COVID-19 can only be defeated with the help of huge amounts of information. Whether you are trying to protect a workforce and customer base, or attempting to predict how the virus will respond to enhanced social distancing requirements, you need data – much of it personal data. Never before has medical data been so quickly gathered or so widely processed and shared. Serious times call for serious exemptions; finding a lawful basis to permit the disclosure of special category data, which receives special protection under the GDPR, is certainly easier in this time of emergency. However, just because data may be lawfully disclosed, does not always mean that it should be. The other requirements of the GDPR, particularly those relating to data minimisation, security and transparency, are not to be abandoned in a crisis (see our article for more).
For many organisations the most important concern will be the safety of the workforce and customer base. If an employee who is in close contact with colleagues or others falls ill with the symptoms of COVID-19, or tests positive for the virus, the first instinct will be to make sure that everyone who may be at risk is informed. This instinct is the correct one; employees as well as customers are entitled to information that could help them prepare for potential illness and limit their exposure to others who they might otherwise put at risk.
Even in an emergency, data protection laws should always be considered before sharing any information about a confirmed or suspected diagnosis, or indeed potential symptoms, of COVID-19 where there is a possibility that an individual could be identified from the information. A person does not need to be named to be identifiable: referring to "someone at a particular residence" or, in the case of an employee, "a member of a specific team" may be enough for colleagues or neighbours to work out who is meant, and the information is then personal data (and health data) in the hands of those who receive it.
Sharing employee or customer medical data is obviously processing, and it must be done under a permitted lawful basis. The GDPR (and the UK Data Protection Act 2018) expressly provide a number of conditions that, if fulfilled, will permit the processing of special category data, which would otherwise be subject to a blanket prohibition. Although explicit consent is often the first and most obvious basis for processing, it is important to apply caution when relying on it, particularly when it is provided by an employee. Consent will not be valid unless it is freely given, and many factors, including any power imbalance between the parties, may affect how freely that consent is given.
The options available for sharing medical data of employees under the GDPR are:
It's also worth mentioning Article 9(2)(b), which covers carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment. This will only apply to the usual processing of employee data in relation to sick leave, benefits processing and the like. It will not be appropriate to rely on this condition to share personal data about an individual more widely, for example with colleagues or customers.
If data is essential to winning the fight against COVID-19, cooperation is going to be crucial to the process. In addition to medical data needed to develop medical solutions and potentially contact trace, governments can manage the impact of the outbreak and ensure the availability of resources with greater efficiency, by working with the private and voluntary sectors to understand the human responses to both the virus and the restrictions put in place to combat it.
Many private organisations may be sitting on information about their customers, members and employees that could be put to use in the national interest, predicting travel needs, shopping trends or planning the allocation of digital resources as well as the spread of the virus itself. However, it is essential that data controllers remember their duty lies with the individuals whose data they control, as well as to society at large. If an agency of the state, such as an NHS trust, a police force or a government department, requests information that contains personal data, it should not simply be handed over because of the status of the requestor.
The fact that an organisation asking for personal data to be shared is a public body does not make the request legal. If the information sought includes health data or other special category data about identifiable individuals, one of the conditions of Article 9 GDPR must be satisfied to make the sharing permissible. Before handing over personal information a data controller must:
Whatever exemption is relied on when sharing medical data, it should be documented. Whenever a decision is made that the sharing of personal data is lawful, other requirements of privacy law must still be followed.
A widespread medical emergency places unusual responsibilities on all areas of society. The duty owed to individuals whose data is entrusted to an organisation may become strained in the face of duty to society and the interests of the public bodies seeking to manage the emergency. Whenever data controllers use or otherwise share data, in the fight against COVID-19, they must remember that privacy laws exist to protect everyone and, in a time of emergency, those who benefit from the law's most stringent protections may be at their most vulnerable and, therefore, most in need of such protection.