Coronavirus and the processing of personal data

25/03/2020

At a glance

What can you ask your employees or any third parties about the coronavirus, and what can you do with any information that they provide to you? These and related questions have been increasingly occupying those with data protection responsibilities in recent weeks. The UK’s Information Commissioner’s Office (ICO) has now provided some welcome, if incomplete, guidance.

The General Data Protection Regulation (GDPR) identifies certain types of personal data as likely to be more sensitive, and gives them extra protection. These types of personal data are known as the ‘special categories of personal data’ which is commonly shortened to ‘special category data’.

In order to process special category data, in addition to the normal requirements for processing personal data, the GDPR provides that one of 10 listed exceptions to a general prohibition on the processing of such data, referred to as the ‘conditions for processing special category data’, must apply.

Those conditions for processing special category data are:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Not-for-profit bodies
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)
  • Archiving, research and statistics (with a basis in law).

Special category data includes ‘data concerning health’ which means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Personal data related to a person’s potential exposure to the coronavirus clearly falls within the ‘health data’ category of special category data.

A number of the conditions listed above can readily be discounted as applicable to the collection and use of such health data, leaving a reduced – and still uncertain – shortlist of:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)

So, if you do not already have a person’s explicit consent, how can you collect coronavirus-related information from them?

The ICO has adopted a pragmatic approach. It does not say ‘just do it anyway’: it says “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.” Whilst this is welcome, the statement that “Data protection … [is] about being proportionate” with the test that “if something feels excessive from the public’s point of view, then it probably is” has not previously been observed to be the guiding principle for the ICO or any other data protection regulator and so we would be cautious about simply accepting it at face value. We are also aware that a number of national data protection regulators in various EU member states have not adopted the same pragmatic approach (although some have). There seems little doubt that the ICO’s approach is much more driven, as it notes in the press announcement accompanying its guidance, by “the compelling public interest in the current health emergency”.

However, when it turns to a number of ‘FAQs’, the ICO’s guidance consistently and helpfully favours processing the relevant data, albeit without explaining the legal rationale underlying that guidance.

The ICO’s key guidance is as follows:

Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation?

You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Can I share employees’ health information to authorities for public health purposes?

Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.

Can I tell my staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?

Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.

The ICO also adds a couple of related FAQs which, whilst not directly concerning the processing of health data, data controllers and other organisations may find helpful while the coronavirus pandemic continues.

More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?

No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period. We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

So far as the relevant conditions for processing are concerned, the ICO’s guidance does not assist and the question remains open. Our own assessment is that an organisation can collect coronavirus-related health data, notwithstanding that health data is special category personal data, because an organisation will have its own obligations, at least as an employer and perhaps more widely, in relation to public health including the health of its own employees, and those obligations include reporting requirements to Public Health England.

As the ICO’s guidance makes clear, any organisation needs to ensure that the health data being collected is necessary for the purpose for which it is to be used and accordingly any questions posed to individuals regarding their exposure to the coronavirus or related matters must represent a necessary, reasonable and proportionate way of meeting the relevant legal obligations. However, in practice and noting the ICO’s answer to the FAQ ‘During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?’, it seems unlikely that the ICO or any other regulator would criticise a data controller for erring on the side of caution in terms of its collection of what it perceived to be relevant information in the present circumstances.

It should also be noted that the Data Protection Act 2018 provides that a data controller can process health data where it is necessary to do so to comply with its own obligations under employment, social security or social protection laws (incorporating one of the potentially relevant conditions for the processing of special category data into UK law), provided that it has an “appropriate policy” in place when the processing is carried out and that it maintains an up to date policy document and a record of the processing. Accordingly, any organisation collecting and processing coronavirus-related personal data should ensure that it complies with these requirements.

Author: Jonathan Riley