While contact tracing can be vital to helping control the spread of a disease, it can also raise significant personal data concerns. During this process, information is gathered and potentially shared amongst employers, health officials and government agencies. This might include information such as a person’s health data, address, family members, employment details, travel schedules, and even personal contacts. To what extent can this personal information be gathered? Is consent required? How long will it be kept? What rights and protections does an individual have regarding such data that has been collected?
As things currently stand, here is a snapshot of how several governments are dealing with data protection concerns with respect to COVID-19 data gathering:
Generally, members of the EU are required to comply with the GDPR. However, Article 6 of the law allows for processing of data without consent in special cases, including cases where “processing is necessary for the performance of a task carried out in the public interest…” Article 9 prohibits processing of many categories of personal data (such as race, ethnicity, genetic and health) unless a specific exception is met. One such exception is when processing is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…”
As COVID-19 and GDPR priorities begin to intersect, we are starting to see data protection authorities in EU countries issue data processing guidance and even pass emergency measures allowing for data processing by governmental personnel in order to track and combat the disease.
Italy’s civil protection department passed Decree 630 of 3 February 2020 (these provisions also being included in Decree-Law 14 of 9 March 2020), which essentially suspends certain data protection rights in order for various entities to process personal data in carrying out civil protection activities to fight the disease. This is effective until July 30, 2020, unless otherwise provided for.
France’s CNIL issued guidance outlining what organizations and employers can and can’t do with respect to processing personal data during the coronavirus crisis.
Ireland’s Data Protection Commission issued supervisory guidance on March 6, outlining rights and obligations of personal data processing by governments and organizations (including employers) during the crisis.
In Denmark, the DPA published brief guidance on personal data that is justifiable for employers to collect and share, in connection with the coronavirus.
To help protect personal data during the coronavirus outbreak, the National Health Commission of China and the PRC Cyberspace Administration of China (CAC) have issued notices and circulars providing guidance and outlining requirements with respect to the collection and management of personal data. Among other things, the guidance emphasizes the importance of protecting personal data according to Chinese laws and regulations, and it discusses parameters for collecting data pursuant to epidemic prevention and mitigation efforts.
The Personal Data Protection Commission issued an advisory concerning personal data that organizations may collect without consent for purposes of COVID-19 contact tracing.
Currently there is no comprehensive federal-level data protection law, but there are several federal and state laws that address data privacy and protection. With the COVID-19 situation continuing to evolve, we are seeing bulletins, waivers, and other documents and notices being released at the federal level, addressing issues of HIPAA privacy and the coronavirus.
As the COVID-19 situation continues to unfold, it will be interesting to see how governments handle the balance between personal data rights and the public need to access and use such data to mitigate large-scale health crises such as pandemics.
Bringing this down to a company level – at all times, and especially in times of widespread public health emergencies when it is possible if not likely that personal data might be processed or shared, it is important for businesses to understand their jurisdictional data protection laws and rules. Also crucial is the need for companies to be forthright and transparent with their clients and employees about what, when, and how personal or sensitive data is being processed. A robust information governance program that is already in place can significantly help in these efforts.
For your current information governance and data compliance needs, contact Zasio today.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Jared Walker, JD
Senior Research Analyst, Team Lead / Licensed Attorney