Coronavirus is an outbreak of a respiratory disease, also known as “COVID-19” or “SARS-CoV-2”. The outbreak first became noticeable at the end of December 2019 in the megacity of Wuhan in the Chinese province of Hubei. On 30 January 2020, the World Health Organization declared it a public health emergency of international concern. By March 2020, COVID-19 had spread into a worldwide pandemic, with over 125,000 cases confirmed in 118 countries and 4,291 victims and rising, becoming a financial threat to corporates as well as economies. Many European organizations are currently facing the question of how to deal with the personal health data of their employees. This article discusses how organizations could address data protection challenges and privacy approaches within their entities.
Requirement of health data
Under the General Data Protection Regulation 2016/679 of the European Union (GDPR), ‘special categories’ of personal data require an additional layer of protection because they are particularly sensitive. Information about an individual’s health is a ‘special category’ of personal data, and the ability to lawfully collect personal health data is more limited. Information about an individual’s travel history will be personal data and, depending on the context, may be considered a special category of personal data, i.e. if the person who is travelling has a health concern and discloses this sensitive data relating to his health.
GDPR broadly defines health data as any information related to an individual’s physical or mental health. Therefore, health data not only covers information that is “obviously” health-related (such as a description of symptoms) but also more general information (e.g. where an individual is calling in sick). This includes not only information on past or present health conditions, but also information concerning the person’s future health. This means that if an organization stores information about an employee who shows symptoms of coronavirus, that information is already health data under Article 9(1) GDPR. Therefore, data that the organization receives through self-declaration or questionnaires from employees or external parties in order to check the current health status is also sensitive data that requires protection. Entry controls and surveys related to specific occasions after business trips are also subject to special requirements, whereby, for example, a manual fever test without further processing of information would not constitute processing of personal data.