Here are some general tips that your organisation can follow at each stage of its activities relating to COVID-19 preventative and safety measures. They incorporate common data protection / privacy principles.
These tips are intended as a general guide to raise awareness of general data protection / privacy principles. They reflect the operational requirements under most, if not all, data protection / privacy laws and should be supplemented by legal advice on data protection / privacy laws and regulations that apply to an organisation in a specific jurisdiction.
Collection Stage
- Explicit consent is generally not required for the collection, use and disclosure of personal data to respond to an emergency such as COVID-19, for example for contact tracing of individuals.
- Do your due diligence and put in place strong contracts with vendors engaged to collect personal information on behalf of the organisation (for example, security staff engaged by it to regulate entry into the organisation's premises).
- Put up notices where there is a requirement to inform individuals about the screening the organisation is doing, whether that is requesting travel and health declarations, taking temperatures, or using CCTV or other surveillance equipment. Notices are often a good idea even where they are not a legal requirement.
- Be transparent and inform individuals what the information will be used for where there is a legal requirement to do so. Again, this is often a good idea even where it is not a legal requirement.
- Collect only such personal information as is necessary. Minimise the personal information collected and make sure that it is not excessive.
- Remove fields in travel or health declaration forms that are not related to fulfilling the specific purposes for which the personal information is collected. Is the personal information really needed? Are there less intrusive ways to find out necessary information?
- Ensure there is a valid reason (or legal basis) for collecting each item of personal information sought by a travel or health declaration form. If it is not needed for the specific purpose for which it is being collected, do not collect it.
- Be ready to address questions relating to how an individual's personal information will be used, disclosed and/or stored (including when the organisation will dispose of it).
Use / Processing Stage
- Be ready to explain any processing of personal information, particularly where sensitive personal information is processed.
- Take steps designed to ensure that all personal information processed is accurate, relevant and up-to-date. Verify the information with the individual from whom it is collected.
- Be careful when transcribing handwritten information provided by individuals.
- Maintain the confidentiality of the personal information being used / processed and make sure that it is used / processed only on a need-to-know-basis, especially if an individual is suspected to have contracted the virus, is undergoing quarantine or is being tested.
- Do not disclose any personal data unnecessarily. It may, for example, be permissible to disclose it to government health authorities and/or to private hospitals and clinics, but not more broadly. Consult your compliance or data protection officer if you are unsure whether a disclosure is consistent with the basis on which the personal information was collected.
- Only disclose personal information to the extent necessary even when sharing data within an organisation (for example, with a headquarters department or with a branch office).
- Refrain from sharing any personal data relating to specific individuals on social media (such as photos, video or audio clips), in line with your internal data protection and social media policies.
- Do not discuss the health condition of any individual in public or in areas where you may be heard. In short, don't gossip!
- Do your due diligence and put in place strong contracts with vendors or other third parties to whom personal information is disclosed, including where it is transferred to an entity in another country. This applies equally to vendors hired to collect personal data on behalf of the organisation.
Storage/Disposal of Personal Information
- Protect all personal information whether being sent by email or stored in physical or electronic records. This includes any hard drive or log books used by an organisation and/or by its vendors.
- Be aware of where all records are kept or stored, including records on shared network drives and records used and stored in freely available SaaS services.
- Put in place access controls, especially for remote workers. This includes any sharing or storage on a public cloud.
- Refrain from using scraps of paper to record personal or sensitive information, especially information collected from members of the public.
- Delete or dispose of personal information once the relevant activity has been completed and the purposes for which it was collected have been fulfilled.
Article contributed by Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP)