Processing personal data related to COVID-19

What's the issue?

The spread of COVID-19 may result in data controllers having to begin new processing operations, many of which will involve sensitive personal data (which includes health data). The important thing to remember is that while some jurisdictions have passed specific legislation to permit the sharing and other processing of health data, the GDPR and DPA18 continue to apply in the UK. While the GDPR was never designed to defy common sense and block data usage whenever businesses and countries face such major public issues, neither was it intended to be swept aside entirely and, in fact, the legislation does provide for these sorts of circumstances subject to the usual safeguards.

Key GDPR considerations

In particular, there must be a lawful basis for each processing operation and a condition for processing special data must apply where appropriate. DPIAs may need to be carried out quickly, and transparency requirements must be fulfilled. As with all areas of GDPR compliance, you must be able to demonstrate accountability and, owing to the sensitive nature of the data being processed, data security is vital. The data protection principles will, of course, apply as usual so continue to observe principles of data minimisation, purpose limitation and data retention.

Clinical trials and research

For those involved in clinical trials or research into the virus and its effects, again, the GDPR will apply as usual (see here for more on GDPR and life sciences), but data controllers should pay particular attention to implementing appropriate technical and organisational measures such as pseudonymisation and anonymisation.

Lawful basis

Any processing of personal data relating to COVID-19 is highly likely to include sensitive personal data. This means that an Article 9 condition must be met in addition to the application of an Article 6 lawful basis.

The most likely Article 6 lawful bases will be:

• Article 6(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
• Article 6(d) – processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Article 6(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In certain circumstances, legitimate interests or consent of the data subject may also be valid lawful bases but the decision will not necessarily be straightforward and data controllers should take care to select the most appropriate lawful basis.

Conditions for processing special data

As far as the Article 9 conditions for processing special data (which includes health data) are concerned, the most likely options are:

• Article 9(2)(a) - Explicit consent provided – where an individual is well enough to give consent, this may be sought from them but the balance of power is relevant to the validity of that consent. If explicit consent is to be relied upon it should be properly recorded and care taken to ensure that no undue pressure has been placed on the individual. They should understand how their information is to be used or shared and the potential implications for them.
• Article 9(2)(b) - Carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment – this will only apply to the usual processing of employee data in relation to sick leave, benefits processing etc. It will not be appropriate to use this exemption to share personal data about an individual.
• Article 9(2)(c) - Necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent – this exemption is only likely to apply in cases where an individual cannot consent to the sharing of data for themselves due to incapacity, for example, providing information about a pre-existing condition to a healthcare professional treating them.
• Article 9(2)(h) - Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment – this is likely to be the most relevant exemption in the case of a serious outbreak, where information needs to be disseminated quickly.
• Article 9(2) (i) - Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Practical steps

• If you have a DPO, involve them as well as, or in addition to, legal counsel (internal and/or external).
• Review policies and procedures.
• Carry out DPIAs and update Article 30 records.
• Ensure that, as far as is possible without compromising the safety of others, any communication you need to send out about COVID-19 does not include any data that could identify an individual who is unwell. This will require case by case analysis because an identifying disclosure may be necessary in some cases and is permitted even without the consent of the individual who has been diagnosed, if the circumstances are serious enough (eg because other members of a team in close proximity to the sick individual need to be tested or isolated).