COVID-19 can only be defeated with the help of huge amounts of information. Whether you are trying to protect a workforce and customer base, or attempting to predict how the virus will respond to enhanced social distancing requirements, you need data – much of it personal data. Never before has medical data been so quickly gathered or so widely processed and shared. Serious times call for serious exemptions; finding a lawful basis to permit the disclosure of special category data, which receives special protection under the GDPR, is certainly easier in this time of emergency. However, just because data may be lawfully disclosed, does not always mean that it should be. The other requirements of the GDPR, particularly those relating to data minimisation, security and transparency, are not to be abandoned in a crisis (see our article for more).
Employers: protecting the workforce and customers
For many organisations the most important concern will be the safety of the workforce and customer base. If an employee who is in close contact with colleagues or others falls ill with the symptoms of COVID-19, or tests positive for the virus, the first instinct will be to make sure that everyone who may be at risk is informed. This instinct is the correct one; employees as well as customers are entitled to information that could help them prepare for potential illness and limit their exposure to others who they might otherwise put at risk.
Even in an emergency, data protection laws should always be considered when sharing any information about a confirmed or suspected diagnosis or indeed potential symptoms of COVID-19 where there is a possibility of identification of an individual from the information. Identifying information could include information about an individual from a particular residence or, in the case of an employee, a specific team, even where they are not mentioned by name, if the information shared can identify them to others.
Sharing employee or customer medical data obviously involves processing which must be must be done under a permitted lawful basis. The GDPR (and the UK Data Protection Act 2018) expressly provide a number of conditions that, if fulfilled, will permit the processing of special category data, which would otherwise be subject to a blanket prohibition. Although explicit consent is often the first and most obvious basis for processing, it is important to apply caution when relying on it, particularly when it is provided by an employee. Consent will not be valid unless it is freely given and many factors, including any power imbalance between the parties, may influence the freedom with which that consent if given.
The options available for sharing medical data of employees under the GDPR are:
- Article 9(2)(a) - Explicit consent provided: where an individual is well enough to give consent, this may be sought from them but the balance of power is relevant to the validity of that consent and it is difficult to achieve in an employment context. If explicit consent relied on, it should be properly recorded and care taken to ensure that no undue pressure has been placed on the individual. They should understand how their information is to be used or shared and the potential implications for them.
- Article 9(2)(c) - Necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent: this exemption is only likely to apply in cases where an individual cannot consent to the sharing of data for themselves due to incapacity, for example, providing information about a pre-existing condition to a healthcare professional treating them.
- Article 9(2)(h) - Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment: This is likely to be the most relevant exemption in the case of an outbreak, where information needs to be disseminated quickly.
- Article 9(2)(i) - Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health: the EDPB cites this as the most likely lawful basis in an employment context.
It's also worth mentioning Article 9(2)(b) - Carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment – this will only apply to the usual processing of employee data in relation to sick leave, benefits processing etc. It will not be appropriate to use this exemption to share personal data about an individual.
Sharing data with the government and public authorities
If data is essential to winning the fight against COVID-19, cooperation is going to be crucial to the process. In addition to medical data needed to develop medical solutions and potentially contact trace, governments can manage the impact of the outbreak and ensure the availability of resources with greater efficiency, by working with the private and voluntary sectors to understand the human responses to both the virus and the restrictions put in place to combat it.
Many private organisations may be sitting on information about their customers, members and employees that could be put to use in the national interest, predicting travel needs, shopping trends or planning the allocation of digital resources as well as the spread of the virus itself. However, it is essential that data controllers remember their duty lies with the individuals whose data they control, as well as to society at large. If an agency of the state, such as an NHS trust, a police force or a government department, requests information that contains personal data, it should not simply be handed over because of the status of the requestor.
The fact that an organisation asking for personal data to be shared is a public body does not make the request legal. If the information sought includes health data or other special category data about identifiable individuals, one of the conditions of Article 9 GDPR must be satisfied to make the sharing permissible. Before handing over personal information a data controller must:
- Be satisfied that the purpose for which it is requested meets a condition set out by the law, not forgetting the provisions of newly introduced emergency legislation like the Coronavirus Act 2020.
- Agree that the data need to be presented in the form requested for the purpose to be fulfilled (eg that anonymised data or a reduced amount of data would not meet the same requirements).
- Receive assurances that the personal data will only be retained by the recipient organisation for as long as needed and only used for the agreed purpose or one compatible with it.
- Be satisfied with any security arrangements made for the transfer and processing of the data.
- Ensure, if possible, the individuals whose data is shared are informed as soon as possible. Ideally this would be at the point of collection of their data, though that will be impossible in many situations.
Following the law in difficult times
Whatever exemption is relied on when sharing medical data, it should be documented. Whenever a decision is made that the sharing of personal data is lawful, other requirements of privacy law must still be followed.
A widespread medical emergency places unusual responsibilities on all areas of society. The duty owed to individuals whose data is entrusted to an organisation may become strained in the face of duty to society and the interests of the public bodies seeking to manage the emergency. Whenever data controllers use or otherwise share data, in the fight against COVID-19, they must remember that privacy laws exist to protect everyone and, in a time of emergency, those who benefit from the law's most stringent protections may be at their most vulnerable and, therefore, most in need of such protection.
