DATA PROTECTION AND CORONAVIRUS
This is a live document and was last updated on the March 26th 2020
Important information about Coronavirus and data protection.
Coronavirus is already beginning to change the way we run our organisations. It is not only highly contagious, but those infected may not show any symptoms during its early infectious stages. This makes it very important, for public health reasons, that people who are potentially exposed to the virus are informed and that steps are taken to mitigate the spread. Despite the comments in a Tweet from Matt Hancock, The Health Minister, on the 18th March, this is where the General Data Protection Regulation ("GDPR") and public health might be at odds. How do you protect the privacy of people who have been infected or potentially infected, while still keeping individuals informed about the risk? Health information is sensitive information. With the potential for social values to change in a time of crisis, the danger of identifying those diagnosed with Coronavirus include the potential for intimidation or humiliation and even becoming the victim of fraud. So, during this public health emergency, how do you balance your obligations?
As organisations struggle to get new procedures and process in place, you need to focus on how the data protection laws apply to this unusual event. Here are some top tips for ensuring data protection compliance during and after the coronavirus pandemic:
1. The law remains the same.
It is inevitable that organisations may need to collect and use personal information about their employees, volunteers and service users in order to best advise them on how to limit the risk of exposure. It is equally important not to forget that, although this is an emergency, the requirements of data protection law still apply to any personal information that an organisation uses for these purposes.
2. Health information is sensitive information: Don’t collect more information that is strictly required.
The GDPR says that information about health is a "special category of personal data", requiring a much higher level of protection. This means that to lawfully process such information about its employees, the organisation will need to satisfy the requirements of Article 9 GDPR.
The most useful basis for processing which will enable an employer to protect its people in relation to coronavirus will most likely be Article 9(2)(b) ("employment, social security and social protection"). This is because there is a requirement under the Health and Safety at Work Act 1974 for organisations to take all reasonable steps to look after the health, safety and wellbeing of staff and other people who maybe affected by the actions of the organisation. As such, it is reasonable for organisations to collect certain information (such as information about a diagnosis) as part of the organisation's general duty to safeguard staff.
However, there is still a limit as to what information employers should try to collect about its employees or volunteers for the purposes of health and safety. The guidance makes it clear that, although employers will undoubtedly need to interact with their staff and volunteers in relation to coronavirus, this is typically more to do with information provision and assistance to staff, rather than collecting information for any kind of preventative strategy. Instead, it is for the NHS and other health professionals to be responsible for identifying cases and advising on the appropriate steps that should be taken.
Therefore, it seems that organisations cannot oblige employees or volunteers to disclose information about the presence of coronavirus symptoms. Instead and for the purpose of preventing the spread of coronavirus, data required must be processed by individuals who have the correct qualifications to do this such as doctors or nurses.
As the spread of this virus continues, make sure you are up to date on government advice, the government may introduce additional measures, laws or guidance in relation to how you are permitted, or expected, to operate in relation to coronavirus.
3. Does this mean that I can't collect information about coronavirus to guide my organisation through the crisis?
No. If an organisation is collecting information to help it respond to the coronavirus crisis in order to protect the health, safety and wellbeing of its staff. This will typically be possible under 9(2)(b) grounds and can be done with an "act now, worry about it later" mentality, or in rare circumstances, under Article 9(2)(c) ("the vital interest condition"). Employers may also be able to rely on Article 9(2)(h) GDPR ("health and social care") to help it manage employee absences resulting from coronavirus. This will inevitably increase the organisational compliance burden.
For example, if attempting to rely on substantial public interest grounds under Article 9(2)(g) GDPR in order to use health related information about coronavirus, an organisation would be expected to carry out a legitimate interests assessment ("LIA"), to ensure that its legitimate interests are not in conflict to the rights and freedoms of the individuals concerned. The organisation is also likely to have to carry out a Data Protection Impact Assessment ("DPIA") as this type of processing may be considered to be a new activity.
In addition, as ever, if the organisation is subject to the UK Data Protection Act 2018 and intends to rely on certain provisions of Article 9 of the GDPR, then the organisation will also need to satisfy a condition in the act. When using these grounds to justify processing of coronavirus information, the organisation should be sure to keep its "appropriate policy document" and Article 30 GDPR records of processing activities up to date, to reflect the requirements of the Data Protection Act 2018.
4. Who needs to know? Protecting personal data.
An organisation must protect the personal information that it holds to an appropriate way. For example, where information collected about its employees or volunteers in relation to coronavirus is concerned, the organisation will be expected to protect this information to a higher standard than the ‘normal’ information. Access to this information should be restricted on the "least privileged" basis.
5. Data minimisation – set a clear protocol to collect only the data you need.
A fundamental principle of the GDPR is data minimisation; no more information than is required, should be collected to fulfil the required task. In relation to coronavirus, it could be tempting to ask for all sorts of information about your employees – for example, details about their friends', family members, children, locations and venues they may have visited and information about their social activity. Be sensible when asking employees to provide personal information, don't ask for more than you genuinely need. If you receive information from an individual that is not relevant appropriate or reasonable, delete it.
6. Fair and Transparent.
As with any use of personal information, it should be clear to the individual why the organisation is collecting the information, how it will be used and what the data subject's rights are in relation to the processing. If the organisation finds that it needs to collect new types of data specifically to deal with a coronavirus issue, do ensure you notify your employees about this prior to collecting such data unless you are relying on an exemption to the law. Provide regular updates to them as the situation develops explaining what new information may be required and how it will be used, apply a ‘reasonable expectation rule’.
7. Keep your information accurate and up to date.
Another of the underlying principle of the GDPR is data accuracy. In relation to coronavirus information, make sure that you keep accurate records. Not only is this a required by the GDPR, but inaccurate information is more likely to undermine the effectiveness of your procedures.
8. International data transfer.
Organisations that operate internationally may also want to share information collected about their employees and the coronavirus risk across the organisation in order to establish a more holistic view of risk. The GDPR requires that personal information that is transferred outside the EEA be protected by appropriate safeguards.
9. Delete what you don't need without delay.
GDPR requires that personal information is deleted once it is no longer required for the purpose for which it was collected. The organisation should be sure to delete any information it has collected in relation to coronavirus including all versions and duplications, once the threat has subsided.
10. Unsupervised staff & volunteers
If you normally supervise staff, for example when taking donation payments over the phone, think about how to ensure a secure environment. An increase in fraud is almost inevitable at times like this. Ensure staff are clear about their responsibilities and the new processes you may have instigated.
11. Breach management plan
Make sure that staff understand what a data breach is and how to identify one. What to do and how to report it. Training staff in how to work from home will help you to avoid breaches. Remember, any loss, unauthorised disclosure or access to data is technically a breach of the regulation.
In summary, there is much to consider during the coming weeks and months. In many settings, data will be processed in a new and unprecedented way. Wherever there is any doubt, there is no doubt that you should seek appropriate professional advice and guidance before proceeding.
Data Protection Practitioner