The world is facing unprecedented challenges in its fight to contain Coronavirus (COVID-19). Various countries are in lockdown and emergency measures are being implemented to contain the pandemic, with European countries currently at the epicentre of the outbreak.
Organisations are looking to adopt measures that support business continuity, whilst appropriately protecting the health and safety of workers, customers etc. and complying with wider public health initiatives. The pace of response is fast moving, as the impact of the pandemic spreads quickly.
Application of the GDPR
As organisations implement emergency measures, it is important to be aware of the privacy implications of any steps being taken. In the EU, any measures which involve processing of personal data are likely to give rise to data protection compliance issues that will need to be managed consistent with the General Data Protection Regulation (“GDPR”).
The following are examples of some common measures being adopted by organisations which will give rise to processing of personal data and (in many cases) information about an individual’s state of health which is subject to additional regulation as ‘special category personal data’ under the GDPR:
- dealing with members of the workforce who are suffering from COVID-19, or who may be at risk, or who may have vulnerable family members
- tracing people who have been in contact with someone who has tested positive for COVID-19, or may otherwise be at high risk
- asking staff to complete questionnaires asking about potential exposure to the virus, or underlying health conditions or vulnerabilities which may present enhanced risks
- carrying out temperature checks on entry to sites
- sharing information with public health authorities
It is important to understand that the GDPR applies to these and similar response activities, and that there is no general waiver of compliance because we are dealing with a public health emergency. Compliance officers should bear this in mind and ensure that, where measures are being adopted, the usual principles are followed so that processing is fair, lawful and transparent, and necessary and proportionate, with minimal levels of data captured for the required purposes and due confidentiality and retention controls applied.