Data Protection and COVID-19
The Data Protection Commission has released the latest guidance on data protection and privacy concerns relating to the Coronavirus outbreak.
Governments, as well as public, private, and voluntary organisations are taking necessary steps to contain the spread and mitigate the effects of COVID-19, widely referred to as the ‘coronavirus’. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.
Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.
Organisations should also have regard to the following obligations:
Lawfulness
There are a number of legal bases for the processing of personal data under Article 6 GDPR, and conditions permitting the processing of Special Categories of personal data, such as health data, under Article 9 that may be applicable in this context. Among these, the following may be relevant.
In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented.[1] Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended)[2]. This obligation, together with Article 9(2)(b) GDPR, provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner, i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent.[3] This will typically apply only in emergency situations, where no other legal basis can be identified.
Transparency
Organisations processing personal data must be transparent regarding the measures they implement in this context, including the purpose of collecting the personal data and how long it will be retained for. They must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, easy to understand, and in clear and plain language.
Confidentiality
Any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.
Data Minimisation
As with any data processing, only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
Accountability
Controllers should also ensure they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.
Further Information
Further information on COVID-19, including guidance for employers and the general public, can be found on the website of the Health Protection Surveillance Centre.
Those seeking more detailed information on Data Protection obligations can consult our guidance on the basics of data protection, ensuring that any processing is in line with the principles of data protection, and identifying the legal basis which justifies the processing of personal data.
Questions
We have been asked a number of questions by organisations and employers about how they can ensure any measures carried out are compliant with data protection law; some examples include:
Can an employer require all staff and visitors to the building to fill out a questionnaire requesting information on their recent travel history concerning countries affected by the virus, and medical information such as symptoms of fever, high temperature, etc.?
As noted above, employers have a legal obligation to protect the health of their employees and maintain a safe place of work. In this regard, and in the current circumstances, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms.
Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.
There would be no data protection implications in bringing the HSE recommendations to the attention of staff and visitors, if they have recently travelled to an affected area and/or are experiencing symptoms, and requesting that they take any appropriate actions.
Any questions about the appropriate measures that should be implemented to protect against COVID-19 should be addressed to the public health authorities.
Can an employer request more specific details of their employee’s illness on medical certificates in light of the situation in relation to COVID-19?
While employers have a legal obligation to protect the health of their employees, employees also have a duty to take reasonable care to protect their health and the health of any other person in the workplace. In this regard, employers would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow necessary steps to be taken.
However, it is important to keep in mind that the recording of any health information must be justified and factual, and must be limited to what is necessary in order to allow an employer to implement health and safety measures.
Employers should follow the advice and directions of the public health authorities, which may require the disclosure of personal data in the public interest to protect against serious threats to public health.
Employees should follow the advice of their healthcare practitioners and the public health authorities in these circumstances, who will instruct them as to what they need to do if they present symptoms of COVID-19.
Can an employer send employees home from work if they are confirmed to have the virus?
Employers have a duty of care to employees to provide a safe place of work, which may require them to exercise discretion regarding access to premises. In a situation where an employee has confirmed that they have COVID-19, advice should be sought as a matter of urgency from the public health authorities as to what steps should be taken.
The decision to send employees home from work is not a data protection matter and may have other consequences for employers relating to employment law, e.g. entitlement to sick pay.
Can an employer disclose that an employee has the virus to their colleagues?
This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID-19 in the organisation and requesting them to work from home. This communication should not name the affected individual.
Disclosure of this information may be required by the public health authorities in order to carry out their functions.
[1] See Section 36 of the Data Protection Act 2018.
[2] See Section 8 of the Safety, Health and Welfare at Work Act 2005.
[3] See Article 6(1)(d) and Article 9(2)(c) GDPR.
About The Data Protection Commission
The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.