The COVID-19 outbreak has touched the lives of millions of individuals across the globe. Among those severely affected are the residents of my native Italy, who are currently under a mandatory lockdown (nationwide travel restrictions have been enacted) until an undefined date. But how should the collection of potentially special category personal data (health data) be managed in a pandemic? Several data protection authorities have provided guidance to this end. In this post, however, I will largely limit myself to the Italian situation, and will explore what other DPAs have proposed in the coming days.
My initial reflection on the current state of emergency is that, even more so in this time of crisis, it is paramount that we do not forget that data protection and privacy laws still apply. In this critical (and, I may add, particular) moment, it is more important than ever to place privacy and data protection at the center of public discourse. It goes without saying that in this exceptional moment, exceptional measures are necessary to protect the health of individuals and the community. However, it would appear that we are facing a daily balancing test head-on, one that creates a potentially dangerous dichotomy of public health versus privacy and data protection. Now is the time to break this line of thinking and promote the idea that it’s not “public health or privacy”, it’s “public health and privacy”.
The conceptualization of approaching data processing in relation to COVID-19 as public health and privacy is confirmed by the position of the European Data Protection Board as expressed in its formally adopted Statement on the processing of personal data in the context of the COVID-19 outbreak (19 March 2020), which reads, “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way. It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
Generally speaking, it can be concluded that European Supervisory Authorities (in their specific guidelines) have censured any abundant and unregulated mass collection of health data by those (e.g., employers) who have not been specifically endowed with such a mandate, as healthcare providers and the relevant competent authorities have. In further specifying this general approach, Italy has recently taken an interesting practical approach set forth in the March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces, agreed upon by the President of the Council of Ministers, the Minister of Economy, the Minister of Labour and Social Policy, the Minister of Economic Development and the Minister of Health, and employers’ unions and trade unions. The 13-point protocol (explained in more depth below) provides precautionary measures aimed at containing the virus in non-healthcare working environments and includes the possibility to surveil the health of employees by permitting employers to take temperature readings of employees before they enter their place of work (see in this respect the different approach taken, as of today, for example, by the CNIL). These measures allow for the collection of special category personal data (health data) but at the same time establish a clear procedure for collecting and processing the data. This is a case, in fact, in which health safety and privacy & data protection work together. Another example of a pragmatic approach outside of Italy can be seen in the UK, where the ICO has stated that it “does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”
On 2 March 2020, the Italian DPA issued a statement – “Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA” (you can find both the English and Italian versions here) – which responds to a number of questions that the Authority had received from both the private and public spheres concerning the collection of data, of both employees and visitors, with respect to Coronavirus symptoms and recent movements of these individuals.
The Italian DPA pointed out that “the emergency legislation adopted in recent weeks provides that any person who has been staying for the last 14 days in the areas of epidemiological risk as well as in the municipalities identified by the latest regulatory provisions must notify the territorial health authority, also by the agency of the family doctor. That authority will be responsible for carrying out the required checks including the special insulation measures.” Furthermore, employers should avoid collecting “in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”
The Italian DPA thus affirmed that employees are obliged to inform their employer of any potential risks to health and safety in the workplace. To this end, operational instructions have been provided to the Public Administration “to report to the respective administration that they have travelled to a risk area. In this context, the employer may invite their employees to make, where necessary, such communications by facilitating the way they are routed, including through dedicated channels; the obligations for the employer to inform the competent entities of any change in the ‘biological’ risk to health at work arising from the Coronavirus are left unprejudiced along with the other tasks related to health surveillance of workers through the competent doctor, such as the possibility to have the most exposed workers undergo an extraordinary medical visit.”
In conclusion, the Italian DPA called “on all controllers to comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the Coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.”
Still with respect to Italy, on 9 March 2020 Decree-Law 14/2020 (see Article 14) was published, which permits various data processing activities by the National Civil Protection Service, public and private healthcare entities operating within the National Healthcare Service, the Ministry of Health and the Higher Institute of Health care, also with respect to special categories of personal data. The stated purpose of this is “to ensure the most effective management of flows and the interchange of personal data, they may carry out processing, including the communication between them, of personal data, including those relating to Articles 9 and 10 of Regulation (EU) 2016/679, which are necessary for the performance of the duties assigned to it in the framework of the emergency caused by the spread of COVID-19.” The data processing shall be “carried out in accordance with the principles set out in Article 5 of Regulation (EU) 2016/679, by adopting appropriate measures to protect the rights and freedoms of those concerned.” Simplified information to the data subject (Article 13 GDPR) can be provided in this context or can even be omitted. Finally, “At the end of the state of emergency… the entities referred to in paragraph 1 (those authorized to carry out data processing in this context) shall adopt appropriate measures to trace the processing of personal data carried out in the context of the emergency, in the context of the ordinary competencies and rules governing the processing of personal data.”
On 12 March 2020, in Italy, the Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces, was published. As mentioned above, one of the important aspects included in the protocol is the possibility, before entering the workplace, to subject staff to body temperature monitoring. If their temperature exceeds 37.5° C, access to the workplace shall not be permitted. Persons in this condition – in compliance with the indications given in the protocol – shall be temporarily isolated and provided with masks. The employee in this case will be asked to not go to the Emergency Room and/or to the company infirmaries, but will instead have to contact their doctor as soon as possible and follow indications they are given. It should be underlined that this measurement of body temperature indeed constitutes data processing and therefore must take place in accordance with relevant privacy laws.
For this purpose, it has been suggested that the temperature be taken but that the relevant reading not be recorded. Furthermore, the identity of the individual and the fact that their temperature reading exceeded the threshold of 37.5° C shall be documented only where it is necessary to record the reasons that prevented access to company premises. Information with respect to the data processing should also be provided, though the information notice may be provided orally and may omit information already in the possession of the data subject.
Concerning the contents of the information notice, and with reference to the purpose of the processing, it is possible to indicate prevention of COVID-19 contagion. With respect to the legal basis, it is possible to indicate the implementation of the anti-contagion security protocols pursuant to Article 1(7)(d) of the Prime Ministerial Decree of 11 March 2020. In terms of the data retention period, reference should be made to the end of the state of emergency. Data controllers are also called on to define appropriate security and organisational measures to protect the relevant data.
Such data may be processed exclusively for the purpose of preventing COVID-19 contagion and “must not be disclosed or communicated to third parties outside the specific regulatory provisions (e.g. in case of request by the Health Authority for the reconstruction of the supply chain of any close contacts of a worker who has tested positive to COVID-19).” Should the employee be subject to isolation, the confidentiality and dignity of the worker shall be protected by way of procedures and guarantees, including where the employee informs their superiors that they have had contact with individuals who have “tested positive for COVID-19 and in the event of removal of the worker who develops a fever and symptoms of respiratory distress.”
Concerning declarations from employees certifying that they do not come from an area of risk and have not had contact with any positive cases, it is important to follow data protection rules as the acquisition of such a declaration indeed constitutes the processing of personal data. The protocol affirms that “To this end, the indications referred to above shall apply and, specifically, it is suggested that only the necessary, adequate and relevant data for the prevention of COVID-19 infection should be collected.” Concretely, it clarifies that “if you are requesting a statement on contact with a COVID-19-positive person, you should refrain from requesting additional information about the positive person. Or, if a declaration of origin from epidemiological risk areas is required, it is necessary to refrain from requesting additional information about the specificities of places that were visited.”
Below I list the positions and guidelines of organizations, governments and DPAs available to date:
European Data Protection Board – Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, and Statement on the processing of personal data in the context of the COVID-19 outbreak (adopted on 19 March 2020)
United Nations Special Rapporteurs – COVID-19: States should not abuse emergency measures to suppress human rights
National Statements and Guidance
Germany – Office of the Federal Commissioner for Data Protection and Freedom of Information, DSK provides information on data protection and Coronavirus and German Data Protection Supervisory Authorities joint information paper on data protection and the Coronavirus pandemic
Hong Kong – Privacy Commissioner for Personal Data, The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 and Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing
Italy – Garante per la protezione dei dati personali, Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA, Italian state – Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency and Italian state – March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces
Mexico – National Institute for Transparency, Access to Information and Personal Data Protection, Ante casos de COVID-19, INAI emite recomendaciones para tratamiento de datos personales, Suspende INAI eventos públicos, por recomendación de la SSA para evitar contagio de COVID-19, and Adoptará INAI como medida de prevención el trabajo a distancia ante COVID-19
Norway – Datatilsynet, Corona and privacy
Spain – Agencia Española de Protección de Datos, Report from the State Legal Service Department on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from Covid-19, Covid-19 FAQs, La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19, Campañas de phishing sobre el COVID-19
United Kingdom – Information Commissioner’s Office (ICO), Data protection and coronavirus: statement for health and care practitioners, and COVID-19: general data protection advice for data controllers