To perform more successful treatment of the infected patients and spread awareness about the coronavirus and protection methods, data concerning the health of citizens is more exposed than usual. In this blog, we will take a glance at the issue of conflict between the two fundamental civil rights: the right to healthcare and the right to the protection of personal data.
In the previous few weeks, the coronavirus – COVID-19 – became the burning topic on newspaper cover pages all around the globe. The state of emergency declared on a global level created the need to adjust to the new circumstances brought about by the pandemic. In only a couple of days, national government authorities issued numerous decisions in order to suppress the virus and preserve public health. Along with those which are widely familiar due to the media attention they attract, such as shutting down hospitality businesses or imposing a curfew, some of the introduced measures are especially significant from the privacy law aspect.
Article 9 of the General Data Protection Regulation (GDPR) classifies health-related data as a special category of personal data, which is under a higher level of protection. Whereas the processing of data not labeled as “special” is allowed as long as one of the six legal grounds is fulfilled, processing of this type of data is prohibited. There is an exception to every rule, so the GDPR provides for the cases in which this one can be bypassed.
Processing of sensitive data can be performed, for example, if it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, for the protection of vital interests of society or to comply with another legal obligation.
If we consider the matter of data protection from the aspect of employment, it is indisputable that employers around the world implement various protection measures in order to secure their employees and business premises. In their effort to fulfill the requirements in this direction, employers meet the challenge of lawful personal data protection. Personal data treatment might change during a state of emergency, which inevitably raises the question: what types of data can be collected and how can they be used?
The European Data Protection Board (EDPB) answered this question by issuing the Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak, which stresses that European data protection law continues to apply even during a state of emergency. At the same time, the EDPB Chair emphasizes that data protection provisions by no means interfere with the performance of exceptional measures aimed at mitigating the coronavirus. Therefore, data controllers and processors (including employers) are obliged to preserve a certain level of protection of the collected data, independently of the state of emergency.
GDPR declares essential principles which have to be implemented when collecting health-related data, as listed below.
Lawfulness: legitimate legal ground.
Consent of the data subject for data processing does not play an important role in the context of COVID-19. Therefore, the employer is obliged to identify the legal basis for data disclosure in every particular case, i.e. to examine whether the exceptional measures are justified.
The “compliance with a legal obligation” ground will be appropriate if the collection is necessary for complying with EU law or the national law of the member state. Alternatively, “legitimate interest pursued by the controller or a third party” would be considered suitable if applicable in a particular case.
Conversely, simply invoking ‘protection of vital interests’ as a legal ground most likely would not be enough.
Transparency: notifying employees.
In accordance with this principle, the data subjects to whom the personal data refer shall be informed by the employer of which data is disclosed to whom, what the purpose of the data collection is and how long the retention period is.
Besides that, the employer is authorized to share information on the presence of the virus within the company but shall avoid naming the infected employee, unless that is unavoidable. Furthermore, it is advisable to set up a special coronavirus-related hotline, which would likely encourage employees who suspect that they might be infected to seek help privately and without spreading panic among the rest of the personnel.
Minimization: collecting and processing only necessary data
Every employer shall collect only the data indispensable for assessing the risk of the virus spreading and for implementing safety measures.
To clarify, we provide some examples.
However, a company shall delete all collected data related to the coronavirus once the pandemic passes and the virus itself no longer represents a threat.
As mentioned, health-related data requires a higher level of protection, in accordance with its nature and sensitivity. This raises the question of usage restrictions regarding this type of data, as well as the justification for disclosing it to third parties. In this respect, the majority of the national data protection authorities agree – an infected employee’s personal data can be disclosed only if it is necessary in order to protect public interests and public health, for instance:
1. Sharing with subjects required to be involved in order to implement certain health and safety measures, or
2. Sharing with government authorities and organizations, when mandatory.
- The UK aligned its actions with the Statement by the EDPB: the employer shall undertake all the necessary measures to protect the employees and holds the right to be notified if an employee is potentially infected. Furthermore, employers whose businesses include direct contact with clients may require all visitors to comply with instructions by the competent authorities before entering the employer’s business premises.
- In France, the employer is authorized to collect coronavirus-related data referring to the employees only upon the request of the competent authorities, and not before implementing all the prescribed measures of protection and work organization during the epidemic.
- Italian authorities prescribe that the detection and suppression of COVID-19 is, by all means, the exclusive mission of the civil protection bodies and professional healthcare institutions, in accordance with the legislation. Therefore, employers shall refrain from performing self-initiated data collection measures.
- The Spanish data protection authority issued a statement entirely in accordance with the one by the EDPB, highlighting which requirements need to be fulfilled in relation to data collection and processing during the coronavirus epidemic: a) a legitimate legal ground – referring to Article 9 of the GDPR, the Spanish Data Protection Law and the Labor Law, and b) data minimization.
Chinese authorities prescribed the employer’s obligation to obtain the prior consent of the data subject for collecting personal data regarding their health condition. Similarly, Australian law requires that the data subject explicitly approve the collection of their health-related data, with particular regulation regarding the use and disclosure of the collected data. On the other hand, in Hong Kong, personal data can be processed without the data subject’s consent if that is necessary to avoid physical or mental harm to third persons.
The Statement by the EDPB also addresses the specificities regarding electronic communication data, such as location data. The Privacy and Electronic Communications Directive (hereinafter: the Directive) regulates this matter by explicitly prescribing that location data can be processed solely when it is made anonymous, or with the consent of the data subjects. In cases when it is not possible to process only anonymous data, the Directive authorizes the member states to establish specific measures in order to protect national and public security.
Not only European countries used this possibility, but some parts of Asia did as well. For example, Italian authorities cooperate with mobile operators, who share location data with the Ministry of Health, providing it with information on the number of citizens violating the prescribed movement restrictions. The Polish government launched an app intended for quarantined citizens. From time to time, the app requests the mobile phone owner to take a geo-located selfie, so that the authorities can be sure that their orders are not being violated.
An interesting measure was implemented in Hong Kong in relation to citizens recently arrived from other countries – the authorities provide them with wristbands that record the individual’s location and inform the competent authorities if the person does not comply with the quarantine order. Singapore made all the data about infected citizens public; the next step was launching an app which makes the location of the victims of the coronavirus visible, so they can be tracked. It is redundant to say – the legitimacy of this kind of measure is definitely questionable.
When it comes to domestic emergency legislation, no measures prescribe any exceptions in the area of data protection. Unlike the above-mentioned countries, Serbian authorities did not issue any explicit statements regarding personal data – except for the appeal to the citizens to comply with the instructions issued by the authorities. It is questionable whether the lack of reaction is merely a delay, or whether the government did not recognize the need for such regulations. An answer from the Serbian authorities should be provided as soon as possible.
Once the COVID-19 pandemic is over, many aspects of life will surely be significantly affected, but data protection does not have to be. Employers shall ensure in good time that all the safety rules and procedures are in place, so that the effects of the epidemic on employment relationships are reduced to a minimum. The personal data of the employees shall remain highly protected by following the GDPR rules, as well as the emergency instructions issued by the government authorities.
In other words – keep your employees safe, in every way.