The spread of the COVID-19 pandemic has been so swift that there has scarcely been time to stop and consider how it impacts legislation that was formulated to protect the private personal information of people, such as the European Union’s General Data Protection Regulation (GDPR).
Naturally there is an expectation that groups and official bodies will have to process personal data during the crisis as they make efforts to come to the aid of those who are suffering. Even though data authorities are expected to adapt a practical approach when it comes to the processing of data and possible breaches of private information, there are a number of key considerations to take into account at all times.
It is of the utmost importance to see to it that data protection measures do not prevent an adequate amount of care being provided to anyone during the crisis. For this to happen some level of data processing will need to be completed. However, all measures and policies implemented – that involve the use of personal data – should be necessary, proportionate and creating with the help of the appropriate authorities in that specific country.
Main GDPR Considerations During COVID-19 Pandemic
1. Legal Reasoning for Processing Data
There are a few articles in the legislation that permit processing of personal private data during a crisis such as this. For example, if a public health authority issues guidance to do a specific job or provide a specific treatment, then Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 allows for the processing of personal data, incorporating health data.
However, this is only allowable if the proper security measures are implemented (more on this below). These measures would be:
- A clear defined time window and set of rules for access to the data
- Stringent time restrictions for data
- Educating employees staff to ensure that they know their GDPR obligations
2. COVID-19 Pandemic & Employer Obligations During
Employers must permit the processing of personal data if it is for the good of their employees – as per the Safety, Health and Welfare at Work Act 2005 and Article 9(2)(b) of GDPR – if it is deemed a necessary and proportionate measure.
Along with these obligations, all personal data processed must be kept confidential to avoid breaches from taking place. For example, it should be never be known if a member of staff or their family are, at present, suffering from coronavirus nor should enough information be handed over to allow for the identity to be ascertained.
3. Incapacitated Individuals & Processing Data in Relation to
There is a legal argument for processing the private personal data of an individual if it can be proven that this is in their best interests or the best interests of another party. For example, if a person is either physically or legally incapable of providing authorization their consent, then their data may be processed using this basis.
However, this is only permissible if there is no other valid legal argument for processing the data and this is only allowable in emergency situations.
4. Recording of Data Processing
Any individual who is processing data (data controllers) must track the decision-making process for implementing data processing steps during the pandemic. A clear record of this should be recorded so it may be referred to at a later date if any issues are to come to the fore.
This will mean that the process is 100% transparent. It is vital to include the reason for the data processing and state how long the data will be held for. If there is any question linked to this then the above can be provided to data subject in a concise, easily accessible and easy to comprehend way.
5. Individuals’ Confidentiality
No one is permitted to know the identity of any impacted individuals unless there is a clear and carefully reasoned argument for this. If an identity is vital then this must be done in a way that maintains the safety of the data.
This can be easily accomplished if only smallest amount of data possible is made available
A group of data authorities have made more information available about GDPR during the COVID-19 Coronavirus pandemic. You can view all of these:
- Data Protection Commission (Ireland): Data Protection and COVID-19
- Informations Commissioner’s Office (UK): Data protection and coronavirus: what you need to know
- Citizen’s Information (Ireland): Your employment rights during COVID-19 restrictions
- European Data Protection Board: Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak