Coronavirus and the GDPR – keep calm and carry on?
Amy Lambert at Fieldfisher in London explains the data dos and don'ts for companies as they deal with the coronavirus crisis.
Covid-19 is sweeping across the globe. It is highly contagious, and those infected may not show symptoms during its early, infectious stages. This makes it very important, for public health reasons, that people who are exposed to this virus are made aware that they have been exposed and that early steps are taken to mitigate viral spread.
However, this is where the GDPR and public health could be seen to be at odds. How do you protect the privacy of people who have been infected by covid-19, while still usefully informing those who have been put at risk? At a time of public health emergency, shouldn't the GDPR take a back seat?
As companies struggle to get new processes in place to cope with the potential ramifications of covid-19, we aim to highlight how EU data protection law applies to this unusual set of circumstances. Our top tips for ensuring data protection compliance in the age of coronavirus are as follows:
Don't give in to the panic factor – the law is the still the law
Yes, businesses may need to collect and use personal information about their employees to enforce their coronavirus protocols and to best advise their employees on how to limit the employee's risk of exposure. However, it is important not to forget that, although this could be a time-sensitive issue, the requirements of data protection law will still apply to any personal information that a company uses for these purposes.
Health information is sensitive information: What are you collecting, and why?
Under the GDPR, information about health is a "special category of personal data", which attracts a higher degree of protection. This means that to lawfully collect and use information about its employee's health, the company will need to satisfy a ground under article 9 of the GDPR.
In the UK, the most useful ground to enable an employer to protect its workforce in relation to coronavirus will likely be article 9(2)(b) ("employment, social security and social protection") of the GDPR. This is because, in the UK, there is a requirement under the Health and Safety at Work etc Act 1974 for companies to take reasonable steps to look after the health, safety and welfare of staff. As such, it is reasonable for businesses to collect certain information (such as information about a confirmed diagnosis) as part of the company's general duty to safeguard health and safety. Indeed, the concept that employers may have a role to play in relation to coronavirus has been highlighted in the UK's recent guidance for employers and businesses on dealing with covid-19.
However, there is still a limit as to what information employers should try to collect about its employees or visitors for the purposes of health and safety. The UK guidance makes it clear that although employers will undoubtedly interact with their employees in relation to coronavirus, this is typically more to do with information provision and assistance to employees, rather than collecting information for a pre-emptive coronavirus strategy. Instead, it is the UK’s National Health Service and other health professionals that should be responsible for identifying cases of contagion and advising on appropriate steps for the business to take in response.
This separation of roles has also been reinforced in recent guidance released by the Italian data protection regulator, which highlights that businesses cannot force employees or visitors to disclose information about the presence of coronavirus symptoms. Instead, the Italian regulator highlights that any actions for the purpose of preventing the spread of coronavirus must be carried out by individuals who have the correct qualifications to do this (such as doctors or medical institutions).
As the progression of this virus continues, businesses should stay abreast of updates from their governments, as governments may introduce additional local law requirements or guidance in relation to how businesses are permitted, or expected, to continue operating.
Does this mean that I can't collect information about coronavirus to help guide my business through the crisis?
No. If a business is collecting information to help it respond to the coronavirus crisis to protect the health, safety and welfare of its staff, this will typically be acceptable under article 9(2)(b) grounds and can be done with a "do first, ask later" mentality (see above) or, in rare circumstances, under article 9(2)(c) ("vital interests"). Employers may also be able to rely on article 9(2)(h) GDPR ("health and social care") to help manage employee absences resulting from coronavirus. However, if the business is considering from a commercial perspective how best to position itself generally to deal with the outbreak, it may need to rely on other grounds under article 9 to try to justify its activities; this can also increase the business' compliance burden.
For example, if attempting to rely on substantial public interest grounds under article 9(2)(g) to use health-related information about coronavirus, a business would be expected to carry out a legitimate interests assessment to ensure that its legitimate interests are not outweighed by the rights and freedoms of the individual. This makes sense: this isn't health and safety firefighting or crucial management planning, this is considered commercial positioning.
Who needs to know? Protect your employees' personal information
A company must protect the personal information that it holds to an appropriate standard. Where information collected about its employees in relation to coronavirus (particularly health information) is concerned, the business will be expected to protect this information to a higher standard than the general business-as-usual information that it collects and uses about its employees. Access to this information should be restricted to a need-to-know basis and should not be more widely shared. Do not name names about infected employees, unless this is strictly necessary.
Offer your staff an easy route to provide you with updates about their coronavirus status. Consider offering a coronavirus hotline, so there is a clear reporting line (manned by individuals subject to appropriate confidentiality provisions) that staff can use to call in to report any concerns they have about coronavirus. This will help to keep the reported information (as well as the virus) from spreading.
Data minimisation still reigns supreme: set a clear protocol to collect only what you need
A fundamental principle of the GDPR is data minimisation – that no more information is collected than is required for the stated purpose. In relation to coronavirus, it could be tempting to push the boat out and ask for all sorts of information about your employees – for example, if you are concerned they could be an infection risk due to their friends' friends' friend currently returning from a coronavirus hotspot. Don't give in to temptation. Be sensible when asking employees to provide personal information about their likelihood of risk and don't ask for more than you genuinely need. If you receive information from an individual that is not relevant to the pertinent issue, delete it.
Transparency is key
As with any use of personal information, it should be clear to the individual why the business is collecting their information, how it is being used and what the employee's rights are in relation to the same. If the business finds that it needs to collect new data types to specifically deal with a coronavirus issue, do not forget to notify employees about this. Provide an update to your employees explaining what new information is required and how it will be used, so your workforce knows what to expect.
If you are sending internal comms to your workforce about the virus, again, do not mention any individuals who may have been infected by name. You may find that you need to send tailored comms to staff where you have identified that they are at risk of infection – again, keep this email (and who is intended to receive it) confidential.
Keep your information accurate
Another underlying principle of the GDPR is data accuracy. In relation to coronavirus information, make sure that you keep accurate records. Not only is this a requirement of GDPR, but out-of-date information is likely to undermine the effectiveness of the coronavirus procedures that you are trying to put in place.
Global companies: don't forget about your international data transfer mechanisms (and top them up if need be)
Companies that operate internationally may also want to share information collected about their employees and their coronavirus risk across the company group, to take a collective view on how best to respond to this illness. However, the GDPR requires that personal information that is transferred outside the EEA be protected by appropriate safeguards. Make sure that any transfers to company offices outside the EEA are still handled appropriately. In addition, if your company group headquarters are outside the EEA, the same protections discussed here should be considered both at the headquarters level and in relation to any onward company-wide dissemination.
If the business does not have a GDPR international data transfer mechanism in place (or if this does not cover the intended coronavirus information), the business will be restricted from sharing the personal information among its group. In such case, as a short-term solution, the company should look to enter into EU standard contractual clauses between all relevant group entities to permit the transfer.
Delete what you don't need
GDPR requires that personal information is deleted once it is no longer required for the purposes for which it was collected. To this end, a company should be sure to delete any information it has collected in relation to coronavirus, once the threat has passed.
Where does this get us? To summarise: when it comes to using information about employees for the purposes of dealing with (or pre-empting) the coronavirus outbreak, the golden rule is that the position under the law has not changed. Although this is a novel factual scenario, the same considerations will apply. Businesses should ensure that they have the right policies and procedures in place, so they can process this information in compliance with the law. Put another way – keep calm, and carry on.