As noted by Dr Andrea Jelinek, chair of the European Data Protection Board (the “EDPB”), in a statement released on 16 March 2020, laws pertaining to the protection of personal data are not intended to create unnecessary obstacles in the global effort to combat the spread of the coronavirus pandemic. That being said, laws such as the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta) (the “DPA”) must be adhered to even during the present challenging times.
Certain collection and processing of personal data for COVID-19 purposes may be necessary for a company to identify (and subsequently reduce) specific risks to which the organisation is exposed. This type of collection may include, for example, systematic data collection through workplace questionnaires or obliging employees to report their travel plans to the company’s HR department. The onset of COVID-19 may have led companies to begin processing personal data which they had not been processing previously, meaning that the organisation needs to re-assess its processing practices in order to ensure that it is processing this ‘new’ personal data in a lawful manner.
On 20 March 2020, the Information and Data Protection Commissioner (the “IDPC”) issued a statement on the processing of personal data in the context of COVID-19. The IDPC stated that controllers must process personal data in a lawful manner and properly follow data protection obligations and requirements. The statement goes on to say that “the IDPC encourages all controllers to comply strictly with the instructions provided by the public health authorities to prevent the spread of the COVID-19, including any processing of personal data as necessary in compliance with national laws”. However, controllers must also ensure that they implement appropriate measures to secure processing operations in order to achieve the right balance between the need for processing health data and the rights of data subjects.
We have prepared a concise set of guidelines directed at private and public companies in order to assist such companies in the processing of personal data pertaining to their employees or their customers. The guidance below applies irrespective of COVID-19 but the present crisis has highlighted the need for companies to ensure that they are processing certain sensitive personal data in a GDPR compliant manner.
The Type of Personal Data being Collected – Special Categories of Personal Data
We have seen an increase in entities asking employees or customers to provide organisations with data pertaining to a person’s health or medical history. Examples include body temperature checks and swab test results. Entities must be aware that, when processing data concerning health, the starting point is that the processing of special categories of personal data (such as data concerning health) is prohibited.
If the entity determines that it is fundamental that this type of personal data is processed, such personal data may only be processed in reliance on at least one lawful basis under article 6 and at least one of the conditions under article 9 of the GDPR. If the entity is not able to rely on such bases, the processing of this personal data is being carried out in breach of the GDPR.
In any event, all categories of personal data must always be processed in line with the principles of processing and the processing of personal data should be reduced, eliminated or anonymised where possible.
Appropriate Lawful Bases of Processing in the Context of Health Data
With regard to the lawful basis for processing, consent to process such personal data would generally not be an appropriate basis for employees, given the imbalance of power in the employment relationship. Consent may be applicable for the collection of this type of personal data relating to customers, provided that the processing of such data is not tied to the service being offered and the consent is collected in accordance with the GDPR’s requirements. Reliance on consent is, however, an onerous task given the formalities tied to this lawful basis of processing, such as the method of collecting opt-in consent and the right of the data subject to withdraw consent at any time.
Interestingly, the Belgian data protection authority has stated that reliance on the protection of vital interests of the data subject or of another natural person (such as a family member) is not an appropriate lawful basis in this context.
In light of the above, entities would need to ensure that they are relying on one of the other lawful bases, being either contract (if the requirement to process such personal data can be incorporated into the contract with the data subject), legal obligation (if the data processing entity is subject to an obligation set out at law to process this type of personal data, such as health and safety laws and possibly specific requirements, such as eligibility for mandatory quarantine leave), or the legitimate interest of the controller to process that personal data. When relying on legitimate interest, it is advisable for companies to carry out legitimate interest assessments to confirm that the interests of the company are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This is particularly important where the data subject is a child.
