Businesses in Ireland have been operating in extraordinary times due to the global pandemic of COVID-19 (Coronavirus). While COVID-19 raises several concerns for businesses, the law under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 still applies.
Although the situation is challenging, businesses must remember that data protection law does not prevent them from taking steps to address and mitigate against COVID-19. In fact, recital 46 of the GDPR envisages this situation, providing that processing in certain circumstances may serve both “important grounds of public interest and the vital interests of the data subject” when it is necessary for “humanitarian purposes”, which includes “monitoring epidemics and their spread”.
In the context of COVID-19, businesses need to assess how they can achieve the right balance between:
- complying with data protection law;
- addressing the issues arising from COVID-19; and
- protecting individuals’ fundamental right to data protection.
In this article, we look at some key COVID-19 data protection queries and share some practical tips to assist businesses in complying with data protection law when addressing the impacts of COVID-19.
Key COVID-19 Data Protection Queries
The GDPR’s data protection principles (lawfulness, transparency, accuracy, data minimisation, purpose limitation, storage limitation, integrity and confidentiality and accountability) are centre stage in the top COVID-19 data protection queries (set out below). Businesses should remember that these principles act as a very useful toolkit to guide decisions in implementing new processing activities as a result of COVID-19.
Can we tell employees if another employee has contracted COVID-19?
Yes. The details provided to employees will depend on the context. For example:
- General employee communications: the general guidance issued by the Data Protection Commission (DPC) states that an employer would be justified in informing staff that there has been a case, or suspected case, of COVID-19 in the organisation. However, the DPC is clear that the employer should not name the affected individual to other employees (e.g. when informing them). We consider this rule to apply where an employer is making an organisation-wide communication.
- Department/Team-specific communications: it might be necessary and proportionate to disclose the personal data of an employee who had contracted COVID-19 where that employee worked in close contact with other employees. In such a case, there would be a justification for disclosing the employee’s name to his/her co-workers in the interests of protecting their vital interests and health.
Irrespective of the context, any disclosure of personal data must be performed in a secure and confidential manner.
Can we ask employees to specify their illness details on medical certificates in light of COVID-19?
Yes. According to the DPC, employers would be justified in having this information so that employers can take appropriate action in respect of an employee who has contracted COVID-19 and his/her co-workers. The DPC has also stated that there are dual obligations in such a scenario:
- For employees: employees have a duty to protect their health and the health of their co-workers. As such, an employee with COVID-19 should inform his/her employer and follow the advice of their healthcare practitioner and public health authorities.
- For employers: employers should follow the advice and directions of the public health authorities. This may render the disclosure of certain personal data necessary to protect against serious threats to public health.
As with any data subject communication, the principle of transparency must be applied. This means that employees must be provided with certain key details (e.g. the purposes of a new processing activity).
Visitors to the building: can we ask them to fill out a questionnaire?
It will depend. The DPC has indicated that it would not be unlawful for an organisation to request visitors to a building to inform it whether they have travelled to an affected area, been in contact with a person who has contracted COVID-19 or are experiencing symptoms on the basis that the employer has a legal obligation to protect the health of employees and ensure the provision of a safe working place. However, the implementation of a more stringent requirement such as a questionnaire would need a strong justification based on necessity and proportionality and on an assessment of risk.
It is also important that the principle of transparency is complied with where a statement of fact is requested, or a questionnaire implemented.
What happens to subject access requests (SARs)?
Nothing. The one-month timeline for responding to SARs (from the date of receipt) still stands. However, the DPC has acknowledged that, for certain businesses, the impact of COVID-19 may have diverted resources within an organisation elsewhere, for example in organisations providing frontline services to manage the demands of COVID-19 (e.g. health sector services). The DPC stated that, where necessary and proportionate, the deadline for responding to a SAR could be extended by a further two months due to the complexity and number of requests, provided that the organisation informs the data subject about the extension and documents the reasons for relying on the extension.
Practical Steps in applying Data Protection
COVID-19 raises challenges for businesses when managing its demands and compliance with data protection law. The following is a list of practical steps for businesses to apply when implementing any new processing activities due to COVID-19:
- Document decisions
Businesses need to document any decisions made to deal with COVID-19 which concern personal data in line with the principle of accountability. This documented decision-making process should be relatively simple but include the key factors that determined the outcome including how the actions incorporate data minimisation and transparency (e.g. notices/employee communications).
- Clear and concise communications
Businesses must ensure that any communications to individuals, whether of a general or specific nature, meet the GDPR’s transparency requirements. This means that clear and plain language must be used along with an account of the key elements to a processing activity concerning individuals. For example, a communication informing employees that they must specify if they have COVID-19 in their sick certificates must detail the legal basis relied upon by the employer, the purposes of the processing along with other key information.
- Data Protection Impact Assessments (DPIAs)
Where processing could result in a high risk to the fundamental rights of individuals and includes the processing of special categories of personal data, businesses should assess whether a DPIA is required. If it is, then a simple DPIA will suffice provided it focuses on the risks/mitigation measures, categories of personal data collected, the purposes for which such data are collected, the legal bases relied on, the recipients of such data and the period for which the data will be retained.
- Data protection by design and default
Businesses must ensure that the concepts of data protection by design and by default are applied:
- Data protection by design requires businesses to embed appropriate technical and organisational measures including to protect the data, into a processing operation from the outset (e.g. pseudonymisation and encryption). These measures must be designed to implement the data protection principles (e.g. data minimisation).
- Data protection by default mandates businesses to implement appropriate technical and organisational measures which, by default, only process the minimum amount of personal data necessary to carry out a processing operation. This obligation applies to the amount of personal data collected, the extent of processing the data undergo, the accessibility of the data and the period for which the data will be retained.
COVID-19 is a challenging time for all businesses. We are available to advise businesses with any issues they face. Please contact Leo Moore, Rachel Hayes or your William Fry contact with any queries.
Please visit our COVID-19 Hub for more information from our other practice areas which might be relevant to your business.
Contributed by Rachel Hayes