Governments, as well as public, private, and voluntary organisations, are taking necessary steps to contain the spread and mitigate the effects of COVID-19, widely referred to as the ‘coronavirus’. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless, there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.
Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.
Organisations should also have regard to the following obligations:
There are a number of legal bases for the processing of personal data under Article 6 GDPR, and conditions permitting the processing of Special Categories of personal data, such as health data, under Article 9 that may be applicable in this context. Among these, the following may be relevant.
In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified.
Organisations processing personal data must be transparent regarding the measures they implement in this context, including the purpose of collecting the personal data and how long it will be retained for. They must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, easy to understand, and in clear and plain language.
Any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.
As with any data processing, only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
Controllers should also ensure they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.
Further information on COVID-19, including guidance for employers and the general public, can be found on the website www.hpsc.ie.
Those seeking more detailed information on Data Protection obligations can consult our guidance on the basics of data protection, ensuring than any processing is in line with the principles of data protection, and identifying the legal basis which justifies the processing of personal data.
The European Data Protection Board (EDPB) has also adopted a statement of the processing of personal data in the context of the Covid-19 outbreak, which provides further guidance on the lawfulness of processing and the special rules regarding the use of location data to monitor, contain, or mitigate the spread of COVID-19.
We have been asked a number of questions by organisations and employers about how they can ensure any measures carried out are compliant with data protection law; some examples include:
Can an employer require all staff and visitors to the building to fill out a questionnaire requesting information on their recent travel history concerning countries affected by the virus, and medical info such as; symptoms of fever, high temperature, etc?
As noted above, employers have a legal obligation to protect the health of their employees and maintain a safe place of work. In this regard, and in the current circumstances, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms.
Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.
There would be no data protection implications in bringing the HSE recommendations to the attention of staff and visitors, if they have recently travelled to an affected area and/or are experiencing symptoms, and requesting that they take any appropriate actions.
Any questions about the appropriate measures that should be implemented to protect against COVID-19 should be addressed to the public health authorities.
Can an employer request more specific details of their employee’s illness on medical certificates in light of the situation in relation to COVID-19?
While employers have a legal obligation to protect the health of their employees, employees also have a duty to take reasonable care to protect their health and the health of any other person in the workplace. In this regard, employers would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow the necessary steps to be taken.
However, it is important to keep in mind that the recording of any health information must be justified and factual, and must be limited to what is necessary in order to allow an employer to implement health and safety measures.
Employers should follow the advice and directions of the public health authorities, which may require the disclosure of personal data in the public interest to protect against serious threats to public health.
Employees should follow the advice of their healthcare practitioners and the public health authorities in these circumstances, who will instruct them as to what they need to do if they present symptoms of COVID-19
Can an employer send employees home from work if they are confirmed to have the virus?
Employers have a duty of care to employees to provide a safe place of work, which may require them to exercise discretion regarding access to premises. In a situation where an employee has confirmed that they have COVID-19, advice should be sought as a matter of urgency from the public health authorities as to what steps should be taken.
The decision to send employees home from work is not a data protection matter and may have other consequences for employers relating to employment law e.g. entitlement to sick pay.
Can an employer disclose that an employee has the virus to their colleagues?
This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID 19 in the organisation and requesting them to work from home. This communication should not name the affected individual.
Disclosure of this information may be required by the public health authorities in order to carry out their functions.
Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19?
The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19.
Members of the public should appreciate that frontline and critical services organisations such as healthcare providers, government departments, in particular the Department of Employment Affairs and Social Protection, Revenue and local authorities may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. Educational bodies such as schools and universities, and private sector organisations may be closed or have reduced capacity so that responding to requests may be significantly delayed. We ask you to bear this in mind in the event that you experience any such understandable delays when dealing with these organisations or considering making a complaint to the DPC. We also remind you to please be as specific as possible in relation to the personal data you wish to access. Where a complaint is made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.
We appreciate that many organisations, especially frontline and critical services organisations such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. We are very alive to the unprecedented challenges facing organisations and the need for a proportionate regulatory approach in response to these extraordinary circumstances.
Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity and number of requests.
Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.
Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.
While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.