The COVID-19 outbreak has affected the lives of millions of individuals across the globe. Among those affected are the residents of my native Italy who are currently under a mandatory lockdown (nationwide travel restrictions have been enacted) until April 3rd. In this time of crisis, however, it’s important to not forget that data protection and privacy laws still apply.
How should the collection of potentially special category personal data (health data) be managed? Several data protection authorities have provided guidance to this end. In this post I will limit myself to the Italian situation; in the coming days I will explore what other DPAs have proposed.
The Italian DPA on 2 March 2020 issued a statement – “Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA” (you can find both the English and Italian versions here) – which responds to questions that it received from both the private and public spheres concerning the collection of data, of both employees and visitors, with respect to Coronavirus symptoms and recent movements of these individuals.
The Italian DPA pointed out that “the emergency legislation adopted in recent weeks provides that any person who has been staying for the last 14 days in the areas of epidemiological risk as well as in the municipalities identified by the latest regulatory provisions must notify the territorial health authority, also by the agency of the family doctor. That authority will be responsible for carrying out the required checks including the special insulation measures.” Furthermore, employers should avoid collecting “in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”
The Italian DPA affirmed that employees are obliged to inform their employer of any potential risks to the health and safety in the workplace. To this end, operational instructions have been provided to the Public Administration “to report to the respective administration that they have travelled to a risk area. In this context, the employer may invite their employees to make, where necessary, such communications by facilitating the way they are routed, including through dedicated channels; the obligations for the employer to inform the competent entities of any change in the ‘biological’ risk to health at work arising from the Coronavirus are left unprejudiced along with the other tasks related to health surveillance of workers through the competent doctor, such as the possibility to have the most exposed workers undergo an extraordinary medical visit.”
Concluding, the Italian DPA called “on all controllers to comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the Coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.”
Still with respect to Italy, on March 9th Decree-Law 14/2020 (see Article 14) was published. It permits various data processing activities by the National Civil Protection Service, public and private healthcare entities operating within the National Healthcare Service, the Ministry of Health and the Higher Institute of Health care, also with respect to special categories of personal data. The stated purpose of this is “to ensure the most effective management of flows and the interchange of personal data, they may carry out processing, including the communication between them, of personal data, including those relating to Articles 9 and 10 of Regulation (EU) 2016/679, which are necessary for the performance of the duties assigned to it in the framework of the emergency caused by the spread of COVID-19.” The data processing shall be “carried out in accordance with the principles set out in Article 5 of Regulation (EU) 2016/679, by adopting appropriate measures to protect the rights and freedoms of those concerned.” In this context the information notice required by Article 13 GDPR can be provided in simplified form, or even omitted. Finally, “At the end of the state of emergency… the entities referred to in paragraph 1 (those authorized to carry out data processing in this context) shall adopt appropriate measures to trace the processing of personal data carried out in the context of the emergency, in the context of the ordinary competencies and rules governing the processing of personal data.”