Coronavirus: overcoming data protection challenges
Covid-19 data questions
09 March 2020
While the coronavirus continues to spread, companies are multiplying measures to prevent the coronavirus ("COVID-19") from contaminating their premises and staff. These measures sometimes require them to collect, analyze and share information about individuals. Though the use of individuals' information in that context is usually necessary to comply with health and safety regulations, it nonetheless raises data protection challenges.
What types of personal data can be collected, and how? Can it be shared with group companies, and with entities outside the group such as service providers and authorities? Very often, these questions emerge in the employer – employee relationship, but they also arise when dealing with other stakeholders who are in contact with the workplace, namely customers, contractors and other visitors.
This Q&A outlines some of the key steps to keep COVID-19 containment in line with GDPR requirements (with respect to both employees and other stakeholders), and briefly addresses other privacy laws from different regions of the world. Of course, there is no valid "one-size-fits-all" approach under data protection law, so these steps should be adapted to the specificities of each contemplated COVID-19-related measure.
UNDER THE GDPR
Q: Does the GDPR allow companies to collect travel and health data for COVID-19 containment (e.g. information on recent travels, exposure to contaminated individuals, symptoms)?
Travel data can be collected provided the company complies with essential principles such as transparency, lawfulness and security. Health data collection is prohibited in principle, but there are exceptions to that rule, as explained below. Naturally, in crisis situations such as the COVID-19 epidemic, meeting GDPR requirements will be easier if ongoing compliance processes are already in place. [As a reminder, companies outside the European Economic Area (EEA) should not assume that they are outside the scope of the GDPR. Rather, they should proactively assess whether their data uses are caught by the GDPR's extraterritorial provisions (e.g. a US company administering COVID-19 questionnaires to EEA employees via its establishment in France could be subject to the GDPR for this activity).]
Q: How to lawfully collect such personal data under the GDPR?
Before collecting the data, the company should take the following steps:
- Lawfulness: the legal basis for using data should be identified on a case-by-case basis. In the COVID-19 containment context, the "legal obligation" basis – provided collecting data is necessary to comply with an EU or local European law – or "legitimate interests" will likely be considered appropriate legal bases. Conversely, the conditions for using "consent" or "vital interests" as legal bases are less likely to be met;
- Sensitive data: the GDPR broadly defines health data as any information related to an individual's physical or mental health. Therefore, health data not only covers information that is "obviously" health-related (such as a description of symptoms) but also more general information (e.g. the fact that an individual has called in sick). Before collecting any health information, the company must ensure it meets one of the conditions for handling sensitive data, in addition to the legal basis mentioned above. In particular:
  - In a work environment, the company should identify the EU or local European law – in the field of employment or public health – that permits the health data collection. For instance, that law may consist of an employer's legal obligation to ensure workers' health and safety, which justifies measures to limit the spread of the virus;
  - In certain (rare) circumstances, explicit consent may work;
- Transparency: individuals about whom personal data is collected should receive a privacy notice, before or at the moment of collection, which details the main characteristics of the data use. The company can either (a) update existing privacy notices if they do not cover disease containment or (b) create a new privacy notice dedicated to COVID-19;
- Data Protection Impact Assessment (DPIA): given the nature of COVID-19-related data processing activities – e.g. they may involve sensitive data and evaluation of health risks – a DPIA would likely be required under the GDPR, and, in this context, the related safeguards would have to be implemented.
Q: What personal data could be collected?
Companies should only collect necessary personal data. In the context of COVID-19 containment, this means collecting the minimum information (see below for more details) needed to evaluate the risk that an individual carries the virus and take proportionate, risk-based measures.
Data likely deemed necessary
- Presence of COVID-19 symptoms
- Confirmation as to whether the person recently traveled to the epidemic's "hot zones", which currently include China and other countries such as Italy, South Korea, Japan and Iran. Information can cover both professional and non-professional travel
- Close contact with individuals who have recently been in "hot zones" and/or showing COVID-19 symptoms
Data unlikely deemed necessary
- The person's nationality
- The identity of the individuals to whom that person has been exposed
- Visited countries that are not "hot zones" or countries visited before the incubation period
Of course, what is considered necessary information may evolve as scientists learn more about COVID-19.
