I am writing this for small business and compliance managers in Ireland as a short cover note to simplify the information on Data Protection and COVID-19 put out by the Irish Data Protection Commission this week. Other jurisdictions, in general, would follow the procedures but might identify the domestic law under which they process.
As an employer, you should be aware of information from the HSE that can be found at this link: https://www.hpsc.ie/a-z/respiratory/coronavirus/novelcoronavirus/
This is not intended to be legal advice but rather a broad guide to help those responsible understand the kinds of steps involved in managing data processing activities that involve special categories of data during a large-scale disease outbreak where public health is of concern. There are always nuances to situations that cannot be covered in such writings; therefore, you are advised to take specific advice on your own situation if you need to do so.
Whilst the Data Protection Commission covers a few general questions in their guidance, this is also in response to several questions asked directly to us such as:
1. One of our staff has been in contact with a confirmed case, do we need to notify the rest of our staff?
2. Our staff deal with vulnerable groups (health-wise), and one of our staff has been in contact with a confirmed case (and/or is a confirmed case), do we need to notify the rest of our staff AND our clients?
3. We have been advised to work remotely, how can we facilitate this?
Before getting into the lawfulness of processing and transparency requirements, it is necessary to highlight the absolutely crucial need for confidentiality and security of data. Unless you have an absolutely watertight and crystal clear justification for revealing the identity of a data subject who might be or is an affected individual, you should not disclose their identity to third parties or colleagues. And if you do need to reveal the identity of data subjects, every party receiving this information should receive it under a duty of high care and confidentiality. At this point, it would do you well to review your incident and data breach management policies and procedures to ensure you can adequately deal with unauthorised disclosures of personal data.
A short note on data minimisation and accountability: only collect what is absolutely necessary for the processing activity according to the purpose you have defined. Document every decision you have made and your rationale for making the said decision, as well as all disclosures made, as you manage personal data in order to fulfil your accountability requirements.
You are not permitted to process the personal data of data subjects unless you can show that the processing activity is lawful. How do you do this? As the person or organisation responsible for the data protection over the specific processing activities of recording this health-related personal data (which is a special category of personal data under Article 9), you must identify the legal basis under which you are processing. The Data Protection Commission has identified several options in its guidance note.
Primarily, at this point for Article 6 requirements, most employers will be processing under a legal obligation which would suffice for the processing of special categories of data as per the requirements in Article 9(2)(b). When we process under a legal obligation, we have to identify the law under which we are processing. The Data Protection Commission has identified that employers have an obligation under the Safety, Health and Welfare at Work Act 2005 (as amended) to protect employees and maintain a safe place of work. Please note the specific requirement of processing only once suitable safeguards as defined in section 36 of the Data Protection Act 2018 are implemented over the data processing activities. Note that until you are given the go-ahead to process with guidance or direction by a public health authority (or other relevant authorities) such as the HSE, you will be processing under a legal obligation.
Whilst the Data Protection Commission notes that it is permissible to process data to protect the vital interests of data subjects, they do highlight the fact that this typically applies ONLY in emergency situations WHERE NO OTHER LEGAL BASIS CAN BE IDENTIFIED.
To be absolutely clear on the point, employers seeking to manage the spread and effects of disease outbreak in the workplace will process questioning and notification type data under their legal obligation as identified in the Safety, Health and Welfare at Work Act 2005 (as amended).
Employers must provide employees, who enjoy the right to be informed, with a data protection notice that meets the transparency requirements of Article 13 of the GDPR. This information should not be overwhelming or written in legal or medical speak. In short, the data protection notice to employees for a disease outbreak type-specific situation, for processing activities based on a legal obligation in the workplace, should contain the following:
1. the controller’s details;
2. contact details of the data protection officer or compliance officer of the organisation;
3. the purpose of the processing and the legal basis, as discussed above;
4. any other recipients of the personal data;
5. transfers or intended transfers to territories outside the EEA;
6. the retention period for the data – how long you will keep it for – or, if you are not sure at this point, how you intend to determine that period;
7. whether or not the data subject enjoys rights associated with the data processing activity, and which rights those are;
8. details of the Data Protection Commission (or other applicable Supervisory Authority) and how to lodge a complaint;
9. the fact that the provision of personal data is a statutory requirement – an obligation under the law – with the possible consequences of failing to provide the personal data; and
10. whether, at any point in the data processing activity, automated decision-making or profiling is applied to the data subjects, in which case you will need to explain how decisions are being made and, furthermore, the significance and consequences of the processing.
On point 3, an example of a purpose for processing would be ‘we are obliged to keep the workplace safe for all employees’ where the basis would be identified as processing under a legal obligation as identified in the Safety, Health and Welfare at Work Act 2005 (as amended).
On point 4, who are the data processors, service providers or third parties with whom you share this COVID-19 related data, whether to an actual person or store within an application? Are your relationships with them compliant with requirements under the GDPR and Data Protection Act 2018? Are they in a state to receive such sensitive special categories of personal data? Primarily, are these relationships governed by a duty of confidentiality over and above your regular compliance obligations? Please note that if you do suffer a data leak or data breach, you will be asked to show that you did your due diligence and you were satisfied as to the compliance status of these recipients.
On point 5, you will need to identify as per point 4 if the data is transferred out of the EEA. Usually, this would be to cloud storage providers or applications on the cloud. You will need to ensure compliance obligations are met in that the transfer out of the EEA must be lawful as per Article 45 of the GDPR (‘adequacy’), Article 46 of the GDPR (‘appropriate safeguards’ such as the standard contractual clauses, binding corporate rules, approved codes of conduct, etc), or as per a derogation identified in Article 49 of the GDPR where you will have to demonstrate that transfer under the aforementioned is not possible.
On point 6, it might do to review your retention policy and schedules to determine whether or not you make provision to retain data in cases of disease outbreak and whether or not you would fall under official requirements to do so.
On point 7, the rights the data subject enjoys are affected by the legal basis identified for the processing activity. As you are processing under a legal obligation, the data subject would not enjoy the right to erasure, right to data portability, or right to object. The data subject does enjoy the right of access, the right to rectification and the right to restrict processing. Generally, rights requests should be dealt with within 30 days of receiving the request. It would be prudent to review your policies and procedures in this regard.
On point 9, it would be advisable to take expert HR and legal opinion specifically on the stance of the employer should an employee refuse to provide information required in order to adequately perform the data processing activity. In plain language, as an example, if an employee refuses to confirm travel history or contact with infected individuals, what are you going to do? Will you ask them to stay home, for example?
On point 10, note the profiling portion: where, for example, you might be ranking groups of people as low, medium or high risk, you will have to give the required explanations.
- Identify your purpose for processing and clearly explain it.
- Identify exactly what personal data you are going to need to fulfil your purpose and document the personal data required.
- Identify the legal basis under which you process and document it.
- Decide on your data retention periods and document them.
- Review the suitable safeguards you are implementing over the data processing activities and document them.
- Identify where and how data sharing will occur and ensure these relationships are managed in a compliant manner.
- Review your confidentiality provisions to ensure they are appropriate and up-to-date.
- Review any transfers of data out of the EEA.
- Ensure your data subject rights management and incident/breach management policies and procedures are up to date.
- Prepare your data protection notice for employees as per the checklist above and as per Article 13 requirements.
For some good business guidance and advice, please have a look at Teri Morris’s article at this link: https://www.impulsehub.ie/blog/getting-your-business-prepared-for-coronavirus
We are available for telephone- and video-consults on an hourly basis should you need assistance to fast-track your preparedness to deal with how you process health data. Please contact me on firstname.lastname@example.org.
Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.
Philipa is a qualified teacher, besides holding computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualifications. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.
Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but that privacy is paramount. Responsibly developed AI excites Philipa for the future.