COVID-19 and Data Protection Compliance

Following theoutbreak of COVID-19 and its development into a global pandemic, organisations have been implementing exceptional measures to safeguard employees, customers and others against the health threat that is being posed.¹ Organisations are also endeavouring to maintain 'business-as-usual' to the extent allowed by their particular circumstances.

As a result of these extraordinary efforts, organisations are collecting and processing new types of information about individuals, including whether individuals are displaying symptoms of the virus, the health status of individuals within the same household, the results of any COVID-19 testing, and the various locations individuals have visited since the outbreak started.

A large proportion of the new information being collected by organisations will fall within the categories of "personal data" and "special categories of personal data", the use of which is subject to strict compliance requirements in the European Union ("EU").²

Accordingly, we have set out an overview of some of the key issues for organisations to consider during this crisis, from an EU data protection compliance perspective:

1. Information collected from individuals relating to COVID-19 is likely to be considered "personal data" and/or "special categories of personal data".

In an effort to manage the impact of the COVID-19 outbreak, and to ensure that the decisions being taken are fully informed, organisations may be collecting information from personnel that would not typically be collected.

For example, in addition to the new types of information identified above, organisations may collect information such as whether personnel have self-isolated, body temperature of personnel and visitors to premises, and device location data. All of this information would be considered personal data, and as much as it pertains to individuals' health, it would also fall within the sub-category of "special categories of personal data" ("SCD").

The processing of personal data and SCD is subject to strict compliance requirements imposed by the General Data Protection Regulation ("GDPR") and local implementing laws, such as the UK Data Protection Act 2018.³

2. Organisations should consider undertaking a DPIA before collecting personal data and/or SCD from individuals relating to the coronavirus disease.

As a preliminary matter, organisations should consider undertaking a data protection impact assessment ("DPIA") prior to collecting any personal data and / or SCD from individuals relating to COVID-19.

A DPIA is intended to help organisations understand the risks associated with particular data processing activities and the measures that can be taken to mitigate such risks. A DPIA will also help to inform the changes that may be required in other data protection-related compliance documentation within the organisation (e.g., privacy notices and records of processing activities).

The GDPR requires organisations to undertake a DPIA if the processing is likely to result in a high risk to the rights and freedoms of individuals.⁴ Additionally, guidance issued by data protection regulators suggests that a DPIA should be performed where a processing activity involves biometric data, genetic data and/or tracking data.⁵

If an organisation has already started to process this new personal data and / or SCD without undertaking a DPIA, and such processing activity is likely to trigger the requirements for a mandatory DPIA, organisations should perform one as soon as possible. Even if a DPIA is not mandatory, organisations should nevertheless consider the benefits of undertaking one to help ensure that all relevant risks are being identified and mitigated.

3. Organisations should understand what personal data and/or SCD is required from individuals for the purposes being pursued.

Organisations may be tempted to collect as much information as possible from individuals relating to the coronavirus outbreak; however, the GDPR requires that organisations only collect as much personal data and / or SCD as is strictly necessary for the purposes being pursued.⁶

Prior to collecting any personal data and/or SCD from individuals, organisations should have a clear purpose in mind, as well as a clear understanding of what personal data and/or SCD, and level of detail, is required to fulfil this purpose.

For example, if organisations are making a decision on whether personnel should be self-isolating at home, it may be sufficient to ask questions – such as whether the relevant individual, or anyone within the individual's household, is displaying symptoms of COVID-19 and/or within a group of individuals at increased risk of severe illness from COVID-19 – on a 'yes' or 'no' basis, (as opposed to asking for detailed and specific information).

Adopting such an approach is beneficial from a data minimisation perspective and also ensures that the organisation does not retain detailed sensitive information about its personnel, which would create a potentially significant compliance exposure. In addition, organisations should ensure that the personal data and/or SCD collected are stored only for as long as necessary.⁷

4. Organisations must have an appropriate legal basis for processing the personal data and/or SCD collected from individuals relating to the coronavirus disease.