Q: How should personal data be collected?
In terms of data collection method, the least intrusive option should always be selected. This may require adopting a gradual, risk-based approach, for instance:
- Administer questionnaires with targeted yes / no questions to carry out a first screening of individuals' COVID-19 risks. Review the questionnaires to ensure only needed information is collected. On the basis of the initial screening's results, notify individuals presenting high contamination risks of the measures taken to limit their interactions with the workplace;
- Request individuals who provided incomplete or improperly completed questionnaires to confirm the information.
Moreover, some organisations are asking whether they could implement, or have third parties implement, medical tests (e.g. temperature scanning, blood tests). These would raise many issues, both from a GDPR standpoint (given the intrusiveness of such tests) and from other perspectives (e.g. the right to bodily integrity, doctor-patient confidentiality).
Q: Does the GDPR allow companies to outsource the collection and analysis of COVID-19-related personal data?
Yes, provided this outsourcing does not reduce the level of data protection. In particular, the company should engage with service providers having the capacity to comply with GDPR obligations – as demonstrated by audit reports and labels – and formalize the relationship with an appropriate data protection agreement.
Q: Can a company share COVID-19-related personal data with others?
Yes, if it is absolutely necessary (e.g. involvement of a contractor or a group company needed to implement sufficient health and safety measures) or mandatory (e.g. sharing of information with government agencies). In any case, such data sharing should take place in compliance with all GDPR requirements (e.g. determination of a legal basis, information of the concerned individuals, data minimisation, implementation of security measures, entering into appropriate data protection provisions).
For the sake of transparency, a company may inform its staff about the infection of others (e.g. employees, visitors), provided it does not communicate personal information (e.g. the names or positions of the infected individuals).
BEYOND THE GDPR
Q: What are the legal requirements beyond the GDPR?
Strict data protection laws – some of them GDPR-inspired – are being adopted all over the world. Companies taking COVID-19 measures in various jurisdictions should ensure they address local requirements. For example:
- Local European laws: European countries have often adopted stricter requirements than the GDPR in the fields of employment and health. A company should not assume that, by complying with the GDPR, it automatically complies with European local privacy laws.
- China: The People's Republic of China (PRC) government has reinforced data protection requirements during the COVID-19 outbreak. Where a company wishes to process an individual's personal data in order to prevent and control the spread of COVID-19 (e.g. information on whether he/she (i) is infected, (ii) has been in direct contact with infected persons, or (iii) recently travelled to or from certain cities), it will need to obtain his/her prior consent. That said, simple implied consent (i.e. asking an individual to provide relevant information before entering the workplace, and such individual voluntarily providing the requested information) may suffice. Moreover, companies will have to comply with PRC law principles of lawfulness, necessity and minimization.
- Australia: Under the Australian Privacy Principles (APPs), sensitive information (which includes health information) is generally afforded a higher level of privacy protection than other types of personal information. Consent of the individual would likely be required if a company wishes to ask questions in relation to his/her health in the COVID-19 context. Moreover, strict obligations would apply in respect of the use and disclosure of this sensitive information (including any disclosure to an overseas recipient).
- Hong Kong: A company may process an individual's identity, location and health-related data without collecting his/her consent, if processing the relevant data is necessary to avoid causing serious physical or mental harm to individuals (this could be the case in the COVID-19 context).
- Singapore: A company may collect, use and disclose an individual's personal data (e.g. identity, location and health-related data) without collecting his/her consent, provided that the contemplated processing is necessary to respond to an emergency that threatens the life, health or safety of other individuals (this could be the case in the COVID-19 context). In addition, the relevant company should ensure that it has security arrangements in place to protect the personal data at stake from unauthorized access or disclosure.
- United Arab Emirates (UAE): The Dubai International Financial Centre (DIFC) financial free zone and the Abu Dhabi Global Market (ADGM) financial free zone have their own data protection regulations that apply to companies incorporated within those free zones. DIFC and ADGM's data protection requirements are similar to those provided for in the GDPR. In addition, consent of the individual would likely be needed if health-related data were to be disclosed by a company to third parties.
Should you have any questions or need assistance in the management of COVID-19-related information, please do not hesitate to reach out to us.