“Public Health AND Privacy” vs. “Public Health OR Privacy” in the time of the COVID-19 pandemic

The COVID-19 outbreak has touched the lives of millions of individuals across the globe. Among those severely affected are the residents of my native Italy, who are currently under a mandatory lockdown (nationwide travel restrictions have been enacted) until an undefined date. But how should the collection of potentially special category personal data (health data) be managed in a pandemic? Several data protection authorities have provided guidance to this end. In this post, however, I will largely limit myself to the Italian situation, and I will explore what other DPAs have proposed in the coming days.

My initial reflection on the current state of emergency is that, even more so in this time of crisis, it is paramount that we do not forget that data protection and privacy laws still apply. In this critical (and I may add, particular) moment, in fact, it is more important than ever to place privacy and data protection at the center of public discourse. It goes without saying that in this exceptional moment, exceptional measures are necessary to protect the health of individuals and the community. However, it would appear that we are facing a daily balancing test head-on, one that creates a potentially dangerous dichotomy of public health versus privacy and data protection. Instead, now is the time to break this line of thinking and promote the idea that it’s not “public health or privacy”, it’s “public health and privacy”.

The conceptualization of approaching data processing in relation to COVID-19 as public health and privacy is confirmed by the position of the European Data Protection Board as expressed in its formally adopted Statement on the processing of personal data in the context of the COVID-19 outbreak (19 March 2020), which reads, “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way. It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”

Generally speaking, it can be concluded that European Supervisory Authorities (in their specific guidelines) have censured any abundant and unregulated mass collection of health data by those (e.g., employers) who, unlike healthcare providers and the relevant competent authorities, have not been specifically endowed with such a mandate. In further specifying this general approach, Italy has recently taken an interesting practical approach set forth in the March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces, agreed upon by the President of the Council of Ministers, the Minister of Economy, the Minister of Labour and Social Policy, the Minister of Economic Development and the Minister of Health, and employers’ unions and trade unions. The 13-point protocol (explained in more depth below) provides precautionary measures aimed at containing the virus in non-healthcare working environments and includes the possibility to surveil the health of employees by permitting employers to take temperature readings of employees before they enter their place of work (see in this respect the different approach taken, as of today, for example, by the CNIL). These measures allow for the collection of special category personal data (health data) but at the same time establish a clear procedure for collecting and processing the data. This is a case, in fact, in which health safety and privacy & data protection work together. Another example of a pragmatic approach outside of Italy can be seen in the UK, where the ICO has stated that it is a regulator “that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”

On 2 March 2020, the Italian DPA issued a statement – “Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA” (you can find both the English and Italian versions here) – which responds to a number of questions that the Authority had received from both the private and public spheres concerning the collection of data, of both employees and visitors, with respect to Coronavirus symptoms and recent movements of these individuals. 

The Italian DPA pointed out that “the emergency legislation adopted in recent weeks provides that any person who has been staying for the last 14 days in the areas of epidemiological risk as well as in the municipalities identified by the latest regulatory provisions must notify the territorial health authority, also by the agency of the family doctor. That authority will be responsible for carrying out the required checks including the special insulation measures.” Furthermore, employers should avoid collecting “in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.” 

The Italian DPA thus affirmed that employees are obliged to inform their employer of any potential risks to the health and safety in the workplace. To this end, operational instructions have been provided to the Public Administration “to report to the respective administration that they have travelled to a risk area. In this context, the employer may invite their employees to make, where necessary, such communications by facilitating the way they are routed, including through dedicated channels; the obligations for the employer to inform the competent entities of any change in the ‘biological’ risk to health at work arising from the Coronavirus are left unprejudiced along with the other tasks related to health surveillance of workers through the competent doctor, such as the possibility to have the most exposed workers undergo an extraordinary medical visit.” 

Concluding, the Italian DPA called “on all controllers to comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the Coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.” 

