The global effort to fight the spread of coronavirus has prompted new privacy related questions around the world. Much has been written for and against the use of privacy-compromising measures to protect public health. Therefore, we have chosen to concentrate on the practical implications of privacy principles on companies and businesses.
In this context, we note that the Israeli Privacy Protection Authority has published two documents designed to help address privacy concerns during this period – a Q&A on privacy during the coronavirus period and points for companies and employees working from home.
Even during this period, which requires the provision of ad hoc solutions to new challenges posed by the coronavirus pandemic, it is important to remember the following principles of privacy protection laws:
Use of information
First of all, it is important to keep in mind that although companies and businesses hold a great deal of information about their customers and employees, before using any such information that goes beyond your routine, it should be considered whether such use does not go beyond the purposes set for collecting the information in the first place.
Protecting employees’ privacy
As they possess a great deal of information about their employees, employers have many obligations with regard to privacy protection in both routine and emergency situations. In the list of questions and answers compiled by the Israeli Privacy Protection Authority, the question arose on whether an employer is allowed to inform employees about a colleague who was infected with coronavirus or suspected of being a carrier. Similar to other privacy issues, a balance is needed between striving to maintain the well-being of employees and protecting the privacy of the sick employee. According to the PPA’s position, the disclosure of personal information should be avoided as much as possible and targeted notification of a specific list of employees who came into contact with the sick employee is preferred (for example, those present in the small meeting room on Wednesday at 15:00).
In addition, with the the new obligation imposed the employers to check a worker’s body temperature before he enters the workplace, it must be ensured that this is conducted in a manner that does not violate the employee’s privacy nor harms his dignity. Documentation should also be kept securely while determining who in the organization should be exposed to it.
Moving to online work also changes employee interaction. In the process of intra-organizational preparation involving the use of online communication, internal procedures should be refreshed, as discussed in our previous update, and communication between employees, as far as personal information (employee or client related) is concerned, must be carried out via secure and protected organizational measures. We note that despite the need to find quick and available solutions, data security concerns should also be considered.
The coronavirus has forced quite a few businesses to send operational messages to their customers to update their work format in light of government decisions. As a rule, there is no prohibition on sending operational messages to a wide list of recipients, including customers who did haven’t consented to marketing communications. However, bear in mind that adding a marketing content, even on the margins of the message, may change the nature of the message and result in spam lawsuits.
Many businesses use third parties and outsourcing as part of their business, whether to infrastructure service providers that have access to the company’s information systems or a delivery company that receives customer contact information. It is important to comply with Rule 15 of the Privacy Protection (Data Security) Regulations and make sure that choosing a certain provider does not come at the expense of the standards the company adheres to in terms of privacy protection and database security.
It is important to remember that we all, including the Privacy Protection Authority, must adapt to the new situation. However, this does not mean there is a loosening of existing legislation, standards or the duty to comply with such. If there is any uncertainty about how to act, we recommend consulting a lawyer and avoiding acting in a way that exposes the company to enforcement actions that have financial implications, especially during this already complex period.