There's no denying that COVID-19 has upended practically everyone's way of living. The outbreak has led to several "new normals" in the tech world, including an uptick in Zoom meetings, Slack chats, and VPN usage. For organizations that collect and process data, however, questions linger over whether there will be repercussions for failing to meet compliance obligations, such as responding to GDPR requests from individuals, in the shadow of the public health crisis.
Several data protection authorities from around the world went on record last week, vowing to protect personal data, whatever the cost, during the ongoing pandemic.
The European Data Protection Board issued guidance this week confirming that employers and health authorities may continue processing personal data in the face of an epidemic, provided GDPR safeguards are respected.
“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
An organization should process personal data without a data subject's consent only where necessary: for reasons of public interest in the area of public health, to protect vital interests, or to comply with another legal obligation (Articles 6 and 9 of the GDPR).
The UK's Information Commissioner's Office (ICO) promised last week that it would take a "reasonable and pragmatic" approach to data protection and would take the public interest in the current health emergency into account when it comes to compliance.
Despite the emergency, the government, the NHS, and health professionals still need to communicate with the public and use technology to spread public health messages, the ICO stressed.
"Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health," the ICO said in a statement last week, adding that delays in responding to information rights requests wouldn't be out of the question.
"We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won't penalize organizations that we know need to prioritize other areas or adapt their usual approach during this extraordinary period," the ICO said. "We can't extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."
In a separate notice to organizations, the ICO reminded stakeholders that data protection shouldn't be a barrier to working from home, nor should it prevent organizations from sharing employee health information with authorities as long as it's for public health purposes.
The Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), reiterated a similar stance last week. Whenever personal data is processed, it must be done in line with the already established principles, namely data minimization and purpose limitation.
Drastic times call for drastic measures, and the AEPD stressed that as well, pointing out that consent may not always be required for processing related to a pandemic.
"Emergency laws provide health authorities the powers to adopt necessary measures. Parties processing personal data must follow these instructions," the AEPD said. Personal data can be collected and processed for the control of an epidemic as long as the processing is in the public interest, protects the vital interests of an individual or individuals susceptible to infection, or complies with an obligation laid down by law - consider an employer looking to prevent future risk to personnel.
Ireland's Data Protection Authority echoed some of those sentiments even earlier this month, saying that any collection of personal data, including health data, should be informed by guidance from public health authorities. Specifically, organizations should observe the principles of lawfulness, transparency, confidentiality, data minimization, and accountability when managing data processing related to COVID-19.
"Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data," the DPA said.
Ireland, the UK, and Spain weren't alone in issuing guidance. The Belgian data protection authority and authorities in the Czech Republic, Lithuania, Norway, the Netherlands, and France were just some of the many other DPAs to share the conditions under which personal data, including health data, can be used in light of the coronavirus. Organizations should, of course, refer to their own country's DPA guidance, as the conditions can differ from country to country.