The GDPR requires organisations to have a legal basis for processing personal data.⁸ In the context of processing personal data relating to COVID-19, organisations may be able to rely on the following lawful bases:

• Legitimate interests: organisations may consider it necessary to process personal data relating to its personnel (and other individuals) for the purposes of its legitimate interests in managing business continuity and the well-being of individuals with whom it interacts. Any such organisation must accordingly consider whether its interests outweigh the interests or fundamental rights and freedoms of the individuals whose personal data are being processed. Further, it is recommended that any such organisation first conduct a legitimate interests assessment;⁹
• Contractual necessity: where processing of personal data relating to the coronavirus disease is necessary for an organisation's performance of its obligations to employees under the employment contract (whether express or implied terms), such as an obligation to ensure the health, safety and well-being of employees, then such processing may be justified; and/or
• Legal obligation: depending on the applicable law, organisations may have legal obligations relating to health and safety, and it may be possible to justify certain personal data processing activities on the basis of these legal obligations.

There may also be other country-specific legal basis on which organisations can rely to ensure the processing of personal data is compliant with data protection law.

In addition to identifying a lawful basis for processing personal data, if the personal data at-issue falls within the category of SCD (which is likely in this context), then a further condition must be satisfied. Of the existing further conditions, the following are the most likely to be relevant:

• Employment-related obligations: as noted above, an organisation may be subject to certain obligations under employment law in respect of which the processing of SCD relating to COVID-19 may be justified;
• Preventative or occupational medicine: an organisation that is acting on the advice of its medical advisors may be able to justify the processing of SCD relating to COVID-19 if it is necessary for the purposes of preventative or occupational medicine; and /or
• Public interest in the area of public health: if an organisation is acting on the advice of public medical advisors, it may be possible to rely on this condition to justify the processing of SCD relating to the coronavirus disease.

Consent from personnel is generally not regarded as freely given (and is therefore invalid) due to the apparent imbalance in power between the organisation and the individual; relying on consent as the legal basis for processing is unlikely to be considered compliant with the GDPR.

5. Review and update privacy notices as necessary.

Organisations should review existing privacy notices to ensure that these provide the necessary information regarding the data being collected and the purposes of processing.¹³

If an organisation is collecting new categories of personal data and/or SCD from individuals and using such data for new purposes, it will likely be necessary to update privacy notices to reflect the new changes in the collection of data from individuals.

6. Other issues to consider from a data protection compliance perspective.

There are a number of other issues that organisations need to consider from a data protection compliance perspective, including:

• Disclosure of COVID-19 cases to personnel: as part of the obligation to ensure the health and safety of employees, employers may (subject to requirements of applicable law) inform personnel about COVID-19 cases. Disclosure of such information should be limited as much as possible. If it is necessary to disclose the name of the personnel who has contracted COVID-19 (and this is otherwise permitted by applicable law) to enable other personnel to take appropriate protective steps, the personnel who has contracted the virus should first be informed of the intended disclosure;¹⁴
• Responding to individual rights requests: it is likely that an organisation's efforts and attention may be focused on tackling the implications of the coronavirus outbreak, but care should be taken to avoid failure to meet deadlines associated with responding to individual rights requests. If an organisation is concerned that it may not be able to meet such deadlines, this should be communicated to the relevant individuals as soon as possible;
• Local law requirements and guidelines: EU Member States each have their own data protection laws which should be considered when processing personal data and/or SCD, together with any guidance issued by local regulators;
• Remote working policies: with many organisations encouraging, or mandating, individuals to work remotely, now would be a good time for organisations to review and (if necessary) update remote working policies, and to remind personnel of the requirements of these policies;
• Data security: in light of the current context, it will be particularly important for organisations to maintain a close watch on system security and developing cyber threats.¹⁵ Personal data and SCD must be adequately safeguarded, and the more sensitive the data that are being processed, the more robust the applicable security measures must be to protect such data.¹⁶ Additionally, organisations must ensure that they continue to meet the deadlines for notifying data protection regulators (and individuals, as necessary) of personal data breaches that trigger the notification requirement;
• Third-party data sharing: it may be necessary to share the new personal data and/or SCD being collected with third parties (e.g., IT service or healthcare providers) for data processing purposes, or in relation to certain contractual obligations (e.g., under insurance contracts). Care should be taken when doing so, and where appropriate, data processing agreements compliant with the requirements of the GDPR should be entered into with the relevant third parties.

