Governments, as well as public, private and voluntary organisations around the world, are taking all the necessary steps to avoid the further spread of COVID-19 and in turn attempt to mitigate its effects on the general population.
Such attempts blur the line between the private and non-private life of an individual and also require the processing of special categories of personal data, such as health data. Under normal circumstances, such processing is disallowed, however the General Data Protection Regulation 2016/679 (‘GDPR’) allows for the processing of such data in exceptional circumstances, where it is ‘essential for the data subject or that of another natural person’ that such data be processed.
Despite this exception, data controllers are not given a carte blanche to interpret data protection laws as they wish and they must safeguard the rights of the data subjects.
1. On which basis can authorities process my health data?
Authorities may need to collect health data for either strategic planning, the tracking of possibly infected individuals and for the provision of advice to be given to any affected party.
As opined by the European Data Protection Board (‘EDPB’), in its statement related to data processing in relation to the COVID-19 outbreak, Article 6 and Article 9 of the GDPR allow for the processing of special personal data seeing as such data is ‘necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…’
In general, recognised public health authorities have the right, more than ever to process the data subjects’ special person data.
2. Can my employer process my health data?
The Maltese Office of the Information and Data Protection Commissioner issued a statement emphasizing that data controllers must ensure lawful processing and must adhere to the instructions issued by health authorities to prevent the spread of COVID-19. However, so far within a local employment context, no specific guidelines vis-à-vis the treatment of personal data by employers during the COVID-19 pandemic have been issued. To note is the Special Leave Entitlement Regulations (SL 452.101), which provide that when an employee is legally required to observe mandatory quarantine, an employer is entitled to request documentation from an employee on their return to work. Despite this, it is presently unclear what type of documentation the employer may request.
On the other hand, in its updated statement of the 19th of March 2020 the EDPB further explored the processing of health data by employers and stressed the importance of applying the principles of proportionality and minimisation when collecting and processing such data. In its statement, the EDPB suggests that if an employee is infected with COVID-19, an employer may disclose such information to staff members in order to take the protective measures necessary. However, an employer must not provide more information than is necessary. Additionally, the EDPB opines that employers may obtain any information collected on the employee in relation to COVID-19, only to fulfil their duties and organise work.
What are other countries doing?
Belgium has adopted a proactive approach and the Belgian Data Protection Authority (‘APD’) issued a comprehensive guidance note which aims to strike a balance between the employer’s rights to maintain safety of the workplace and the employee’s rights to privacy. Indeed, employers may not conduct generalized and systematic checks on employees (e.g. temperatures) and medical checks may only be carried out by the occupational physician in cases where the employer ‘presumes’ that an employee has been exposed or presents symptoms of COVID-19.
Moreover, employers cannot require an employee to fill out a form about that employee’s health situation or recent travels. The APD recommends encouraging employees to voluntarily communicate symptoms or recent travels to risk areas to the occupational physician. An employer may not disclose the names of infected persons to the other employees. The employer may however communicate to the other employees that an employee was infected without mentioning his or her identity.
On the other hand, the State Data Protection Inspectorate of Lithuania issued guidance allowing employers to collect several special categories of personal data sets including, whether an employee:
- travelled to an affected country;
- was in contact with a person traveling to an affected country or a person who has or had the coronavirus;
- is undergoing voluntarily quarantine without a just reason; and
- is truly ill.
3. Are there any privacy implications when teleworking?
Monitoring of employees whilst teleworking may create privacy issues depending on the manner in which such monitoring occurs. The employer may adopt several monitoring measures ranging from monitoring the VPN usage and installing programmes which keep track of the work being carried out, however the employer must employ such tools in a proportion manner.
Notions previously discussed at a European Court of Human Rights level may be thrown once more into the spotlight due to the forced morphing of the private and non-private life when working from outside of the workplace. Thus, matters pertaining to monitoring the employee at the workplace, as debated in the Bărbulescu v. Romania case, may take on a different meaning, when the workplace is the private home of the data subjects.
Cybersecurity considerations when teleworking
The European Union Agency for Cybersecurity (‘ENISA’) has issued informal guidance relating to cybersecurity when working remotely, including having a secure WIFI connection, a fully updated anti-virus system, encryption tools, periodic backups and up-to-date security software.
Employees should moreover be careful when taking internal, restricted or highly restricted physical information away from the office premises. In such cases, it would be wise to consider whether one needs to take such documents home and to determine whether or not such documents could be securely stored in order to prevent a third-party access. Additionally, it would also be wise to dispose of such documents securely, either by shredding them or by disposing them when back at the office.
4. What are my rights?
As aforementioned, it is important to note that the right of the competent authorities and employers to collect personal data is not absolute and comes with limitations and conditions. Personal data that is necessary to attain the objectives pursued, which is that of monitoring COVID-19 cases to prevent an outbreak and safeguarding the health of others, should only be processed for specified and explicit purposes. This would include the compiling of statistics and determining what measures need to be taken to further manage the situation.
Data subjects, moreover, are to receive transparent information on the processing activities that are being carried out. Retention periods for collected data and the purposes of the processing should also be provided. Additionally, the information provided should be easily accessible and provided in clear and plain language.
Data controllers should implement adequate security measures and confidentiality policies which would in turn ensure that the personal data processed is not disclosed to unauthorised third parties. The measures adopted to control the present emergency and underlying decision making is to be properly documented.
Article written by Dr Bernice Saliba and Legal Trainee Ms. Emma-Marie Sammut.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.