The General Data Protection Regulation ((EU) 2016/679) (GDPR) already contains provisions that allow competent public health authorities and employers to process personal data in the context of an epidemic, provided this is done in accordance with national law and within the conditions set out in the legislation. Recital 46 of the GDPR specifically refers to the control of an epidemic.
Public Health Authorities
There are some instances where public health authorities will not need to rely on the consent of individuals in order to process their personal data. This could be where processing falls under the public authority's legal mandate, where it is necessary for reasons of substantial public interest in the area of public health, or where it is necessary to protect an individual's vital interests.
The processing of personal data may also be necessary for employers in order to comply with a legal obligation. This could be an obligation relating to health and safety at the workplace, or to the public interest, such as the control of diseases.
The GDPR also foresees circumstances in which the prohibition on processing certain special categories of personal data, such as health data, may be lifted: where processing is necessary for reasons of substantial public interest in the area of public health, or where there is a need to protect the vital interests of the data subject.
Retention of core principles
While setting out the above potential modifications to how some personal data could be processed in light of COVID-19, the European Data Protection Board has also sought to remind all data processors and controllers that it is essential that the core principles of the GDPR are still observed during this time, and has further underlined that:
- Only personal data that is necessary to attain the objectives pursued should be processed, and only for specified and explicit purposes.
- Data subjects should receive transparent information on any processing activities that are being carried out, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
- Adequate security measures and confidentiality policies should still be implemented, ensuring that any personal data is not disclosed to unauthorised parties.
It is important to note that any new measures implemented to manage the current COVID-19 emergency and the underlying decision-making process must be fully documented.
Use of mobile location data
The European Data Protection Board has also offered some guidance on using mobile location data as a possible way to monitor, contain or mitigate the spread of COVID-19. This could be by geolocating individuals, or by sending public health messages to individuals in a specific area by phone or text message.
The European Data Protection Board has underlined that public authorities should first seek to process location data in an anonymous way, as personal data protection rules do not apply to data which has been appropriately anonymised.
Where it is not possible to process only anonymous data, legislative measures could be introduced authorising the processing of non-anonymised location data in order to safeguard public security. It is important to note that, in the event of such measures, adequate safeguards must be put in place and the measures would be limited to the duration of the COVID-19 outbreak.
For more information on this issue, Emily Steed can be contacted at firstname.lastname@example.org