COVID-19 and GDPR
With the introduction of strict working-from-home guidelines resulting from the current COVID-19 pandemic, GDPR and data privacy concerns for companies are once again at the forefront. In the area of healthcare especially, the GDPR is well defined. Article 9(2)(i) allows personal data, including health data, to be processed without the individual's consent where doing so is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, provided the processing rests on Union or Member State law that includes suitable safeguards. In other words, the GDPR anticipated a situation like this one. In a crisis such as COVID-19, the GDPR therefore does not stand in the way of companies in the health sector processing the data they need, although it does not give them unlimited freedom either.
That said, the basic requirements still apply: the information must be kept confidential, collected for a limited purpose, kept to the minimum necessary, and secured.
FIRST TIME FOR GDPR TO BE USED IN SUCH A WAY GLOBALLY
The GDPR itself is being tested by the global nature of the COVID-19 testing processes and the sharing of information between countries for the greater good. Guidance has been issued to help companies understand the balance between protecting public health and protecting consumers' privacy rights. The main concern for data protection authorities, however, is how far companies may go in requesting information from employees about their private lives. For instance, employers may want to know where an employee or applicant has travelled recently, whether the employee's personal acquaintances have been ill, and what symptoms the employee has. Employers might even want to require medical examinations in light of COVID-19, which we are currently seeing in the form of temperature checks at some organizations. There is no blanket rule that companies working to stop the spread of COVID-19, or acting for other reasons of public interest, may circumvent the GDPR or other privacy rules in their handling of this data.
WHAT IS OK
An employer may inform co-workers when an employee reports that they have tested positive for COVID-19 or have been exposed to someone who has, but the employer must not name the employee or describe them in a way that would allow colleagues to work out who it is.
Retention also matters. If a receptionist asks visitors to sign in and record their recent travel, or if temperature checks are carried out, the employer must keep that information only for a reasonable period and be able to delete it once that period has passed. The GDPR already expects companies to dispose of information once it is no longer needed, and that rule applies equally to COVID-19 related information.
Main takeaways to remember are:
- The GDPR allows both employers and public health authorities to process personal data related to COVID-19 where the circumstances justify it (such as the public interest), as long as the processing is carried out in a legally compliant fashion.
- Processing personal data may be necessary for an employer to comply with legal obligations it is subject to, for example in relation to health and safety in the workplace, or where the processing is in the public interest.
- Location data is governed by the ePrivacy Directive alongside the GDPR. Data that has been genuinely anonymized, so that no individual can be identified from it, falls outside the GDPR; location data that still identifies individuals does not, and an employer would need the individual's consent to use it. Article 15 of the ePrivacy Directive allows Member States to pass their own legislation restricting its protections for reasons of public security, and there may well be national measures permitting COVID-19 related data to be retained longer than normal, but as yet this has not happened.
- Data should still only be collected when necessary and for a specific objective and purpose.
- Confidentiality measures should be outlined to ensure personal data is never disclosed to an unauthorized person.
- Access to an employee's health data should be granted only where a legal obligation, such as one arising under employment or health and safety law, requires it.
- Employers should tell their staff about any potential COVID-19 exposures that they are made aware of in the workplace and take measures to protect employees while protecting the confidentiality of the employee who is ill.