As coronavirus disease 2019 (COVID-19) continues to spread, employers have been trying to strike a balance between safety and privacy as they apply their own policies and attempt to follow laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act of 1996 in the United States. Health data is often granted greater protective status under data-privacy laws and is subject to additional specialized laws. Most data-protection laws specify health- and safety-related exceptions that allow for more data collection and processing, with the GDPR citing “the prevention or control of communicable diseases and other serious threats to health” as one reason for such derogation.
A guiding principle of the GDPR is to avoid collecting, processing, or disclosing data unnecessarily and to maintain employee privacy—even during a global public health emergency. It is worth considering the purpose of a contemplated measure and whether that measure would reasonably accomplish its purpose based on the facts known at the time. Similar principles apply to transferring personal data. Whenever an employer processes its employees’ personal data, employees must be on notice about what the data will be used for as well as the consequences of nondisclosure.