Still with respect to Italy, on 9 March 2020 Decree-Law 14/2020 (see Article 14) was published, which permits various data processing activities by the National Civil Protection Service, public and private healthcare entities operating within the National Healthcare Service, the Ministry of Health and the Higher Institute of Health care, also with respect to special categories of personal data. The stated purpose of this is “to ensure the most effective management of flows and the interchange of personal data, they may carry out processing, including the communication between them, of personal data, including those relating to Articles 9 and 10 of Regulation (EU) 2016/679, which are necessary for the performance of the duties assigned to it in the framework of the emergency caused by the spread of COVID-19.” The data processing shall be “carried out in accordance with the principles set out in Article 5 of Regulation (EU) 2016/679, by adopting appropriate measures to protect the rights and freedoms of those concerned.” Simplified information to the data subject (Article 13 GDPR) can be provided in this context or can even be omitted. Finally, “At the end of the state of emergency… the entities referred to in paragraph 1 (those authorized to carry out data processing in this context) shall adopt appropriate measures to trace the processing of personal data carried out in the context of the emergency, in the context of the ordinary competencies and rules governing the processing of personal data.”

On 12 March 2020, in Italy, the Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces was published. As mentioned above, one of the important aspects included in the protocol is the possibility, before entering the workplace, to subject staff to body temperature monitoring. If their temperature exceeds 37.5 °C, access to the workplace shall not be permitted. Persons in this condition – in compliance with the indications given in the protocol – shall be temporarily isolated and provided with masks. The employee in this case will be asked not to go to the Emergency Room and/or to the company infirmaries, but will instead have to contact their doctor as soon as possible and follow the indications they are given. It should be underlined that this measurement of body temperature indeed constitutes data processing and therefore must take place in accordance with relevant privacy laws.

For this purpose, it has been suggested that the temperature be taken but that the relevant reading not be recorded. Furthermore, the identity of the individual and the fact that their temperature reading exceeded the threshold of 37.5 °C shall be documented only if it is necessary to document the reasons that prevented access to company premises. Information with respect to the data processing should also be provided, though the information notice may be provided orally and may omit information already in the possession of the data subject.

Concerning the contents of the information notice, and with reference to the purpose of the processing, it is possible to indicate prevention from the COVID-19 contagion. Instead, with respect to the legal basis, it is possible to indicate the implementation of the anti-contagion security protocols pursuant to Article 1(7)(d) of the Prime Ministerial Decree of 11 March 2020. In terms of the data retention period, reference should be made to the end of the state of emergency. Data controllers are also called on to define appropriate security and organisational measures to protect the relevant data. 

Such data may be processed exclusively for the purpose of preventing COVID-19 contagion and “must not be disclosed or communicated to third parties outside the specific regulatory provisions (e.g. in case of request by the Health Authority for the reconstruction of the supply chain of any close contacts of a worker who has tested positive to COVID-19).” Should the employee be subject to isolation, the confidentiality and dignity of the worker shall be protected by way of procedures and guarantees also in the case that the employee informs their higher-ups that they have had contact with individuals who have “tested positive for COVID-19 and in the event of removal of the worker who develops a fever and symptoms of respiratory distress.” 

Concerning declarations from employees certifying that they do not come from an area of risk and have not had contact with any positive cases, it is important to follow data protection rules as the acquisition of such a declaration indeed constitutes the processing of personal data. The protocol affirms that “To this end, the indications referred to above shall apply and, specifically, it is suggested that only the necessary, adequate and relevant data for the prevention of COVID-19 infection should be collected.” Concretely, it clarifies that “if you are requesting a statement on contact with a COVID-19-positive person, you should refrain from requesting additional information about the positive person. Or, if a declaration of origin from epidemiological risk areas is required, it is necessary to refrain from requesting additional information about the specificities of places that were visited.” 

