Managing the CoVid-19 outbreak and stopping its spread is now a global challenge. In addition to the significant medical and health responses underway around the world, governments, public health authorities and businesses in general are focused on how to monitor, understand and prevent the spread of the virus.
An important means of limiting the spread of the infection is contact screening, which in practice means identifying and monitoring anyone who may have been in contact with an infected person. Both in the business environment and in the various public institutions, measures such as travel restrictions, self-quarantine policies, visitor limitation and consideration of the requirement for medical examinations have been imposed.
The answers to these questions necessarily involve obtaining and potentially sharing personal information, including data about the health, travel, personal contacts and employment of an individual, his family and the third parties he had contacted.
It is necessary to balance personal privacy with the public interest without forgetting the need to limit data collection and its use during this public health crisis.
The GDPR specifically addresses public health crises and includes provisions on the processing of personal data in this area.
Article 6 of the GDPR states that the processing of personal data without consent is considered lawful whenever it is necessary to comply with a legal obligation to which the data controller is subject, to protect the vital interests of the data subject or another person, or for the exercise of functions in the public interest or in the exercise of the public authority vested in the controller.
Under GDPR recital 46, the processing of personal data should also be considered lawful specifically for the purposes of a public health crisis, stating that "some types of processing can serve both important public interests and vital interests of the data subject, for example when processing is necessary for humanitarian purposes, including the monitoring of epidemics and their spread or in case of humanitarian emergencies."
Recital 45 describes different ways for Member States to address these issues and states that processing under this public interest exemption can be carried out by both public and private authorities.
Article 9 of the GDPR, which prohibits the processing of special categories of personal data (including health data) without explicit consent, also has similar exceptions, including where processing is necessary to:
- "protect the vital interests of the data subject or another natural person in the event of the data subject being physically or legally unable to give his consent;"
- "for reasons of important public interest;"
- "for the purposes of preventive medicine or work ... medical diagnosis ... [or] the provision of health care or health treatments or social action;"
- "for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health."
Recitals 52, 53 and 54 of the GDPR also complement these provisions. Recital 52 recognizes the need to process special categories of personal data for "the prevention or control of communicable diseases and other serious health threats" and recital 53 stresses that such data should be processed for health-related purposes where this is necessary to achieve the objectives in the interests of natural persons and society alike. Recital 54 recognizes that the processing of special categories of personal data without consent may be necessary for public health reasons, but makes it clear that such processing should not result in the processing of data for other purposes by third parties, such as employers or insurance companies and banking entities.
On this basis, the government, as well as public and private organizations, are legitimately taking the necessary measures to contain the spread and mitigate the effects of CoVid-19. Many of these steps involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive "special category" personal data (such as health data).
As shown above, the Data Protection Regulation does not prevent the provision of health care and the management of public health issues by private entities. However, there are important considerations that should be taken into account when processing personal data in this context, such as the implementation of technical and organizational measures to protect personal data, including health data, which may include, for example:
- Limitation of access to data (only authorized persons should be able to access the data).
- Strict deadlines for erasing data as soon as they prove to be unnecessary.
- the limitation of access to data (only authorized persons should be able to access the data);
- Strict deadlines for erasing data as soon as they prove they are unnecessary.
- Adequate training for workers who have access to health data in order to safeguard the rights of data subjects.
- Providing the data subjects with information on the processing of their personal data in an easily accessible format and in clear and simple language.
- Any data processing in the prevention of the spread of CoVid-19 should be carried out in such a way as to ensure that health data are secure.
- The identity of those affected should not be disclosed to third parties or their colleagues.
- Consideration should be given to the principle of data minimization: as in any data processing, only the data strictly necessary to achieve the purpose of the processing should be collected, in this case that of implementing measures to prevent the spread of CoVid-19.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.