As of today, the coronavirus COVID-19 is affecting 124 countries and territories around the globe, calling on governments and businesses worldwide to face an emergency situation that might continue for longer than expected. During these troubled times, with the prospect of a global health crisis ahead, privacy and the protection of personal data surely do not seem like a priority. Nonetheless, data protection authorities across Europe are urging everyone to take appropriate steps to ensure that the measures taken to contain this pandemic do not unnecessarily impact everyone’s right to privacy. This short article aims to provide an overview of the relevant data-protection aspects in the management of this situation, providing a useful list of dos and don’ts for data controllers and processors.
Repeat with me: personal data and privacy rights are NOT absolute rights
Let’s start with one consideration that should be firmly in the minds of privacy experts in this moment of great uncertainty: privacy and the right to the protection of personal data are not absolute rights. Indeed, not all fundamental rights are absolute rights: a right is absolute when it outweighs every other element, including other rights and freedoms, the imperative of saving human lives, and the protection of the efficiency of an economic system. States of emergency, national interest, and exceptional circumstances have in the past allowed for temporary limitations of fundamental rights such as the right to privacy. Having been defined as “a threat for every country, rich and poor” by the Director-General of the World Health Organisation, the COVID-19 pandemic is clearly an exceptional circumstance with the potential of leading countries into a state of emergency.
According to Article 52(1) of the Charter of Fundamental Rights of the European Union, limitations on the exercise of the rights and freedoms recognised by the Charter may be made only if they genuinely meet objectives of general interest recognised by the Union. Concerning privacy, Article 8(2) of the European Convention on Human Rights enumerates the legitimate aims that may justify infringements upon the right to respect for private and family life: ‘in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health and morals, or for the protection of the rights and freedoms of others’.
Furthermore, the GDPR adds details to these considerations. Recital 4 provides that data protection should always be considered in relation to its function in society, and balanced against other fundamental rights.
In addition, Article 23(1) GDPR allows Member States to restrict data subject rights, as well as the principles outlined in Article 5, by way of a legislative measure and respecting the essence of fundamental rights and freedoms. These restrictions, provided that they are embodied in necessary and proportionate measures of a democratic society, should aim to safeguard, among other things, ‘important objectives of general public interest […] including monetary, budgetary and taxation matters, public health and social security’.
The need to process personal data to contain a pandemic
In the case of a pandemic like this one, processing personal data is necessary to take appropriate measures to contain the spread of the virus and mitigate its effects. First, the processing of certain personal data (such as name, home address, workplace, travel information) can be useful to understand whether an individual might have visited affected areas or met with other exposed people. Second, the processing of special categories of personal data (such as health data, including body temperature) is crucial to understand whether an individual shows infection-related symptoms.
While governments acting in the exercise of their sovereign powers, including that of protecting the health of their citizens, are not subject to standard data protection rules, public and private organisations must be well aware of what they can and cannot do.
The existence of a legal basis remains essential even in emergency circumstances. In this context, relevant personal data other than special category data can be processed in accordance with both Article 6(1)(d) and (e) GDPR. These legal bases allow the processing of personal data that is either a) necessary to protect the vital interests of individuals (i.e., to save lives) or b) necessary to safeguard the public interest or in the exercise of official authority vested in the controller. Keeping in mind that public interest can only be determined by the law of the Union or of a Member State, Recital 46 GDPR explicitly mentions the monitoring of epidemics as a circumstance in which the processing may serve both important grounds of public interest and the vital interests of data subjects.
Concerning health data, a legal basis can be found in Article 9(2)(i) GDPR, and further guidance is provided by Recitals 52 and 54 GDPR.
According to the GDPR, the processing of special categories of personal data is permitted when it is necessary for reasons of public interest in the area of public health, ‘such as protecting against serious cross-border threats to health’. To make this legal basis actionable, not only must public health and other relevant authorities provide guidance and directions, but suitable, specific safeguards should also be implemented due to the sensitivity of these categories of data. Among the possible safeguards, controllers shall take measures aimed at: a) limiting access to the data, b) establishing stricter retention times, c) training staff, d) minimising the amount of processed data, e) keeping records of any related decision-making process. Furthermore, data security remains of paramount importance and, when dealing with health data in a pandemic, special attention should be paid to avoiding disclosure of the identity of affected individuals.
Recommendations for employers: do not forget proportionality
Following the recommendations published by the Italian, French, and Irish data protection authorities, we have produced a list of dos and don’ts for employers willing to collect and process data concerning employees to reduce the spread of the virus.
This list shows that – although the legal bases for processing data in this context allow for the exercise of additional flexibility – proportionality remains a cornerstone in the application of measures that should not be excessive or discriminatory.
Proportionality means that organisations should keep in mind that the human dignity of individuals should always be safeguarded, even in these difficult times. For example, divulging the identity of a vulnerable person (such as a COVID-19-affected employee) is rarely necessary and – in most cases – mentioning that an employee of a certain department has contracted the virus could be equally effective in warning their colleagues of a potential exposure. By contrast, divulging the name could lead to discrimination and long-term social exclusion. Therefore, it is extremely important to ensure that such risks to individuals are carefully assessed during business continuity planning.
| What you can do | What you cannot do |
|---|---|
| Educate and invite your employees to provide voluntary and individual information to you or to competent health authorities | Collect health data (such as body temperature measurement) in a systematic and generalized manner without the directions of public health authorities |
| In the event of a voluntary report, collect and store information about the identity of the person affected by the virus to assist health authorities with their statutory tasks | Collect information (such as travel history) through mandatory and individual inquiries/requests/questionnaires without justification on necessity and proportionality |
| Only collect health data if requested by competent authorities | Use CCTV to monitor compliance with health and safety rules (such as the ‘no handshake policy’) |
| Conduct a risk assessment to evaluate the implications of measures aiming to avoid the spread of contagion | Disclose the information that an employee has contracted the virus to their colleagues |
The bottom line
Data protection and privacy will not stand in the way as Europe and the world fight COVID-19. However, the existing waivers are not unlimited. It is necessary that each of us considers whether each measure is proportionate for the purpose we want to achieve and whether the same result can be achieved by less intrusive means.
Should you need further guidance to understand how you should behave in these emergency circumstances, our Trilateral Data Protection and Cyber Risk Team is available to help.