Responses to the COVID-19 pandemic involve a fluid, data-forward approach in many jurisdictions, with the gathering and processing of personal data forming a key part. But how does this sit with data protection laws – is it a case of ‘needs must’ and ‘anything goes’, or will the same framework and enforcement process continue to apply, possibly restricting how we can use personal data as a tool to combat the spread of the virus? The EDPB and ICO have released (related) guidance to try to address this question (you can read the EDPB guidance here and the ICO guidance here).
The EDPB guidance acknowledges that governments, public bodies and private organisations are inherently processing personal data as part of measures to contain the spread of COVID-19, specifically looking at the following key topics:
- Lawfulness of processing. As the EDPB notes, processing of personal data by public authorities and employers is permitted by the GDPR in the context of an epidemic without the need for consent from the data subject. This is provided that such processing complies with national law and the conditions therein (e.g. the processing is necessary for reasons of substantial public interest in the area of public health).
- Core principles relating to processing of personal data. Broadly, the EDPB guidance stresses that the seven key principles of the GDPR must be upheld. It is further stressed that measures put in place to manage the current emergency, and the underlying decision making, should be properly documented.
- Use of mobile location data. Some Governments have sought to use location data contained in data subjects’ mobiles phones to contain the spread of COVID-19 (e.g. by mass texting public health messages). In such circumstances, the EDPB reminds that location data should only be processed with the consent of data subjects, or when anonymised.
- Employers. The EDPB guidance addresses a number of key questions that employers may have:
- Can employers require visitors or employees to provide specific health information in the context of COVID-19?
- Is an employer allowed to conduct medical check-ups on its employees?
- Can an employer disclose that a member of staff has been infected with COVID-19?
- In the context of COVID-19, what information can be obtained by employers?
The ICO have considered the impact COVID-19 may have on both employers and health practitioners, by providing answers to assumed key questions. Unsurprisingly, there is some overlap between the two sets of guidance. The ICO notes that (amongst other things):
- It will not penalise organisations that need to divert attention away from usual compliance or information governance work in order to prioritise other areas or adapt their usual approach.
- Data protection and electronic communication laws do not stop Government or health professionals sending public health messages to people, as these messages do not constitute direct marketing.
- Staff should be informed about cases involving colleagues, albeit more information than necessary (e.g. colleague names) should not be provided.
- Employers have an obligation to protect their employees’ health, but that does not mean it is necessary to collect significant amounts of information.
- It is unlikely that organisations will need to share information with authorities about specific individuals, but if it is necessary to do so, organisations should not be stopped from doing so by data protection laws.
The EDPB and ICO have each stressed that necessary COVID-19 related data processing should not be prohibited by data protection laws. That said, any processing of personal data in the current circumstances must still be compliant with existing data protection law, and the onus remains on controllers and processors to comply with their legal obligations. However, the ICO has indicted that leniency may be shown to organisations who have had to divert staff away from compliance to focus on other areas of their business but it remains to be seen what this means in practice.