The invasiveness of these measures varies from jurisdiction to jurisdiction. Some governments have asked people to download apps to enable contact tracing. Others are using geo-fencing technology to make sure people stay within the “fence”. At the other extreme, details of infected peoples’ age, gender, and their most recent location have reportedly been broadcast via text message to anybody within a particular radius. The response has been spurred by national interests and to date has not been coordinated. The European Commission and European Data Protection Board are working to coordinate app development and related issues and have issued guidance (respectively) on the use of personal data to help contain the virus, with a view to increasing uniformity. Unfortunately, early iterations of some apps have led to suspensions due to security, adoption and privacy concerns.
While governments may be able to rely on national security or public interest exemptions under local data protection laws to collect and share personal data during times of crisis, individuals are increasingly concerned about how their personal data may be used, with whom it may be shared and the impact on their rights. The spectre of stigmatisation is already evident. There is also a longer-term concern as to how some of these increased collection measures will be “rolled back” once the crisis ends, or indeed if they will be reduced at all.
Data Protection Rights and Obligations
For most European-style data protection regimes, personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual. Personal data holdings should not be excessive in relation to the purposes for which the data was collected and should be securely purged once those purposes have been fulfilled. If personal data are processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so which has been notified to the affected individual.
Data protection laws generally give individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Businesses are obliged to cease processing personal data once the purposes for which that data has been collected have been exhausted. Data retention periods vary, but each data controller must determine for how long data should be kept and ascertain how they might be securely deleted once the purposes for holding the data have been satisfied (in this case, once the crisis ends).
Where personal data holdings are shared between parties, contractual or other provisions should be put in place between the data controller and the third party processor to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that incident response plans are in place in the event of a data breach. Use of subcontractors by the service provider without the prior approval of the data controller should be prohibited, particularly where international transfers of data are involved.
As lockdown restrictions are eased and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe. Those measures are likely to further impact the use of personal data. Some of the scenarios most frequently asked about by employers are considered below.
Can I use temperature checks or thermal cameras to monitor staff and members of the public for symptoms?
Generally, European-style data protection laws, including the General Data Protection Regulation (GDPR) do not prevent you from taking steps to keep your employees and the public safe, but they do require you to be responsible with the personal data you collect, only collect what is required and ensure it is handled with care. As you will be processing information that relates to an identified or identifiable individual, data protection laws will bite. Personal data relating to health is generally classified as “sensitive personal data” or, under the GDPR, as “special category data” and therefore attracts additional levels of protection.
When deciding whether to use more intrusive technologies, especially for capturing health information, you need to carefully consider the purpose and context of its use and be able to justify using it. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. Can you achieve the same results through other less privacy-intrusive means? If so, then the monitoring may not be considered proportionate or appropriate. A data protection impact assessment is vital in helping to determine what methods may be most effective and proportionate, taking into account the circumstances of the business and its employees.
Protecting legitimate business interests and complying with legal requirements to provide a safe working environment for employees are likely to be potentially appropriate legal grounds for carrying out such checks, however consider whether less intrusive measures may be more useful, taking into account government guidance on measures to combat the spread of the virus.
How often should I check for symptoms?
This will depend on the social distancing and other measures that your organisation needs to put in place. Any testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to their specific role and the circumstances.
As an employer, and therefore a data controller for your employees’ health information, you will need to decide the appropriate length of time between tests. For front line staff who interact with the public and those who may be more vulnerable, more regular testing may be appropriate. Consider also any relevant government guidance on incubation periods and related matters.
You also have a responsibility to ensure that you hold accurate personal data. The health status of an individual may change over time, so if you record the results of any checks, you should ensure those records are accurate by including the date and time of any result. Any decision to send staff home or otherwise impact their employment should be based on factually accurate information available at the time the decision is made.
Can I keep lists of employees who were previously symptomatic or who tested positive?
Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of staff. For example, any decision based on inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time, may be unfair.
Any such lists should only be retained for as long as they are needed to serve their purpose and should not be used for any other purposes. Consider any local government guidance on this aspect also, as further scientific knowledge around incubation periods is emerging over time.
Can I use CCTV or other recorded images to assist with contact tracing?
The analysis of recorded images could assist with contact tracing. You should assess whether this is necessary in the specific circumstances. Analysis of CCTV footage could reveal sensitive aspects of an individual’s behaviour. Employees have legitimate expectations that they can keep their personal lives private, so you should consider speaking to the individuals who would be affected and providing advice on appropriate measures such as self-isolation. Your approach should be guided by your existing employee monitoring policy.
How do I avoid collecting too much data?
For special categories of personal data, such as health data, it is particularly important to collect and retain only the minimum amount of information you need to fulfil the stated purpose.
In order not to collect too much data, you must ensure that the data collected are:
- sufficient to properly fulfil your stated purpose;
- relevant and have a sensible link to that stated purpose; and
- limited to what is necessary – you should not hold more data than you need to fulfil that purpose.
A person’s entire medical history is unlikely to be reasonable if in fact all that is required is a temperature test (for example).
Privacy should not be a casualty
As a result of the COVID-19 pandemic, most people accept and appreciate the need for extraordinary steps to protect the most vulnerable and the community at large. The measures being developed in response to the virus must, however, take privacy issues into account, have one eye on the long-term use of the data being collected, and ensure privacy is not another casualty of the crisis.
Appleby will shortly be launching its Offshore Data Protection Guide. The guide will provide a detailed overview of the data protection and cyber security regimes in eight of the world’s leading offshore jurisdictions. As the first dedicated offshore data protection publication, the guide will provide quick linked answers to some of the most business-critical issues. For more information on the guide, or to be added to the distribution list, please contact us.