Member Article

How do you protect the privacy of people who have been infected by Covid-19, while still usefully informing those who have been put at risk? At a time of public health emergency, shouldn't GDPR take a back seat?

As companies struggle to get new processes in place to cope with the potential ramifications of Covid-19, the aim of this note is to highlight how EU data protection law applies to this unusual set of circumstances. Shoosmiths’ top tips for ensuring data protection compliance in the age of coronavirus are as follows:

1. Don't give in to the panic factor – the law is the still the law

Yes, businesses may need to collect and use personal information about their employees in order to enforce their coronavirus protocols and to best advise their employees on how to limit the employee's risk of exposure. However, it is important not to forget that, although this could be a time-sensitive issue, the requirements of data protection law will still apply to any personal information that a company uses for these purposes.

2. Health information is sensitive information: What are you collecting, and why?

Under the GDPR, information about health is a "special category of personal data", which attracts a higher degree of protection. This means that in order to lawfully collect and use information about its employee's health, the company will need to satisfy a ground under Article 9 GDPR.

In the UK, the most useful ground to enable an employer to protect its workforce in relation to coronavirus will likely be Article 9(2)(b) ("employment, social security and social protection"). For non-employees visiting this would be caught under Article 9(2)(i) (“public interest in public health”). This is because, in the UK, there is a requirement under the Health and Safety at Work etc. Act 1974 for companies to take reasonable steps to look after the health, safety and welfare of staff. As such, it is reasonable for businesses to collect certain information (such as information about confirmed diagnosis) as part of the company's general duty to safeguard health and safety. Indeed, the concept that employers may have a role to play in relation to coronavirus has been highlighted in the UK's recent guidance for employers and businesses on dealing with Covid-19. Arguably this could go as far as temperature screening for both employees and visitors to sites, although the CNIL (French data protection authority) has stated last week that any mandatory and systematic processing of such tests is on a blacklist of processing activities.

However, there is still a limit as to what information employers should try to collect about its employees or visitors for the purposes of health and safety. The UK guidance makes it clear that, although employers will undoubtedly interact with their employees in relation to coronavirus, this is typically more to do with information provision and assistance to employees, rather than collecting information for a pre-emptive coronavirus strategy. Instead, it is the NHS and other health professionals who should be responsible for identifying cases of contagion and advising on appropriate steps for the business to take in response.

This separation of roles has also been reinforced in recent guidance released by the Italian data protection regulator, Garante, which highlights that businesses cannot oblige employees or visitors to disclose information about their presence of coronavirus symptoms. Instead, the Garante highlights that any actions for the purpose of preventing the spread of coronavirus must be carried out by individuals who have the correct qualifications to do this (e.g. doctors or medical institutions).

As the progression of this virus continues, businesses should stay abreast of updates from their governments, as governments may introduce additional local law requirements or guidance in relation to how businesses are permitted, or expected, to operate in relation to coronavirus.

3. Does this mean that I can't collect information about coronavirus to help guide my business through the crisis?

No. If a business is collecting information to help it respond to the coronavirus crisis in order to protect the health, safety and welfare of its staff, this will typically be acceptable under 9(2)(b) grounds and can be done with a 'do first, ask later' mentality (see above) (or, in rare circumstances, under Article 9(2)(c) ("vital interests"). Employers may also be able to rely on Article 9(2)(h) GDPR ("health and social care") to help it manage employee absences resulting from coronavirus. However, if the business is considering, from a commercial perspective, how best to position itself generally to deal with the outbreak, it may need to rely on other grounds under Article 9 to try to justify its activities – this can also increase the business' compliance burden.

For example, if attempting to rely on substantial public interest grounds under Article 9(2)(g) GDPR in order to use health related information about coronavirus, a business would be expected to carry out a legitimate interests assessment (LIA), to ensure that its legitimate interests are not outweighed by the rights and freedoms of the individual. This makes sense - this isn't health and safety firefighting or crucial management planning, this is considered commercial positioning. The company is also likely to have to carry out a Data Protection Impact Assessment (DPIA). Some of the factors that a company will need to evaluate in its LIA or DPIA are set out in the rest of this note.

