‘…even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects’, Andrea Jelinek, Chair of the European Data Protection Board
The European Data Protection Board’s advice
During epidemics and pandemics, employers and public health authorities can process health data lawfully without the need to obtain the explicit consent of the data subject. This applies when processing personal data is needed to protect public health, to protect vital interests, or to comply with another legal obligation.
Key guidance
Remote working: check that appropriate IT security assessments and data protection impact assessments have been undertaken. Take this opportunity to remind staff about internal data protection, information security policies, and their responsibilities to safeguard personal data processed by the organisation.
Processing health data: there are some variations between EU member states’ guidance. However, in most jurisdictions it will not be appropriate to proactively collect coronavirus health information about staff, family, or friends. The principles of proportionality and minimisation are key.
Data Protection Authority specifics
Germany, DSK: in order to combat the pandemic, employers may process the personal data of employees, as well as guests and visitors if:
- they are infected with the coronavirus;
- they were in contact with an infected person; or
- they stayed in classified risk areas during the relevant period.
The legal basis for processing is the legitimate interest in conjunction with the relevant civil service law, tariff, labour, and social law regulations of national law.
France, CNIL: accepts that organisations may keep dates, times, and identities of individuals who are working remotely or in isolation. Organisations may also keep a record of the measures they have implemented as part of their pandemic response.
UK, ICO: acknowledges that employers have an obligation to ensure the health and safety of employees, as well as a duty of care. Ultimately, the welfare of staff is paramount. The naming of individuals should be on a strictly need-to-know basis and kept confidential.
Ireland, DPC: understands that many of the steps to contain and mitigate the spread of the virus will involve the processing of personal data. Data protection laws do not prevent this, but the processing should be necessary and proportionate. These decisions should be based on the direction and guidance provided by public health and other relevant authorities.
What’s happening in other parts of the world?
Singapore, PDPC: has indicated that organisations may collect visitors’ personal data without consent for contact tracing and other response measures. These measures will be in place for as long as the emergency threatens the life, safety, or health of other individuals. However, the data should not be used for other purposes without consent or authorisation under the law. Reasonable security arrangements must still be made to protect such data and to ensure that it is expunged when no longer needed.
Hong Kong, PCPD: has noted that a data subject’s personal data rights are not absolute, and the right to life trumps any other right. As such, the government may process data collected without consent, in order to safeguard the health of the data subject, or to protect public health. However, tracking employees (e.g., group chats or social media) for potential coronavirus infections requires consent.
USA: health data may be disclosed where your company receives general health data as a “covered entity” through its self-insured health plan. That information is subject to the Health Insurance Portability and Accountability Act (HIPAA).
If the information collected by the self-insured plan is specific to a threat like the coronavirus, the US Department of Health and Human Services (HHS) states that HIPAA allows disclosure “without a patient’s authorization, [of] protected health information about the patient as necessary to treat the patient or to treat a different patient.” In emergencies HIPAA also allows disclosures to:
- public health officials;
- foreign public health officials working with US officials;
- persons at risk, if authorised by state authorities, and their friends or family acting as caretakers.
The Equal Employment Opportunity Commission (EEOC) requires that any disability or medical information be kept confidential and disclosed on a need-to-know basis only. However, the employer may make enquiries or examinations when they are job-related and consistent with business necessity, specifically when there is evidence that:
- an employee’s ability to perform their duties may be impaired by the medical condition; or
- the employee poses a direct threat to others due to their medical condition.
According to the EEOC, pandemic-related inquiries do not fall under the Americans with Disabilities Act (ADA) restrictions. In this context, asking employees the following is not restricted:
- whether they have experienced flu-like symptoms;
- whether they have travelled to high-risk areas during a pandemic;
- why they are absent and how long they expect to be absent from work.
How HewardMills can help you
- Review current policies, including Bring Your Own Device (BYOD) and IT use policies, to ensure compliance
- Update notices to employees regarding working from home and email monitoring
- Provide ongoing support in relation to incidents and breaches
- Assist with data subject rights requests or complaints in this period
- Assist your HR teams in terms of what data can be collected and shared from employees, their families, and visitors under the current circumstances
- In the event of a hiring freeze or unexpected illness, provide ongoing cover and business continuity support
For further information email dpo@hewardmills.com