Below I list the other positions and guidelines available to date from organizations, governments and DPAs:

European Data Protection Board – Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Statement on the processing of personal data in the context of the COVID-19 outbreak (adopted on 19 March 2020)

United Nations Special Rapporteurs – COVID-19: States should not abuse emergency measures to suppress human rights

National Statements and Guidance

Albania – IDP Guidelines on the protection of personal data in the context of the measures taken against COVID-19

Argentina – Agencia de Acceso a la Información Pública, Tratamiento de datos personales ante el Coronavirus

Australia – Office of the Australian Information Commissioner (OAIC), Coronavirus (COVID-19): Understanding your privacy obligations to your staff – Agencies

Austria – Austrian Data Protection Authority, Information on Coronavirus (Covid-19)

Bulgaria – Commission for Personal Data Protection, КЗЛД въвежда противоепидемични мерки срещу разпространението на COVID-19

Canada – Office of the Privacy Commissioner of Canada, Announcement: Commissioner issues guidance on privacy and the COVID-19 outbreak and Guidance: Privacy and the COVID-19 outbreak; Office of the Information and Privacy Commissioner of Alberta, Privacy in a Pandemic

Denmark – Datatilsynet, How about GDPR and coronavirus?

Finland – Office of the Data Protection Ombudsman, Data protection and limiting the spread of coronavirus

France – Commission Nationale de l’Informatique et des Libertés, Coronavirus (Covid-19): les rappels de la CNIL sur la collecte de données personnelles

Gibraltar – Gibraltar Regulatory Authority, Data protection and Coronavirus: What you need to know

Germany – Office of the Federal Commissioner for Data Protection and Freedom of Information, DSK provides information on data protection and Coronavirus and German Data Protection Supervisory Authorities joint information paper on data protection and the Coronavirus pandemic

Hong Kong – Privacy Commissioner for Personal Data, The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 and Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing

Hungary – Hungarian National Authority for Data Protection and Freedom of Information, Information on processing data related to the Coronavirus epidemic

Iceland – Data Protection Authority, COVID-19 and privacy

Ireland – Irish Data Protection Commission, Data Protection and COVID-19

Italy – Garante per la protezione dei dati personali, Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA, Italian state – Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency and Italian state – March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces

Jersey – Office of the Information Commissioner, Data Protection and Coronavirus

Lithuania – State Data Protection Inspectorate, Personal Data Protection and Coronavirus COVID-19

Luxembourg – National Commission for Data Protection, Coronavirus (COVID-19): recommendations by the CNPD on the processing of personal data in the context of a health crisis

Malta – Office of Information and Data Protection Commissioner, Processing of personal data in the context of COVID-19

Mexico – National Institute for Transparency, Access to Information and Personal Data Protection, Ante casos de COVID-19, INAI emite recomendaciones para tratamiento de datos personales; Suspende INAI eventos públicos, por recomendación de la SSA para evitar contagio de COVID-19; and Adoptará INAI como medida de prevención el trabajo a distancia ante COVID-19

New Zealand – Office of the Privacy Commissioner, Covid-19 and privacy FAQs

North Macedonia – Personal Data Protection Agency of the Republic of Northern Macedonia, Data Protection and Coronavirus

Norway – Datatilsynet, Corona and privacy

Peru – Autoridad Nacional de Protección de Datos Personales del Peru, Divulgar datos personales de pacientes con coronavirus puede ser multado hasta con 215 mil soles

Philippines – National Privacy Commission, NPC PHE BULLETIN No. 3: Collect what is necessary. Disclose only to the proper authority

Poland – Personal Data Protection Office of Poland, Statement by the President of the Personal Data Protection Office on coronavirus

San Marino – Autorità Garante per la protezione dei dati personali, Public announcement on COVID-19 emergency

Slovakia – Office for Personal Data Protection of the Slovak Republic, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Coronavirus and processing of personal data

Spain – Agencia Española de Protección de Datos, Report from the State Legal Service Department on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from Covid-19; Covid-19 FAQs; La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19; and Campañas de phishing sobre el COVID-19

Switzerland – Federal Data Protection and Information Commissioner, Data protection legal framework for the containment of the coronavirus

The Netherlands – De Autoriteit Persoonsgegevens, AP gives organizations more time due to corona crisis

United Kingdom – Information Commissioner’s Office (ICO), Data protection and coronavirus: statement for health and care practitioners, and COVID-19: general data protection advice for data controllers


