25/03/2020
What can you ask your employees or any third parties about the coronavirus, and what can you do with any information that they provide to you? These and related questions have been increasingly occupying those with data protection responsibilities in recent weeks. The UK’s Information Commissioner’s Office (ICO) has now provided some welcome, if incomplete, guidance.
The General Data Protection Regulation (GDPR) identifies certain types of personal data as likely to be more sensitive, and gives them extra protection. These types of personal data are known as the ‘special categories of personal data’ which is commonly shortened to ‘special category data’.
In order to process special category data, the GDPR provides that, in addition to the normal requirements for processing personal data, one of 10 listed exceptions to a general prohibition on the processing of such data (referred to as the ‘conditions for processing special category data’) must apply.
Those conditions for processing special category data are:
Special category data includes ‘data concerning health’ which means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Personal data related to a person’s potential exposure to the coronavirus clearly falls within the ‘health data’ category of special category data.
A number of the conditions listed above can readily be discounted as not applicable to the collection and use of such health data, leaving a reduced – and still uncertain – shortlist of:
So, if you do not already have a person’s explicit consent, how can you collect coronavirus-related information from them?
The ICO has adopted a pragmatic approach. It does not say ‘just do it anyway’: it says “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.” Whilst this is welcome, the statement that “Data protection … [is] about being proportionate” with the test that “if something feels excessive from the public’s point of view, then it probably is” has not previously been observed to be the guiding principle for the ICO or any other data protection regulator and so we would be cautious about simply accepting it at face value. We are also aware that a number of national data protection regulators in various EU member states have not adopted the same pragmatic approach (although some have). There seems little doubt that the ICO’s approach is much more driven, as it notes in the press announcement accompanying its guidance, by “the compelling public interest in the current health emergency”.
However, when it then turns to a number of ‘FAQs’, the ICO’s guidance comes down helpfully in favour of processing the relevant data, albeit without explaining the legal rationale underlying that guidance.
The ICO’s key guidance is as follows:
Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation?
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.
It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.
You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.
If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Can I share employees’ health information to authorities for public health purposes?
Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.
Can I tell my staff that a colleague may have potentially contracted COVID-19?
Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
The ICO also adds a couple of related FAQs which, whilst not directly concerning the processing of health data, data controllers and other organisations may find helpful while the coronavirus pandemic continues.
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period. We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
So far as the relevant conditions for processing are concerned, the ICO’s guidance does not assist and the question remains open. Our own assessment is that an organisation can collect coronavirus-related health data, notwithstanding that health data is special category personal data, because an organisation will have its own obligations, at least as an employer and perhaps more widely, in relation to public health including the health of its own employees, and those obligations include reporting requirements to Public Health England.
As the ICO’s guidance makes clear, any organisation needs to ensure that the health data being collected is necessary for the purpose for which it is to be used and accordingly any questions posed to individuals regarding their exposure to the coronavirus or related matters must represent a necessary, reasonable and proportionate way of meeting the relevant legal obligations. However, in practice and noting the ICO’s answer to the FAQ ‘During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?’, it seems unlikely that the ICO or any other regulator would criticise a data controller for erring on the side of caution in terms of its collection of what it perceived to be relevant information in the present circumstances.
It should also be noted that the Data Protection Act 2018 provides that a data controller can process health data where it is necessary to do so to comply with its own obligations under employment, social security or social protection laws (incorporating one of the potentially relevant conditions for the processing of special category data into UK law). This is subject to the data controller having an “appropriate policy” in place when the processing is carried out, maintaining an up to date policy document and keeping a record of the processing. Accordingly, any organisation collecting and processing coronavirus-related personal data should ensure that it complies with these requirements.