Data Protection Commission shares information on data protection law to help organisations who have staff transitioning to work
Governments, as well as public, private, and voluntary organisations are taking necessary steps to contain the spread and mitigate the effects of COVID-19, widely referred to as the ‘coronavirus’. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.
Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.
Organisations should also have regard to the following obligations.
There are a number of legal bases for the processing of personal data under Article 6 GDPR, and conditions permitting the processing of Special Categories of personal data, such as health data, under Article 9 that may be applicable in this context. Among these, the following may be relevant.
In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified.
Organisations processing personal data must be transparent regarding the measures they implement in this context, including the purpose of collecting the personal data and how long it will be retained for. They must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, easy to understand, and in clear and plain language.
Any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.
As with any data processing , only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
Controllers should also ensure they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.
Read full article here: Data Protection.ie, Data Protection and COVID-19