COVID-19: Key Data Protection issues for organisations to considerMonday, 16 March 2020
The outbreak of COVID-19 has formally been declared a pandemic by the World Health Organisation and, on Thursday, 12 March, the Taoiseach recommended unprecedented measures to be taken by organisations within Ireland to protect public health. In addition to existing disruptions, many Irish organisations will have concerns regarding the implications of their responses to the ongoing crisis under Irish data protection laws. In particular, organisations may have questions as to what extent they can process the personal and health data of their employees and other visitors to their business premises as part of their COVID-19 responses and measures to reduce infection.
Further to guidance recently issued by the Data Protection Commission (“DPC”)1 surrounding the COVID-19 crisis, ByrneWallace’s Data Protection Team have summarised the key issues and relevant recommendations for organisations below.
What is the DPC’s primary message in relation to the COVID-19 pandemic?
In their guidance, the DPC have made it clear that data protection laws do not stand in the way of the provision of healthcare and the management of public health. However, the DPC have also reminded organisations that the processing of personal data, including measures to contain the spread and mitigate the effects of COVID-19, must remain necessary and proportionate to the aims of the processing under data protection laws. It remains a principle under GDPR that if organisations can reasonably achieve the purposes of their processing in other, less intrusive ways (or by processing less data), there may not be a lawful basis under GDPR for the processing.
What are the possible legal bases for processing personal data (including health data) in response to the COVID-19 pandemic?
For GDPR purposes, health data constitutes “special category data” under Article 9 of GDPR. The processing of such health data is generally prohibited, unless that processing falls within the scope of one of the exceptions set out in Article 9(2) of GDPR.
In their guidance, the DPC indicated that the legal basis for processing in the context of the COVID-19 epidemic is likely to fall within the scope of Article 9(2)(i) of GDPR (and Section 53 of the Data Protection Act 2018), which provides for the processing of special category/health data by organisations where it is ‘necessary for reasons of public interest in the area of public health’. The DPC points to this justification for processing as being appropriate in the context of acting on the guidance and directions of public health authorities.
Employers may also have a legal basis to process personal data under Article 9(2)(b) of GDPR where such processing is carried out in accordance with their legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). Furthermore, in emergency situations, there is a legal basis to process personal data, where necessary, in order to protect the vital interests of a data subject.
What are the limitations to the legal bases to process personal data (including health data) in relation to the COVID-19 pandemic?
In addition to the requirement for processing to be necessary and proportionate (as noted above) the DPC have made it clear that organisations will still need to ensure that they implement suitable safeguards and security measures to protect the data subjects concerned. At a minimum, these measures should include:
(i) minimising the personnel who have access to the personal data;
(ii) putting in place strict retention policies and time limits in respect of any personal data processed;
(iii) ensuring that staff are adequately trained in the protection of data subjects' personal data;
(iv) putting measures in place to ensure the confidentiality of employees’ personal data, particularly where health data is concerned; and
(v) being fully transparent with employees in relation to the personal data which is processed and the reasons for such processing.
In order to maintain accountability and demonstrate compliance with GDPR, organisations should document their decision-making processes in relation to personal data processing measures taken to control and manage COVID-19.
At a practical level, to what extent can organisations process the personal data of their employees?
The DPC have indicated that employers are likely to be justified in asking employees (and other visitors to their premises such as suppliers and contractors) to confirm whether they have been in a COVID-19 affected area or are experiencing COVID-19 symptoms. Where organisations intend to implement more intrusive measures (such as, for instance, employee and visitor questionnaires), these may still be justified; however there should be a clear (and preferably documented) justification for doing so.
Furthermore, the DPC have acknowledged that employers may be obliged to disclose personal information to public authorities to enable them to carry out their functions.
Given the necessity and proportionality requirements set out above, there is likely to be a limit to the extent of this processing. For instance, the DPC have advised employers against disclosing details of COVID-19 affected employees to their colleagues in the interests of maintaining employee confidentiality. Whilst employees might be justified in informing other staff that there has been a COVID-19 outbreak, care should be taken to avoid affected employees form being “indirectly identified” from any such communication.
The ByrneWallace Data Protection/ GDPR Team comprises specialist lawyers skilled at handling all aspects of data protection, including particular expertise advising clients in the healthcare sector and life sciences on the processing of special category data, GDPR derogations and the processing employee personal data.
For further information or advice in relation to data protection and privacy issues, including issues in relation to responses to the COVID-19 pandemic, please contact Sean O'Donnell, Zelda Deasy, Brian Murphy or any member of the ByrneWallace Data Protection/GDPR Team.
Separately, we have also written an article on the Data Protection Commission’s guidance for employers and employees in relation to working from home as part of the national response to COVID-19. Please click here for details.
Please note that the content of this summary does not amount to professional advice. Legal and tax advice should be sought in respect of specific queries. The COVID-19 situation is evolving rapidly and this update is provided on the basis of information available as at 16 March 2020.
1 Data Protection and COVID-19, Data Protection Commission, 6 March 2020.