COVID-19: Managing Privacy Law Risks in the EU

King & Spalding

The unprecedented global spread of coronavirus, or COVID-19, has taken a major toll on governments and businesses as they try both to protect people and to contain the outbreak. Tragically, the human impact has also seen thousands of people die so far.

Any individual who is diagnosed with the virus will, understandably, be very anxious and concerned. Likewise, employers will have a duty of care when it comes to the well-being of infected staff and the protection of employees’ personal information. As our readers will know, processing health information in countries such as the U.K. and across the European Union is highly regulated under the General Data Protection Regulation (GDPR).

GDPR

Under GDPR an individual’s health information falls under the rules for processing “special category data” and requires additional protection due to its sensitive nature. The rules on the protection of special category data, or sensitive personal data, cover information about racial or ethnic origin, sexual orientation, political opinions, genetic data, biometric data as well as, specifically, data concerning health.

In routine scenarios, individuals are protected from the dissemination of sensitive personal data (such as information about medical conditions or other health information) to colleagues within an organization and to the wider world. Of course, sensitive personal information should be protected, not least because an individual may not want colleagues or other third parties to know they may have a medical condition or illness. Whilst this is the starting point, and the dissemination of information about an individual’s medical condition or illness is highly regulated under GDPR, that is not the end of the story: helpfully, the processing of sensitive information about COVID-19 cases can be managed differently under GDPR’s rules.

Article 9

Article 9 of GDPR includes a list of specific conditions which can be relied upon for processing special category data, which would be applicable in a scenario where an individual has COVID-19. The conditions cover specific grounds for processing, such as receiving explicit consent from the individual (albeit GDPR sets a high standard for the form and content of informed and explicit consent). In addition, the information may already have been made public by the data subject, and GDPR recognizes that it is lawful to process sensitive health information on that basis.

An additional provision of Article 9 may also be relevant for the processing of sensitive health data, namely: “Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

Many member states of the EU and the U.K. have made use of specific derogations under GDPR to legislate further in this area. Under English law, the Data Protection Act 2018 sets out that (among others) the substantial public interest grounds will include “statutory and government purposes”, “protecting the public” and “supporting individuals with a particular….medical condition.” These provisions offer employers a framework for processing sensitive health information of an individual in the case of the COVID-19 outbreak.

Proportionality

Once the lawful basis for processing sensitive health data has been established, employers must also be mindful of the other principles that GDPR sets out for processing personal information generally. Employers will need to be aware of the necessary balance which must be struck between protecting the health and well-being of the workforce and not causing further unnecessary trauma to someone suffering from COVID-19.

In practice this means carefully considering how much information is given out about the individual’s particular circumstances. For example, rather than naming specific individuals, which may not only compromise data but have a knock-on effect for morale and impact the individual personally, it is advisable to reveal only the necessary information to manage the risks and protect the privacy of the individuals concerned.

COVID-19 has seemingly plunged the world into great uncertainty. As such, organizations must do everything they can to protect staff, both in terms of their health and their personal information, to ensure that the impact of the outbreak is minimized as far as possible.

Written by:

King & Spalding