The UK Information Commissioner's Office (ICO) advised that companies should minimise the amount of health data collected from employees and visitors amid the COVID-19 epidemic.
The General Data Protection Regulation (GDPR) already imposes strict rules regarding the collection, storage and transmission of any data that could identify an individual. It is particularly stringent on medical data collection. Banks and financial services firms requiring employees, contractors, and visitors to complete health declarations before entering their premises could find themselves on the wrong side of that regulation.
The GDPR limits, but does not prevent, firms' ability to collect health and medical data. It is a delicate matter, however, and firms must proceed cautiously.
"Many European data protection authorities have already published guidance. It isn't always consistent. The legal bases you can rely on to collect this data may be different in different countries. The sensitivities about what can and cannot be collected may also be different. In Italy, for example, there is a lot of sensitivity about collecting generalised information on symptoms and carrying out investigations in relation to individuals' health which can be seen as the responsibility of a healthcare professional. The ability to ask questions through surveys about information to do with their health may be quite restricted in some European countries," said William Long, global co-leader of Sidley's privacy and cyber security practice and leader of its EU data protection practice in London.
A personal health data breach would be a serious matter, he said.
Yesterday the ICO published limited guidance on data privacy obligations and COVID-19, pertaining mainly to data collection in the health care sector.
It did say, however: "You have an obligation to protect your employees' health, but that doesn't necessarily mean you need to gather lots of information about them. You could ask visitors to consider government advice before they decide to come. And you could advise staff to call the [National Health Service] if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect. If that's not enough and you still need to collect specific health data, don't collect more than you need and ensure that any information collected is treated with the appropriate safeguards."
Financial organisations and firms are collecting visitors' personal health data
Thomson Reuters Regulatory Intelligence (TRRI) contacted the ICO on March 10 about an online health questionnaire sent to attendees of a March 11 breakfast meeting, held by the Centre for the Study of Financial Innovation (CSFI) and hosted at the offices of the Chartered Institute for Securities & Investment (CISI). The form requests attendees' names, alongside health information. The online questionnaire suggested it was based on a UK NHS questionnaire. The NHS website cited provides information about symptoms, not a questionnaire.
CISI said in an email, March 13, that hard copies of the questionnaire were kept in a folder at its reception, hidden from visitors and shredded once the event had taken place. Online forms were kept in a separate email folder which was deleted after the event. The forms were reviewed by reception staff, and individuals who answered that they had recently returned from an affected country, were exhibiting symptoms, or had been in contact with someone with the virus were excluded from the event and referred to NHS guidelines for containment of COVID-19.
CISI is not the only financial organisation requiring visitors to fill out questionnaires. UBS's London operations have been asking visitors to complete a health declaration form. A UBS spokeswoman declined to comment.
Firms may in some circumstances collect health data from employees. There is less of a legal basis for collecting health data from customers and visitors to company premises, however. The difference is that there is no employer/employee relationship, and therefore companies should be more measured when collecting data from visitors, Long said.
TRRI also contacted Bank of America, Barclays, Citi, Deutsche Bank, HSBC, JPMorgan and NatWest/Royal Bank of Scotland.
A Citi spokeswoman said the firm was not collecting health data from visitors.
"Like most other organisations, we've also put some restrictions in place around large meetings and non-essential travel. We are applying the same criteria to visitors/contractors/suppliers to our buildings as to our own staff if they have recently returned from a hot spot area," a NatWest/RBS spokeswoman said.
She did not say what those criteria are or whether the bank is collecting and storing data on visitors' health.
A Standard Chartered spokesman said it is "asking hosts to check with their guests before scheduling meetings that they've not travelled to mainland China, South Korea, Iran [or] Italy in the past 14 days, which is in line with our own staff guidance."
The bank is not collecting or storing this information; the other banks did not respond to emails.
The UK had 590 confirmed cases of COVID-19 and eight people had died at the time of going to press.
EU data regulators issue COVID-19 guidance
Many European Union countries' data privacy regulators — Denmark, France, Ireland, Italy and Spain, among others — have issued guidance.
"When we get into health data that's where there are some important legal points that need to be considered. The grounds under the GDPR on which to process health data are pretty narrow and they are normally strictly applied. Yes, it is possible to put in place plans to deal with the crisis as an employer, but the GDPR is there to ensure checks and balances are in place. The crisis is not a blank check for companies to collect data on employees, visitors, and customers. You still need to develop a data protection plan dealing with GDPR requirements," Long said.
Protocols: what firms should be doing
Long emphasised that it is possible to collect health data from employees as long as companies follow GDPR principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security) and accountability.
Firms must be able to provide legal grounds for collecting any data, particularly health data, and show there is a legitimate interest and necessity. Long recommended firms conduct a privacy assessment when implementing any data collection concerning the COVID-19 pandemic. That should include a checklist to ensure only data that is genuinely needed is being collected.
"We've had a pandemic before in 1918. The difference in 2020 is we live in a data- and information-driven world. We don't know how long this could go on. It could be months. Many businesses considered GDPR as a compliance project with 2018 written on it. What we're seeing here is a good example of how the GDPR applies to developments such as the current pandemic. The bottom line is the GDPR won't prevent people dealing with the pandemic but businesses need to think through how they collect personal data, why they need it and apply GDPR principles," Long said.