Simultaneously, a company processing health data would also need to justify doing so on one of the bases in article 9 of the GDPR. To this end, we are of the view that the bases which may apply in this scenario would be that processing is necessary for either:
- reasons of substantial public interest, on the basis of Union or Member State law which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; or
- reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
It is debatable whether the Legal Notices that have been passed to-date in response to COVID-19 impose an obligation upon data controllers to process such special categories of personal data in reliance on the aforementioned articles. The situation may be said to be somewhat different in the insurance sector given that specific regulations provide that entities carrying out the business of insurance (as defined by the Insurance Business Act, Chapter 403 of the Laws of Malta), may process personal data pertaining to health where:
- such processing is necessary and proportionate for the purposes of a policy in the business of insurance;
- the data controller cannot reasonably be expected to obtain the consent of the data subject; and
- the data controller is not aware that the data subject is withholding consent.
Plan of Action for Data Processing Entities
We have noticed that companies have implemented (whether intentionally or not) different methods of processing personal data in order to stop the spread of COVID-19. One of the ways in which companies are collecting personal data for this purpose is by implementing policies. These policies raise employees’ awareness of what the company expects them to do when handling personal data while working from home, as well as what to do if they suspect that they, or their colleagues or family members, are ill. Another method that companies are using is the constant monitoring of their workers or customers, whereby the company asks its employees or customers to actively provide sensitive information to the company in order for the company to manage its risks.
The French and Italian data protection authorities have stated that companies should avoid active monitoring of employees and have encouraged companies to implement policies and procedures which their employees must adhere to. A substantially different approach was taken by the Hungarian data protection authority, which is encouraging employers to advise their employees to report any possible COVID-19 risks to them. The IDPC’s position on this subject remains to be seen. However, it is our view that the implementation of policies and procedures would be the cleanest route, as the company would have control over the personal data that is being collected as well as the way in which its employees are handling it. Where active monitoring of employees is taking place, this must be done in compliance with the GDPR. In particular, the data subjects must be informed of the monitoring being carried out.
Furthermore, controllers need to pay attention to the technical and organisational measures that they have implemented to ensure the protection of personal data, in light of the fact that many employees are working from home. Physical and electronic copies of documents may be stored throughout a person’s household or on their personal computer, rather than at the office or on the company’s systems. The risk of a data breach occurring may be heightened in this regard, especially if employees are working on their own private Wi-Fi networks, which may not be as secure as the company’s. Controllers should undertake an assessment of the technical measures that are in place and determine whether those measures are appropriate to satisfy the GDPR’s requirements.
We would advise data processing entities to undertake the following exercises to re-assess whether their data processing practices are in line with the GDPR’s requirements:
- Review privacy notices (both employee and external);
- Conduct legitimate interest assessments where legitimate interest is being relied upon as a lawful basis;
- Implement policies to provide direction to employees so that they are aware of what the company expects them to do when handling personal data while working from home, as well as what to do if they suspect that they, or their colleagues/family members, are ill;
- Stick to deadlines (relating to data subject rights and breach reporting) as much as possible. If any deadline needs to be extended, provide written reasons as to why this is the case and be sure to document such reasons internally;
- Establish appropriate reporting lines to handle employee concerns and harassment complaints;
- Outsource employee health checks to professionals or request employees to be responsible and carry out checks themselves (e.g. temperature checks);
- Follow relevant health authority measures and avoid imposing measures which are more stringent than those instructed at law or by local authorities;
- Draft specific codes of conduct to discuss the health status of employees and particular measures that shall be taken in respect of COVID-19 prevention measures;
- Record the new processing operations which the company must unavoidably undertake at this point and update the registers of data processing activities; and
- Increase the involvement of Data Protection Officers.
Controllers and processors are reminded that infringements of the GDPR may result in fines of up to €20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher. Companies should also note that their data processing activities are not only subject to the scrutiny of the IDPC, but they may also face investigations or audits by supervisory authorities located in other Member States.
For more information and any assistance required, kindly contact us on firstname.lastname@example.org and email@example.com
Kindly note that the above is not a substitute for legal advice and only sets out our generic views, which are likely to change when assessing specific circumstances.