Data Protection and the coronavirus: Key measures your business should be taking

Lawfulness

The GDPR requires that all personal data is processed lawfully. A legal (or lawful) basis for processing must be satisfied before an organisation can process any personal data. Without this, processing cannot take place.

The personal data processed in relation to COVID-19 is mainly health data relating to the physical health of a natural person and providing information on his or her state of health. For example, if you gather information about the symptoms of an illness or measure a fever. If you inform third parties about cases in your organisation, this also constitutes the processing of health data.

Health information is sensitive information. Under GDPR it is a special category of personal data. In order to lawfully collect and use information relating to a person’s health, organisations must satisfy not only a ground under Art. 9 of the GDPR, but also sections 10-11 and parts 1 and 2 of Schedule 1 of the DPA.

As the World Health Organisation (WHO) has declared Covid-19 a pandemic, Art. 9(2)(g) serves as a legal basis. According to this provision, collecting health data is allowed as an exception for non-public bodies (including companies) where the processing is necessary for reasons of substantial public interest, such as protection against threats to health. Recital 46 GDPR lists examples that may serve as a reason for processing sensitive data where it is necessary to protect the public interest. Processing for the purpose of monitoring and preventing the spread of a pandemic such as the coronavirus is therefore justified.

However, it should be noted that organisations will also need to be able to sufficiently justify the processing by being able to show that it is a necessary, reasonable and proportionate way of meeting the relevant rights or obligations. Even in exceptional cases, such as those caused by the Corona pandemic, the rights of individuals must be adequately assessed.

Balancing of interests

As explained above, in addition to having a legal basis, the processing has to be necessary. Moreover, the data minimisation principle must be complied with. Therefore, organisations should always think about whether the personal data processed is adequate, relevant and limited to what is necessary in relation to the relevant purpose.

Organisations should not be tempted to ask for irrelevant information about their employees. Make sure you only ask questions when it is necessary, for example, for managing immediate health risks and making decisions about required action. Reasonable questions to ask are, for example:

• Questions about symptoms of the disease
• Questions on recent travel history
• Questions about contact with individuals who may be infected or with healthy individuals if the respondent is suspected of being infected

This will require the interests of the individuals and organisations to be weighed up to ensure that an organisation’s legitimate interests are not outweighed by the rights and freedoms of the individual.

Example: temperature screening

Personal health data is gathered when an individual’s temperature is measured. This is also an intrusive means of achieving this purpose. Firstly, a person infected with the coronavirus does not necessarily have a fever, so measuring his or her temperature may not clearly identify the person as a carrier of the virus. Secondly, fever is not a decisive symptom and when an increased body temperature is detected, it does not necessarily indicate a coronavirus infection. Finally, since the incubation period is up to 14 days, an individual, even if suffering from an attack of coronavirus with a fever, may have had an unidentified form of the virus for some time beforehand.

Thus, temperature measurements are not an appropriate means of unambiguously detecting coronavirus infections and do not meet the criterion of data that is sufficient to fulfil the stated purpose (Art. 5(1)(c) GDPR). Therefore, questioning employees about coronavirus-specific symptoms, especially when returning from risk areas should be considered.

Example: smartphone tracking

Tracking employee movement and the people they contact by using smartphone location data represents a clear breach of data protection law. Again, it is questionable whether the accuracy of the location data gathered serves the intended purpose, especially since less intrusive methods are available. Data should be collected through questionnaires or by requiring employees to provide details of their travel plans.

Processing data related to coronavirus monitoring

Once employee personal data relating to the coronavirus is legally processed further considerations should be taken into account:

• The data minimisation principle in Art. 5(1)(c) GDPR requires the identification of data that is necessary and is sufficient to fulfil a specified purpose. Such information only may be stored. For example, you should not store data on the whereabouts of your employee, if the location is not considered a risk area. If a location is considered to be a risk area, it is not necessary to store the exact location, only the fact that the employee has visited a risk area.
• Update your records of processing activities pursuant to 30 of the GDPR and Section 61, Chapter 4 of the DPA. The processing of coronavirus data must be documented including the length of time the information will be retained.
• Make sure that you provide data subjects with comprehensive information about the processing of their personal data (Art. 13 and 14 GDPR), such as information about the purpose of the processing and its legal basis. You should check whether your HR privacy notice covers such processing. If you collect information about other individuals (e.g. visitors), you could include a privacy notice on the forms/questionnaires used to collect their data.
• Data related to an individual’s health should only be retained for the period necessary for controlling the spread of the virus and to take immediate action. Once the purpose is fulfilled, you should delete the data. If you keep paper copies of sensitive data, you should ensure that they are shredded or destroyed. A detailed data retention and deletion policy is advisable.
• Any sharing of data related to the coronavirus should be subject to careful consideration. If the process is outsourced to a service provider, an Article 28 GDPR contract must be concluded with the supplier. If data is shared with entities outside of the UK and (during the transition period) the EEA, appropriate third country measures are required. If data sharing takes place with a third party (e.g. public authority, hospital) proportionate due diligence should be carried out to ensure that such a transfer is lawful.

Conclusion: Exceptional circumstances should not undermine data protection

The global outbreak of the coronavirus poses a major challenge for companies in particular. In order to contain the pandemic, certain exceptions permit private organisations to process sensitive health data related to the fight against the coronavirus.

However, the privacy of employees and other individuals still needs to be considered. Permissible use is limited and needs to be balanced against an organisation’s duties, rights and interests; for example, an employer’s health and safety obligations in the workplace, it’s duty of care and it’s responsibility to ensure that the business is resilient.

As a data controller, you have an obligation not only to prove that you comply with all legal requirements when monitoring corona infections but also to protect the rights of the individuals concerned.

Finally, please note: If you do allow your employees to work from home, we have compiled a number of useful recommendations.