In addition, as ever, if the business is subject to the UK Data Protection Act 2018 (DPA 18) and intends to rely on certain provisions of Article 9 of the GDPR, then the business will also need to satisfy a condition in the DPA 18. As such, if using these grounds to justify processing of coronavirus information, the business should be sure to keep its "appropriate policy document" and Article 30 GDPR records up to date, to reflect the requirements of the DPA 18.

4. Who needs to know? Protect your employees personal information

A company must protect the personal information that it holds to an appropriate standard. Where information collected about its employees in relation to coronavirus (particularly health information) is concerned, the business will be expected to protect this information to a higher standard than the general BAU information that it collects and uses about its employees. Access to this information should be restricted to a need-to-know basis and should not be more widely shared. Do not name names about infected employees, unless this is strictly necessary.

Offer your staff an easy route to provide you with updates about their coronavirus status. Consider offering a coronavirus hotline, so there is a clear reporting line (manned by individuals subject to appropriate confidentiality provisions) that staff can use to call in to report any concerns they have about coronavirus. This will help to keep the reported information (as well as the virus), from spreading.

5. Data minimisation still reigns supreme – set a clear protocol to collect only what you need

A fundamental principle of the GDPR is data minimisation i.e. that no more information is collected than is required for the stated purpose. In relation to coronavirus, it could be tempting to push the boat out and ask for all sorts of information about your employees – for example, if you are concerned they could be an infection risk to due to their friends' friends' friend currently returning from a coronavirus hotspot. Don't give in to temptation. Be sensible when asking employees to provide personal information about their likelihood of risk and don't ask for more than you genuinely need. If you receive information from an individual that is not relevant to the pertinent issue, delete it.

6. Transparency is key

As with any use of personal information, it should be clear to the individual why the business is collecting their information, how it is being used and what the employee's rights are in relation to the same. If the business finds that it needs to collect new data types to specifically deal with a coronavirus issue, do not forget to notify your employees about this. Provide an update to your employees explaining what new information is required and how it will be used, so your work force knows what to expect.

If you are sending internal comms to your workforce about the virus, again, do not mention any individuals who may have been infected by name. You may find that you need to send tailored comms to staff where you have identified that they are at risk of infection – again, keep this email (and who is intended to receive it) confidential.

7. Keep your information accurate

Another underlying principle of the GDPR is data accuracy. In relation to coronavirus information, make sure that you keep accurate records. Not only is this a requirement of GDPR, but out-of-date information is likely to undermine the effectiveness of the coronavirus procedures that you are trying to put in place.

8. Global companies: don't forget about your international data transfer mechanisms (and top them up if needs be)

Companies that operate internationally may also want to share information collected about their employees and their coronavirus risk across the company group, in order to take a collective view on how best to respond to this illness. However, the GDPR requires that personal information that is transferred outside the EEA be protected by appropriate safeguards. Make sure that any transfers to company offices outside the EEA are still handled appropriately. In addition, if your company group headquarters is outside the EEA, the same protections discussed in this note should be considered both at the headquarters level and in relation to any onward company-wide dissemination.

If the business does not have a GDPR international data transfer mechanism in place (or if this does not cover the intended coronavirus information), the business will be restricted from sharing the personal information amongst its group. In such case, as a short-term solution, the company should look to enter into EU standard contractual clauses and/or a global data transfer agreement between all relevant group entities to permit the transfer and think about binding corporate rules as a longer-term solution.

9. Delete what you don't need

GDPR requires that personal information is deleted once it is no longer required for the purpose for which it was collected. To this end, a company should be sure to delete any information it has collected in relation to coronavirus, once the threat has passed.

10. Next steps

So, where does this get us? To summarise: when it comes to using information about employees for the purposes of dealing with (or pre-empting) the coronavirus outbreak, the golden rule to remember is that the position under law has not changed. Although this is a novel factual scenario, the same considerations will apply. Businesses should ensure that they have the right policies and procedures in place, so they can process this information in compliance with law. Put another way – keep calm and carry on.