On 17 April 2020, the Mauritius Data Protection Office (the “DPO”) published a guide on data protection in the context of the Coronavirus (COVID-19) outbreak. The DPO, as the enforcing authority under the Data Protection Act (the “Act”), has reiterated that all organisations involved in the processing of data should continue to comply with all their obligations under the Act.
Data processing in the context of COVID-19
The Guide reminds data controllers that consent is not the sole basis for processing data. While the Act allows a data controller to process personal data when necessary, in respect of special categories of data (including health data), further specific conditions will apply. For instance, the DPO acknowledges that supermarkets are under a legal obligation to take the temperature of their customers, and it could be argued that this is required to protect the vital interests of data subjects, other people within the supermarket, and to allow the health authorities to perform their duties.
As far as employers are concerned, it should be pointed out that employers have a statutory duty under the Occupational Health and Safety Act (“OSHA”) to ensure the safety, health and welfare of all employees at work, and the obligation under OSHA arises in all circumstances, irrespective of COVID-19.
Under the Guide, the DPO notes that employers may process the health data of their employees on the basis of their obligations under OSHA. In practice, this means employers must prepare and implement protocols or standard operating practices as soon as the confinement is lifted. However, in doing so, employers must always balance their legitimate interest in exercising their right to collect the health data of employees and of other data subjects, as part of their obligation to implement preventive measures under OSHA or as imposed by the health authorities, against the rights and freedoms of the data subjects. It would therefore be advisable that employers refrain from generalising the practice of processing health data through individual questionnaires or requests to search for potential symptoms in an employee or his/her next of kin, or by collecting medical reports from employees or agents.
Employers should further bear in mind the following:
- they may inform their employees if one of their colleagues has been contaminated; however, the name of the specific employee should not be disclosed. Health data can be shared with the health authorities in case of contamination;
- personal data collected for combatting COVID-19 must not be used or disclosed for other, unrelated purposes;
- personal data collected for the purpose of combatting COVID-19 must be permanently destroyed when the purpose of collection is fulfilled, or when, after a reasonable period of time, there is no evidence suggesting that any employee has contracted the virus or has had close contact with an infected person; and
- employers must demonstrate that adequate security and organisational safeguards have been put in place to protect the sensitive data against unauthorised or accidental access, processing, erasure, loss or use.
The Guide also provides that developers of apps, and those making use of artificial intelligence generally, should take into account data protection principles such as data minimisation, proportionality, necessity and time limitation. Practically, developers should ensure that privacy is considered from the initial design stage and throughout the development and finalisation stages of an app, and by doing so should be able to demonstrate that:
- the legal basis under which data is being processed is strictly for combatting the spread of COVID-19, and for no other purpose;
- clear security and organisational measures are in place to protect the integrity and safety of the personal data; and
- in the app's licence and data protection terms, data subjects are properly and fully informed of their rights, including the manner in which their personal data is being processed, the purpose of such processing, the persons with whom such data may be shared (for example, the health authorities), and the duration of storage of the data.
Last but not least, developers must also ensure that a written contract is entered into for the development of the app, and that any instructions in respect of the processing of personal data in the context of the fight against COVID-19 are, at all times, given by the organisation commissioning the development of the app, as data controller.