The Coronavirus and the Covid-19 illness predominantly pose challenges in the scientific world. However, their unprecedented impact on many other fields should not be underestimated. Indeed, almost two years after the entry into force of GDPR, the coronavirus crisis tests the applicability of GDPR in times of a health emergency.
A lot of health and health-related data is generated and processed by various authorities and private entities. How is this processing governed by GDPR?
Personal data categories related to the coronavirus pandemic
GDPR distinguishes between two types of data – personal data and special categories of personal data. The latter term is used to describe more sensitive data, the processing of which is in principle prohibited, unless one of the specific exemptions listed in GDPR applies.
Broadly speaking, in relation to the coronavirus, personal data would be data related to one’s recent visits to a foreign country in which a high number of the coronavirus cases were diagnosed or the fact that a person was in contact with persons diagnosed with or otherwise affected by the coronavirus.
As for the special categories of data, they would include information concerning the status of a person as affected by the virus or not, the obligation imposed upon such a person to remain at home due to the illness, any symptoms or clinical findings of illness.
Limitation of the scope of application of GDPR to data processing
GDPR is applicable in cases where personal data is processed by automated means, forms part of a filing system, or is intended to form part of a filing system. As a result, verbal notifications (such as an employee calling their employer to take sick leave due to fever and cough) would not fall within the scope of GDPR. This is because such notifications, while containing personal data, are not a part of a filing system and are processed by non-automated (manual/verbal) means.
Furthermore, GDPR only applies to personal data of living persons: it does not apply to the deceased. Therefore, reporting on the casualties of patients infected by the coronavirus is not limited by GDPR. In fact, the general principles of data protection and the need to preserve public health could mean that the disclosure of elements which identify persons who died as a result of the coronavirus might be needed for the protection of the living. In particular, such information could help protect living persons who have come in contact with the deceased. This is regardless of any rights that may arise from human rights law.
Processing of personal data related to the coronavirus by various entities
1. Public authorities
The crisis caused by the coronavirus might require the public authorities to process personal data of persons affected by the coronavirus. Public authorities would need to process such data in order to perform their tasks and protect public health, for example. The data processed could include contact details, names and in some circumstances also a description of one’s symptoms. This would be the case when the NHS or health professionals message, text or email people about public health, as long as these messages do not constitute direct marketing.
If and where possible, public authorities should process personal data related to the coronavirus after the data has been pseudonymised, which increases the safety of such processing.
In certain circumstances, employers are allowed to process personal data of employees related to the coronavirus. While numerous Data Protection Authorities in European countries (e.g. UK, France, Greece) have warned against excessive data collection by employers, it is also recognised that employers have a duty of care towards their staff which can justify their inquiries about the coronavirus symptoms among their employees.
It is important, however, that employers process such data only where necessary and in a manner proportionate to the aim they want to achieve. For instance, an employer might need to keep staff informed of any confirmed cases within their organisation. At the same time, it might not be necessary to provide the names of affected employees.
Some companies introduce privacy-intrusive steps, like registering temperature measurements of the employees, which raises concerns in relation to GDPR compliance. It seems that they should only be applied on an exceptional basis and when absolutely necessary to protect public health.
However, it is interesting to note that undertaking some protective steps which at first glance may seem very privacy-intrusive might not always be related to data processing. For instance, measuring one’s temperature doesn’t always mean processing personal data: if it is done at the entrance to the company, and access is allowed or denied to the person based on the measurement, yet no register or verification of identity is conducted, no personal data is processed.
Most Data Protection Authorities state that informing public opinion about the epidemic threat is needed. At the same time, data protection principles shall be followed, and only data that is necessary to keep the public informed should be disclosed.
It is clear that these principles are interpreted in different ways by different media in various European countries. In some countries, for instance, only the daily number of new cases is provided, while in others, more geographical specifications or personal identifiers of affected persons are disclosed – such as their professions, age or recent travel details.
The situation is different if a person voluntarily discloses their health status: in such a case, processing of that data by third parties is lawful, since it has been made manifestly public by the person concerned.
Personal data related to the coronavirus, like any personal data, should not be processed in a manner incompatible with the purposes for which they were initially collected, and the processing should be necessary and proportionate for that purpose.
Many Data Protection Authorities underline that data protection laws should not be used as an obstacle to actions aimed at combatting the coronavirus threat. Therefore, the right to personal data protection may be subject to restrictions for the protection of other fundamental rights such as the right to health.
Sources: GDPR, websites of Data Protection Authorities in Poland, Germany, France, Greece and the UK
Spark Legal Network, 02/04/2020