Since the COVID-19 pandemic began everything has been moving at breakneck pace and there has been little time to consider how it impacts the European Union’s General Data Protection Regulation (GDPR).
It is understandable, and perfectly reasonable, to expect that organizations and authorities will be required to process personal data during the crisis as they attempt to assist anyone suffering as best they can. Even though data authorities are expected to be reasonable when it comes to the processing of data and potential breaches of private information, there are a number of key conditions which must be in place at all times.
It is vitally important to ensure that data protection measures do not prevent individuals and groups receiving the appropriate amount of care during the crisis, and data processing will likely need to take place for this to occur. However, all steps and policy decisions made that involve the use of personal data should be necessary, proportionate and formulated using the guidance provided by the appropriate authorities in that specific jurisdiction.
Key GDPR Considerations During COVID-19 Pandemic
1. Legal Basis for Processing Data
There are a number articles in the legislation that allow for processing of personal private data during a crisis such as this. For instance, if a public health authority issues guidance to complete a specific task or provides a specific treatment, then Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 allows for the processing of personal data, including health data.
However, this is only legal if the appropriate security measures are implemented (more on this below). These measures would include:
- A clear defined period and rules for access to the data
- Strict time limits for data
- Training staff to ensure that they are aware of their GDPR obligations
2. Employer Obligations During COVID-19 Pandemic
Employers must allow the processing of personal data if it is to protect their employees – as per the Safety, Health and Welfare at Work Act 2005 and Article 9(2)(b) of GDPR – if it is deemed a necessary and proportionate step.
In tandem with these obligations, all personal data processed must remain confidential to avoid breaches occurring. For example, it should be never be disclosed if a member of staff or their family are currently suffering from coronavirus nor should enough information be provided to allow for the identity to be ascertained.
3. Processing Data in Relation to Incapacitated Individuals
There is a legal basis to processing the private personal data of an individual if it can be shown that this is in their best interests or the best interests of another party. For example, if a person is either physically or legally incapable of providing their consent, then their data may be processed using this basis.
However, this is only acceptable if there is no other legal basis for processing the data and this is only valid in emergency situations.
4. Recording of Data Processing
Anyone processing data (data controllers) must record the decision-making process for implementing data processing steps during the current crisis. A clear record of this should be maintained so it may be referred to at a later date if any issues are to arise.
This will also allow this process to be 100% transparent. It is crucial to include the purpose of the data processing and state how long the data will be retained for. If there is any query in relation to this then the above can be provided to data subject in a concise, easily accessible and easy to understand way.
5. Confidentiality of Individuals
No one may be made aware of the identity of any impacted individuals unless there is a clear and carefully reasoned basis for doing so. If an identity is disclosed then this must be done in a way that maintains the security of the data.
This is more achievable by ensuring that only smallest amount of data possible is made available to achieved the aim of the disclosure.
A number of data authorities have made more information available in relation to GDPR during the COVID-19 Coronavirus pandemic. You can read these on the links provided below:
- Data Protection Commission (Ireland): Data Protection and COVID-19
- Informations Commissioner’s Office (UK): Data protection and coronavirus: what you need to know
- Citizen’s Information (Ireland): Your employment rights during COVID-19 restrictions
- European Data Protection Board: Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak