It’s always in the news. It’s trending on social media. Above all, it has sent half of humanity back home and sealed the doors. Yes, it’s the nCOVID-19 virus. It has been spreading fear ever since it started travelling across continents. The world is slowly coming to a standstill and we still don’t have the complete picture in the context of dealing with this.

With the current situation, we can see an exponential growth in the number of cases where it is essential for public and private organisations to process a huge amount of personal data, without an individual’s consent.

During this time, we are faced with a pressing question:

Which do you think should take priority?

Protection of pandemic victim’s identity to safeguard their dignity

or

Identifying the potential victims who might have faced exposure, by processing the pandemic victim’s personal data

European Data Protection Board (EDPB) clarifies that no ordinance will be an obstacle to the medical mitigation during a pandemic.

They adopted a policy on 19 Mar 2020 easing the data protection burden amidst the battle against the COVID-19 pandemic, while the data processor and controller must continue to ensure the protection of personal data of data subjects, the victim.

Let’s walk through highlights of the policy:

Health officials

  • GDPR is a broad legislation which takes care of epidemic situation, which gives the liberty to the public health authorities to process personal data without relying on the consent of individuals in accordance to the nation law and rules applicable to them.
  • In addition to GDPR, ePrivacy Directive must be followed when electronic data such as location are to be processed. Under the provisions of this Directive, the Member States can introduce emergency legislative measures to safeguard public security under the criteria it’s a necessary, appropriate and proportionate measure within a democratic society.
  • Under this directive and GDPR, the public authorities should first attempt to process the electronic data by anonymous means. For instance, mobile phone towers can be used to trace the distribution of mobile devices such that whenever crowding takes place, the officials are alerted based on this information. This way, the information is processed anonymously. As this is anonymized data, data protection rules do not apply.
  • In case, when processing of anonymized data is not adequate, under ePrivacy Directive, Member States are mandated to put in place adequate safeguard measures (right to judicial remedy) as a part of the emergency legislation before processing non-anonymized electronic communication data, for instance, emails, messenger data etc., is processed.
  • Invasive measures of “tracking” of individuals could be taken in proportion to the risk and need where an exceptional case can be considered.
  • Any measures adopted in the event of emergency must be documented appropriately.
  • These emergency legislative measures will become obsolete after the pandemic event subsides as controllable.

Employers

In a workplace when any individual is infected, the employers could proceed to analyse and evaluate the personal data of the affected employees, without compromising on the privacy of an individual’s personal data. So here,

The data processor is the employer

The data subject is the affected employee

 

                                       

                                    

The personal data being processed is the health data of the data subject

  • The overall idea is that competent employers, who can ensure data integrity at all levels of processing, can process the special categories of data like health data of the employees without individual’s consent for the obligations of safety of the workplace and control of spread of the disease.
  • While the personal data processing without prior consent is allowed, it’s the responsibility of the data processor to ensure that it does not reach any unauthorized parties.
  • The personal data must be processed for specific and explicit objectives. If the data subjects, employees in this case, demand to know the details of processing activities, they should receive clear and accessible information on the activities in plain language on demand.
  • The employer should weigh the risk against need and ensure minimal data is obtained, particularly when collecting health information in the context of COVID-19.
  • The employer can perform medical check-ups on their employees only under the legal obligations of the nation.
  • An employer must inform the staff about the COVID-19 cases and can reveal their name and no more information than what is deemed necessary.

In a nutshell, if we need to process personal data to aid in mitigation, we can do so without compromising on an individual’s dignity. This is intended to help the direct and indirect touch-point organisations who need to be compliant yet execute a swift mitigation plan.