The Covid-19 coronavirus is creating a need for organisations to process personal data, for a variety of specific purposes (including managing and protecting their workforce, customers and the public). Many of these processing activities are not part of “business as usual”, so established policies and protocols may not exist. Organisations face a challenge to ensure that this processing complies with data protection and privacy laws, particularly given the urgency behind some of these processing activities and other pressures, which means there is limited time available for consideration and consultation.
No country is left unaffected, so for companies operating across multiple jurisdictions this is a particularly complex challenge. Regulators across the world have made statements on their expectations of how organisations may process personal data, for purposes related to dealing with Covid-19 coronavirus, in compliance with data protection laws. This guidance generally endeavours to strike a balance between enabling processing, in the public interest, while protecting the fundamental rights of individuals.
We set out below a high-level summary of this guidance.
Whilst many regulators highlight the desire to implement procedures to tackle the Covid-19 coronavirus and halt its progression, the overarching message is that the processing activities aimed at achieving that goal should nonetheless comply with data protection and privacy laws.
This was also the main message of the Executive Committee of the Global Privacy Assembly (a global forum for data protection and privacy authorities), which commented in its March statement as follows: “[We] are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight Covid-19.”
In the EU, in particular, many regulators have reiterated the need to treat health data with particular care and have provided guidance on the circumstances in which processing in the context of the Covid-19 coronavirus can be justified. Generally, this requires that employers operate proportionately, considering the necessity of what is proposed and avoiding activities such as:
- systematic monitoring and testing of employees (by continuously testing the body temperature of employees for example)
- mandatory questionnaires about health condition, and
- widespread sharing or reporting of health information.
Particular care is advised in relation to disclosure to the workforce of health status of specific individuals.
That said, guidance often highlights that there are protection of public health (and similar) justifications for processing of personal data, including that related to health, particularly by government bodies and other authorities working to mitigate the impact of Covid-19.
A number of authorities have also highlighted that the Covid-19 coronavirus has led to an increase in cyber-attacks that seek to take advantage of public concern about the virus, as well as to changes in working patterns (in particular, increased home-working), both of which create increased cyber risk. Many have issued practical guidance regarding home-working, highlighting for example the need to implement appropriate security measures, utilise access controls and encryption, engage with employees, and be vigilant for phishing attacks in particular.
The high-level summaries included here reflect key messages as at 26 March 2020. New guidance and advice is being issued all the time, so we will continue to update these summaries.