We are feeling the damaging impact of the rapid spread of the coronavirus (COVID-19) pandemic. As a result, government, public and private organisations are urgently taking measures to contain and mitigate the virus, some of which have implications on the processing of personal data.
Whilst with no hesitation it is in the interests of humanity to curb the spread of such diseases, there is still an obligation for data controllers and processors to protect the personal data (including special categories of personal data) of data subjects.
To support organisations, the European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO) have both issued guidance in which the processing of personal data in a COVID-19 context is considered. It has been stressed that whilst emergencies may legitimise restrictions of freedoms, it is still important that these restrictions are proportionate and limited to the emergency period with any measures taken respecting the general principles of the General Data Protection Regulation (GDPR) and being reversible.
Ensuring lawful processing: What legal basis is likely to apply?
The GDPR permits public authorities and employers to process personal data, including health data, during epidemics without the need to obtain individuals' consent and rely on other derogations available in Article 9 GDPR.
Competent Public Authorities will be most likely to be able to justify the processing as being of substantial public interest in the area of public health. On this basis, it will be possible for government, the NHS and even other health professionals to use the latest technology to monitor, contain or mitigate the spread of COVID-19. These activities may include geo-locating individuals, sending public health messages in a specific area by phone or text message (which does not constitute direct marketing) or facilitating safe and speedy consultations and diagnoses.
Employers may need to process personal data including health data in order to comply with a legal obligation to which the employer is subject. Examples of such processing activities include ensuring health and safety at the workplace, carrying out measures for control of diseases and other threats to health as necessary for reasons of substantial public interest in the area of public health or in certain cases where they need to protect the vital interests of the data subject.
It is relevant to note that in every case the processing must be based on one of the legal grounds set out in Article 6 in addition to an Article 9 GDPR derogation. For example, it must be necessary to comply with a legal obligation, to perform a task carried out in the public interest or when the data controller has a legitimate interest on the processing that is not overridden by the interests or fundamental rights and freedoms of the data subjects.
Ensuring compliance: What core obligations should you consider?
In addition to relying on an appropriate lawful ground, it is also relevant to consider how the processing will be carried out in compliance with the GPDR and Data Protection Act 2018 (DPA).
Complying with all the requirements may be challenging to organisations due to the urgency in which measures need to be implemented - which may evolve on a daily basis. While it seems reasonable to expect that the most relevant measures, such as finding a legal ground, ensuring that only the minimum data is used, and informing individuals accordingly are taken with immediate effect, completing compliance with other obligations, such as drafting and approving an Appropriate Policy Document, may take a bit longer.
On this point, the ICO has taken a sensible approach and clarified that in this unprecedented time, compliance will need to be balanced with the extreme urgency of some actions involving processing of personal data. In their own words: "We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It's all about being proportionate - if something feels excessive from the public's point of view, then it probably is".
In our view, organisations should consider the core obligations and have an ongoing plan for implementation as soon as practicable. These core obligations include the following;
- Processing of personal data must be necessary to attain the objectives pursued;
- Processing of personal data must be for specified and explicit purposes;
- Data subjects must receive transparent information on the processing activities including:
- the retention period for collected data; and
- the purposes of the processing;
- Any information on the processing activities provided must be easily accessible and provided in clear and plain language;
- There must be adequate security measures and confidentiality policies in place to prevent disclosure of personal data to unauthorised parties; and
- Organisations must appropriately document any measures implemented and the decision-making process. In particular, if one of the Article 9 GDPR legal grounds is applied along with the DPA, to avoid breaching the DPA, organisations must consider:
- Putting in place an "Appropriate Policy Document" (Pt 4 of Schedule 1 DPA), which should only deal with the collection and processing of health data for this particular COVID-19 purpose;
- Updating the organisation's "Records of Processing Activities" (Art. 30 GDPR) as required by the DPA in these circumstances; and
- Carrying out a "Data Protection Impact Assessment" in particular if the processing of data for COVID-19 purposes represents a high risk to individuals affected by this processing activity.
By way of example, it is accepted that employers may be under an obligation to inform staff about a particular staff member having COVID-19 symptoms and/or testing positive in order to take protective measures. However, this obligation must be carried out in compliance with the data protection laws, meaning that:
- Any information disclosed should be kept to the minimum necessary for this purpose; and
- If any employee is to be named:
- the employer should ensure that the relevant employee is informed in advance; and
- in any case, the dignity and integrity of the employee must be protected.
More information can be found on the ICO's and EDPB's websites. We recommend checking them out on a regular basis since they are subject to continuous updates during this challenging time.