What happens to data protection in a global health pandemic?
Data protection compliance is probably the last thing on most people’s minds right now as businesses struggle to adapt to the financial and resourcing challenges brought by Covid-19. At the same time, most of us are probably processing more personal data than we normally do as part of our efforts to deal with this thing – particularly data relating to staff health and domestic circumstances.
Both the Information Commissioner’s Office (ICO) in the UK and the European Data Protection Board (EDPB) in the EU have recently issued statements on data protection during the coronavirus pandemic.
The ICO’s statement is quite reassuring, showing that the ICO recognises the unprecedented challenges organisations are facing during the pandemic and that organisations might need to share information quickly or adapt the way they work.
The ICO’s key message is that data protection law doesn’t stop organisations doing what they need to do and that it’s about being proportionate in the way personal data is used – If something feels excessive from the public’s point of view, then it probably is.
Key points of the ICO’s statement are:
- Responding to data subject requests and compliance generally: although the ICO can’t extend the statutory timescales for data protection compliance, it understands that staff and expenditure may currently be diverted from usual compliance work and won’t penalise organisations that need to adapt their approach during this extraordinary period.
- Public health communications and processing: The Government, the NHS and health professionals can send public health messages using all forms of technology including phone, text, or email – these are not marketing messages and do not require consent. Public bodies may also need to undertake additional collection and sharing of personal data to protect against serious threats to public health.
This is unlikely to have direct application to private sector businesses, except that where public bodies use private providers’ software/communications services to send such public health messages or to collect, process and share personal data for public health purposes, such providers can feel assured that the ‘processing instructions’ from the public body are lawful, and may be called on to provide assistance with data security, impact assessments and responding to data subjects’ enquiries.
- Working from home: Data protection law is not a barrier to home-working, but information security considerations should be borne in mind when staff are using their own devices and communications equipment at home – i.e. businesses need to ensure that information security and data protection compliance are not compromised as a result. See our forthcoming blog post on home-working and data security and compliance.
- Telling staff about Covid-19 cases at work: employees should be kept informed about cases in their organisation, but employers shouldn’t provide more information about individuals than is necessary, e.g. it may not be necessary to name them. Employers have an obligation and a duty of care to ensure the health and safety of their employees and data protection law doesn’t prevent this.
- Collecting health data relating to Covid-19: Organisations have an obligation to protect their employees’ health, but shouldn’t collect more data than they need for that purpose and should protect any information collected with appropriate safeguards. The ICO suggests it is reasonable to ask people to tell their employer if they have visited a particular country or are experiencing symptoms. It also suggests asking visitors to consider government advice before they decide to come and advising staff to call 111 if they are experiencing symptoms or have visited particular countries as ways of minimising the information organisations need to collect. (However, anyone with experience of calling 111 recently or who has reason to doubt the adequacy of government advice or the reliability of individuals might be reluctant to take that approach.)
- Sharing information with public authorities about specific employees for public health purposes: Data protection law will not prevent this.
The overall message is that the ICO will adopt a common-sense approach to data protection enforcement in the midst of the extraordinary circumstances we are all facing.
The EDPB statement takes a sterner and more academic approach, saying that although the fight against communicable diseases is a valuable international goal which should be supported in the best possible way, even in these exceptional times, organisations must ensure the protection of personal data.
It is also aimed at a ‘higher’ level, addressing government/state actions more than that of individual businesses, emphasising that any measures taken to address Covid-19 must respect the general principles of law and must not be irreversible, and that although emergency circumstances may legitimise restrictions of freedoms, they must be proportionate and time-limited to the emergency period. (Relevant UK measures can be found in the Coronavirus Bill.)
Some key points in the EDPB statement are:
- Lawfulness of processing by competent public authorities: competent public authorities (e.g. public health authorities) can process personal data, including special categories such as data relating to health, without data subject consent, using other legal bases under GDPR Articles 6 and 9, particularly when it falls under the legal mandate of the public authority provided by national legislation and the conditions enshrined in the GDPR.
- Lawfulness of processing by employers: processing of personal data may be necessary for compliance with legal obligations to which employers are subject such as obligations relating to health and safety at the workplace, or necessary to the public interest, such as the control of diseases and other threats to health. The GDPR also contains derogations to the prohibition of processing of special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health and on the basis of EU or national law (Article 9(2)(i)), or where there is the need to protect the vital interests of the data subject (Article 9(2)(c)).
- Employment and Covid-19: the EDPB gives similar guidance to the ICO:
- Employers can require visitors or employees to provide specific health information in the context of Covid-19 to the extent that national law allows it.
- Employers may perform medical check-ups on employees if national laws permit it and should only process health data if the legal obligations they are subject to require it.
- Employers should inform staff about Covid-19 cases and take protective measures but should not communicate more information than necessary. If it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.
- Employers can obtain information processed in the context of Covid-19 to fulfil their duties and to organise work in line with national laws.
- Processing telecoms data such as location data: national laws implementing the ePrivacy Directive (e.g. the Privacy and Electronic Communications Regulations in the UK) must be respected. Location data can only usually be used by an operator when made anonymous or with the consent of individuals, but Article 15 of the ePrivacy Directive enables Member States to introduce laws to restrict this obligation to safeguard public security. Such laws must constitute a necessary, appropriate and proportionate measure, be in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms, be subject to the judicial control of the European Court of Justice and the European Court of Human Rights and strictly limited to the duration of the emergency.
Any such new laws may have direct application to providers of telecommunications services, who may be asked to provide telecoms data in relation to Covid-19 measures under new powers granted by emergency legislation.
- Use of mobile location data: this issue features heavily in the EDPB statement, presumably in response to indications that phone location data could be deployed as part of measures to monitor, contain or mitigate the spread of Covid-19, such as geolocating individuals and sending public health messages to individuals in a specific area by phone or text message. The EDPB states that:
- Public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”).
- Personal data protection rules do not apply to data which has been appropriately anonymised.
- When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security as described above under Article 15.
- If measures allowing for the processing of non-anonymised location data are introduced, governments must put in place adequate safeguards, such as providing individuals of electronic communication services with the right to a judicial remedy.
- The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).
This issue may become relevant to private providers of telecommunications and data processing software services over the coming months if public authorities ask to use their services to implement such measures.
The take-home message from the two statements is that data protection law shouldn’t prevent organisations from taking necessary steps to address Covid-19, and that although they will still be expected to comply with the law, the ICO at least recognises the unprecedented circumstances facing businesses and will not penalise organisations who struggle to comply fully as a result. Businesses who provide telecommunications or data processing software services may find themselves at the forefront of the inevitable battle between privacy and other basic human rights and new emergency powers of the Government and public authorities to tackle Covid-19.