The world is struggling with an unprecedented crisis seen in recent human history. Governments have taken serious measures to combat the outbreak and Covid-19 was declared to be a "pandemic" by the World Health Organization. Within the scope of the measures taken, data controllers, public authorities or private companies, are in need of processing personal data with different methods to protect health and limit the spread of the infection through contact tracing and requiring medical examination or health information. The conditions of data processing in these hard times from data protection law perspective came to the agenda of data controllers and as well as some data protection authorities in the EU.
How Turkish data protection rules handle processing of health data for the purposes of protecting health
Unlike General Data Protection Regulation ("GDPR"), unfortunately the Law No. 6698 on Personal Data Protection ("Law") which is the legislation in force in the field of personal data protection and the secondary legislation in Turkey do not address public health crises and include specific provisions and rules on processing personal data. Since the personal data processed within the scope of the measures will also include health data, the Law is criticized once again to be problematic in these difficult days as processing health data under the Law does not even respond properly to handling personal data in response to COVID-19.
Article 28 of the Law - Exceptions
Article 28/1 of the Law under the title of "Exceptions" provides exceptions to the application of the Law. However, Article 28/1/c and ç do not set clear exception to the processing of personal data in order to protect public health, to control or prevent risks that threaten public health. The exception only enables public institutions and organizations authorized by law to process personal data and not be subject to the Law for the purpose of ensuring public safety and public order. Considering the purpose of the Law and the nature of the situation, it is considered that measures to protect public health can benefit from the "public safety" exception. However, within the scope of the article, the exception only covers public institutions and organizations authorized by law, so it is has limited application.
Article 6/3 of the Law - Processing Health Data
As per Article 6/3 of the Law "individuals or authorized institutions and organizations under the confidentiality obligation" can process health data "for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing" without the explicit consent of the data subjects. In the preamble of the Law, no explanation, within the scope of the relevant article, has been made regarding data controllers who are not public institutions and organizations. On the contrary, public institutions and organizations, such as the Ministry of Health, are shown as examples to data controllers who may fall within the scope of the article. The provision has been controversial among privacy practitioners and ambiguities have been discussed a lot in this respect. Apparently, it does not meet the need of data processing activities even in a global pandemic to protect health or prevent the spread of risk.
For these reasons stated above, apparently there is no specific rule under Turkish legislation, especially in terms of data controllers who are not considered public bodies to process sensitive personal data such as health data, without explicit consent of data subjects even in exceptional circumstances. The Turkish Data Protection Authority has not yet issued a guideline on this matter.
On the other hand, Article 9 of GDPR regulates the cases, without differentiating public or private bodies, in which health data can be processed without seeking explicit consent in order to protect public health and safety under certain conditions.
As we know, employers have the obligation to protect and monitor workplace and ensure employees' safety and health. Therefore, data controllers must prevent the spread of the pandemic and protect their organizations and community by applying certain measures and this may include tracking and tracing of personal data (of their visitors, customers, employees).
It is seen that data protection authorities of different countries have recently issued statements on how to interpret and clarify the legislation within the scope of the outbreak crisis. ICO has recently announced that data controllers may be treated more flexibly in terms of legal liabilities such as responding to data subject requests and through data breach notifications.
Covid-19 pandemic therefore introduces certain privacy considerations since most countries now have privacy laws in effect, so issue of data protection increasingly has become a focus for all stakeholders.
In terms of processing personal data for the purpose of protecting public health; complying with the fundamental rules of data privacy such as processing data limited with the purpose and proportionately, protection of data security and ensuring that all required measures are duly taken to protect data, not using the processed data for different purposes and not sharing data with third parties are crucial. Although Law does not enable processing of health data without consent in theory, it may be held necessary for public health purposes and we believe that exception provisions must be interpreted in such a way to cover processing personal data for public health reasons. Therefore, while processing personal data for implementing preventive measures to protect health and maintain safety, it is crucial to ensure that data is being processed lawfully, personal rights are respected at all times and data minimization is ensured. To comply with Turkish law, it is advised that for the workplace doctors are included in implementation of preventive measures in companies if process of personal data is required to protect health and prevent the spread of risk.
We hope that you, your colleagues, friends and families stay safe and healthy.
First published by Gün + Partners, in 18.03.2020