfort to compliance-aware organizations that may be struggling to deal with data subject access requests or other data protection events during this time.
The Irish DPC supports the ICO’s position but stresses the importance of endeavouring to adhere to the fundamental principles of data protection: “For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organization and clearly communicated to the affected individuals. While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organization-specific extenuating circumstances will be fully taken into account.” Therefore, it is important to document all activities and decisions taken during this period in order to demonstrate a defensible position.
Global efforts to respond to COVID-19 are as varied as interpretations of data protection laws. Governments, public health authorities and employers all have a vested interest in protecting and defending the public interest and vital interests of our global citizens facing this unprecedented crisis. Responding to, mitigating and recovering from this global crisis will require extraordinary strength, significant resources, solidarity and a collective effort to prove just how resilient we are as a global society and economy.
Protecting data protection rights may seem a secondary or even tertiary objective given the extent of the task facing the world in facing down a global pandemic. Nevertheless, fundamental rights do not obstruct the critical tasks of first responders or the public health authorities; they help protect our society from gross abuses in a time of unprecedented societal challenges, and ultimately they are paramount to our continuing humanity and resilience as a civilization.