With Italy in lockdown, travel significantly restricted and interest rates cut again to a historic low, all in an attempt to tackle the global emergency, the commercial and practical implications of the outbreak of coronavirus (COVID-19) on day-to-day life are becoming increasingly apparent.
In response, organisations are rightly implementing various measures to detect and prevent the spread of the virus across their premises, workforce and supply chains.
Whilst these measures are important in the context of a health crisis, they often involve the collection and use of individuals' personal information, and as such, may give rise to data protection implications that should be borne in mind.
For example, an organisation may need to ask individuals where they have travelled or if they are suffering any symptoms of coronavirus. These questions will not only apply to an organisation’s employees, but also its customers, suppliers and visitors.
In this article, we consider what information an organisation can collect in relation to coronavirus, how that personal information can be used and to whom it can be disclosed.
Data protection principles
Under the General Data Protection Regulation (“GDPR”), as implemented in the UK by the Data Protection Act 2018, organisations must comply with the data protection principles.
In the context of coronavirus detection and prevention, the most relevant of these include that:
Personal data must be used lawfully, fairly and in a transparent manner;
Organisations must only collect personal data that is necessary; and
Personal data should not be kept for any longer than necessary for the original purpose for which it was collected.
Additional rules also apply to the collection of health data, which is considered further below.
For personal data to be used lawfully, organisations must identify the legal basis for using the personal data. Whilst this should be done on a case-by-case basis, in the context of detecting and preventing the virus, the most appropriate basis will likely be that the organisation has a legal obligation to collect and use the information (for example, under health and safety laws), or that it has a legitimate interest to do so.
There are a number of other legal basis to use personal information, such as consent from the individual, but these would not generally be appropriate in these circumstances. In particular, guidance issued by the Information Commissioner’s Office makes it clear that an employer will struggle to obtain valid consent from its employees, on the basis that the consent cannot be freely given in an employer-employee relationship.
If an organisation is relying on having a legitimate interest in collecting and using certain information to manage the spread of coronavirus, then it will also need to consider the potential privacy impact on the individuals in question. It would be advisable to undertake a legitimate interest assessment to assess the organisation’s legitimate interest as against the impact on the individual in question.
Under the GDPR, organisations are required to inform individuals, amongst other things, about how and why their personal information is being collected and used. This is typically communicated through privacy notices.
Where an organisation is collecting and using additional information in the context of coronavirus, it would be prudent for organisations to update their privacy notices to include reference to this further information, or issue new privacy notices to specifically address coronavirus-related personal data, if appropriate.
Only collect necessary personal data
Organisations should not collect more personal data than they actually need for the specific purpose. As such, in these circumstances, organisations should only collect the minimum amount of information required to assess the situation and the risk involved.
For example, it is likely that collecting the following data would be necessary under the GDPR:
- Information about recent travel to an affected area;
- Whether the individual has been advised to take any precautionary measures;
- If an individual has come in contact with anyone who has been to an affected area; and/or
- Any symptoms of coronavirus being experienced.
However, organisations who ask an individual for the names and details of the people they have been in contact with, or for copies of an individual’s medical records, are likely to be considered disproportionate in the circumstances.
Likewise, implementing medical tests for employees or other persons on the premises (such as temperature scanning) may give rise to potential issues under the GDPR, so the impact on the individuals in question should be carefully assessed before proceeding with any such measure.
Retention of personal information
Organisations must only retain personal information for as long as they need it for the original purpose. As such, if personal information (such as travel history) has been collected to detect and prevent coronavirus, then it should only be retained as required for that purpose.
Whilst no one can predict how long coronavirus is likely to continue, organisations should update their retention policies and registers to make reference to any additional coronavirus-related data being collected by the organisation.
Under the GDPR, in addition to the main data protection principles, special rules apply to the collection and use of health data. “Health data” would include anything that relates to a person’s physical or mental health, and therefore will include medical records and information about a person’s symptoms.
The collection and use of information about a person’s health is generally prohibited unless – in addition to having a legal basis as referred to above – the organisation can demonstrate it has satisfied one of the further conditions under the GDPR relating to “special categories of personal data” (which includes health data).
In the context of coronavirus, these conditions are likely to include:
- Collection and use of health data is necessary to exercise rights in the field of employment in so far as it is authorised by UK or EU law (for example, under health and safety laws);
- Collection and use of health data is necessary for reasons of public interest in the area of public health on the basis of UK or EU law; or
- In exceptional circumstances, collection and use of health data is on the basis of the individual’s explicit consent (although note the comments above in an employer-employee relationship).
As such, organisations need to think carefully about the above grounds before collecting health data (such as asking for description of symptoms).
Disclosure of coronavirus-related personal data
An organisation can disclose coronavirus-related personal data if strictly necessary or required by law.
Any disclosure of such personal data must be carried out in compliance with the principles set out above and the other requirements of the GDPR. Organisations must also take steps to ensure that the person or company to whom the coronavirus-related personal data is being disclosed has proper measures in place to maintain the security and integrity of the information disclosed. Where appropriate, this should be documented through a data sharing or data processing agreement.
Whilst it is anticipated that data protection compliance may not be the immediate concern for organisations taking measures to detect and prevent the spread of coronavirus, it is important that any procedures and processes being implemented take into account the requirements of the GDPR to avoid further risk.
If you have any questions regarding the above, please feel free to contact Alex Saunders in the Corporate and Commercial Team on 01603 281141 or at email@example.com.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.