7. Monitor regulatory guidance issued in response to the coronavirus outbreak.

Data protection regulators have shown that they are aware of the challenges being faced by organisations in responding to this evolving crisis and the associated data protection compliance obligations.

The European Data Protection Board ("EDPB") has stressed that data protection laws in the EU do not, and should not, hinder the response to the COVID-19 pandemic, and has issued a reminder to all organisations subject to the GDPR that they must remain compliant with their obligations under the GDPR (and associated legislation, such as the ePrivacy directive). The EDPB has also acknowledged that an emergency such as this is a "legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period."

The UK Information Commissioner's Office ("ICO") has also issued guidance on compliance with UK data protection law in the context of the COVID-19 virus outbreak. Interestingly, the ICO acknowledges that organisations may find it difficult to adhere to usual data protection compliance standards as resources are diverted away from data protection compliance. The ICO appears to be sympathetic to this challenge and suggests that enforcement action may not be taken against organisations failing to comply with their obligations. This is a welcome concession from the ICO; however, we expect the scope of the flexibility being afforded to be construed very narrowly.

Organisations should continue to monitor guidance issued at a European-level by the EDPB, as well as the guidance of national data protection regulators in the countries in which organisations have a presence.

_{1 The World Health Organization declared the coronavirus disease (COVD-19) outbreak a pandemic on 11 March 2020.
2 For more information on the various compliance requirements imposed by the EU General Data Protection Regulation on organisations processing data, please see our GDPR Handbook.
3 For further information on the local laws implementing the GDPR in each EU Member State, please see our GDPR Guide to National Implementation.
4 See Article 35 of the GDPR.
5 See guidance issued the UK Information Commissioner's Office, as well as guidance issued by the European Data Protection Board on the types of processing activities that are likely to trigger the requirement to conduct a formal DPIA.
6 See the principle of data minimisation set out in Article 5(1)(c) GDPR.
7 See Article 5(1)(e) GDPR.
8 See Article 6 GDPR.
9 See the ICO guidance on conducting a legitimate interests assessment.
10 See Article 9 GDPR.
11 The UK Secretary of State for Health confirmed that the GDPR does not prohibit the use of personal data for responding to the COVID-19 virus outbreak, and noted that it was in the "overwhelming public interest". This position is also supported by the European Data Protection Board in its Statement on the processing of personal data in the context of the COVID-19 outbreak.
12 See the European Data Protection Board Guidelines on Consent under Regulation 2016/679, in particular, section 3.1.
13 Articles 13 and 14 GDPR set out the information that must be provided to individuals in privacy notices.
14 The position is supported by the European Data Protection Board in its Statement on the processing of personal data in the context of the COVID-19 outbreak.
15 In the wake of the COVID-19 pandemic, there has been a significant rise in COVID-19 related malware and phishing scams (as detailed here and here).
16 See Article 32 GDPR.
17 See Article 33 GDPR. Organisations subject to the NIS Directive, and relevant national implementing legislation, should also remain cognizant of the breach notification obligations imposed by this law.
18 See the European Data Protection Board Statement on the processing of personal data in the context of the COVID-19 outbreak.}

Khadija El-Leithy (White & Case, Trainee Solicitor, London) contributed to the development of this publication.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP