As governments and organisations put COVID-19 response plans into action, it’s highly likely that most, if not all, will be processing personal information. Although attention may be focused on the many practical issues that arise, it’s important that the protection of privacy is also considered. Regulatory requirements need to be met even in these highly unusual circumstances.
The European Data Protection Board (EDPB) recently issued a helpful statement, which concluded that privacy regulation (such as the General Data Protection Regulation (GDPR)) is not there to hinder actions to tackle the COVID-19 outbreak.
Nevertheless, governmental, public and private organisations still need to act with care: when processing any information as a data controller or data processor, they must continue to ensure the protection of the personal data of the data subjects. In addition, and as for any processing activity, there must be a fully justified lawful basis for the processing of the personal information, especially given that the information is likely to relate to health or special categories.
The GDPR does cover the processing of personal information in a scenario such as COVID-19. In the context of an epidemic, in the interests of protecting the health of the public, health authorities are allowed to process individuals’ personal data without having to obtain their consent.
There has, however, been a lot of debate around the use of personal information in the context of employment. Employers are prohibited from processing special category information (i.e. health information) unless a derogation can be triggered. Substantial public interest reasons, such as protecting public health, would trigger such a derogation, as would reasons based on Union or national law, or the need to protect the vital interests of the data subject. Employers can therefore process such personal information without having to obtain consent, provided one of these derogations applies.
The guidance produced by the EDPB also provides some useful tips for employers when thinking about processing personal information in respect of COVID-19:
- Employers can only ask employees to provide specific health information in relation to COVID-19 to the extent that national law requires it.
- Employers should not be carrying out medical checks on employees specific to COVID-19 unless their own legal requirements linked to national laws on employment or health and safety require it.
- If any employee tests positive for COVID-19, the employer has a responsibility to inform fellow employees so they can take protective measures. Where disclosure of the employee's identity is required, national law must allow this and employers must inform the individual in advance, while protecting their dignity and integrity.
- Employers can only request and collect information in respect of COVID-19 in order to fulfil their organisational responsibilities in line with national legislation.
It is also important that data controllers and data processors (whether they are public authorities or public or private organisations) remember the core principles of data protection regulation. For example, it’s important to ensure that the processing of personal information collected in relation to COVID-19 is for a specific purpose.
It is also imperative that all data subjects receive transparent information around the processing of their personal data. This information should be provided to the data subject at the earliest point possible and remain easily accessible.
The emergence of COVID-19 does not change the fact that an organisation should have a strong privacy control environment in place when processing individuals’ personal information. Despite the unusual current circumstances, it is imperative that organisations understand the regulatory requirements to avoid unnecessary interactions with regulators in future.
BDO has a specialist privacy team who can advise your organisation about the processing of information in respect of COVID-19. For further help, please contact Christopher Beveridge.