The spread of COVID-19 may result in data controllers having to begin new processing operations, many of which will involve sensitive personal data (which includes health data). The important thing to remember is that while some jurisdictions have passed specific legislation to permit the sharing and other processing of health data, the GDPR and DPA18 continue to apply in the UK. While the GDPR was never designed to defy common sense and block data usage whenever businesses and countries face such major public issues, neither was it intended to be swept aside entirely and, in fact, the legislation does provide for these sorts of circumstances subject to the usual safeguards.
In particular, there must be a lawful basis for each processing operation, and a condition for processing special data must apply where appropriate. DPIAs may need to be carried out quickly, and transparency requirements must be fulfilled. As with all areas of GDPR compliance, you must be able to demonstrate accountability and, owing to the sensitive nature of the data being processed, data security is vital. The data protection principles will, of course, apply as usual, so continue to observe the principles of data minimisation, purpose limitation and data retention.
For those involved in clinical trials or research into the virus and its effects, again, the GDPR will apply as usual (see here for more on GDPR and life sciences), but data controllers should pay particular attention to implementing appropriate technical and organisational measures such as pseudonymisation and anonymisation.
Any processing of personal data relating to COVID-19 is highly likely to include sensitive personal data. This means that an Article 9 condition must be met in addition to the application of an Article 6 lawful basis.
The most likely Article 6 lawful bases will be:
In certain circumstances, legitimate interests or consent of the data subject may also be valid lawful bases but the decision will not necessarily be straightforward and data controllers should take care to select the most appropriate lawful basis.
As far as the Article 9 conditions for processing special data (which includes health data) are concerned, the most likely options are: