On Wednesday, 11 March 2020, the World Health Organisation (WHO) declared COVID-19 a global pandemic. That declaration requires public and private organisations to put in place preventative and safety measures to help control the spread of the coronavirus. As a result, organisations will need to implement new policies, practices and procedures in their daily office and other commercial routines. Some of these will involve processing personal data that is subject to data protection or privacy laws.
Here are some typical activities that organisations have implemented as preventative and safety measures regarding COVID-19:
In addition, governments have implemented the following preventative and safety measures:
All of these activities involve processing personal information, including potentially sensitive health-related information, that is subject to data protection or privacy laws.
Organisations need to ensure that these activities are done in a way that complies with relevant data protection or privacy laws and that complies with relevant employment and workplace safety and health laws. Here we consider data protection / privacy compliance.
Generally, there are laws or regulations that govern the collection, use, sharing, storage, disposal, disclosure or transfer of personal information. They need to be reviewed to determine whether, and to what extent, they permit the types of activities listed above, and what steps may need to be put in place to comply with them. Non-compliance can expose your organisation to administrative sanctions or criminal proceedings, depending on the jurisdiction.
The Member States of the European Union and other countries in Europe, including the UK, Switzerland, Liechtenstein, Iceland and Norway, have data protection / privacy laws. Countries in the Asia Pacific region, such as Singapore, Malaysia, the Philippines, Hong Kong, Macau, Taiwan, Australia and New Zealand, have data protection / privacy laws too, while the People's Republic of China has best practice guidelines (namely, the Personal Information Security Specification).
Indeed, globally as at 31 January 2019 there were 132 countries with data protection / privacy laws and at least 28 other countries had official Bills for such laws in various stages of progress.
In most countries (although not in Singapore and Malaysia) the laws apply to both public / government and private organisations. In Singapore and Malaysia, there are other (but reportedly similar) rules to follow when governments process personal information.
Information about an individual's health status, and medical information about them, is almost universally treated as sensitive data, because how it is handled may affect the individual's well-being, in particular if details are disclosed against their wishes.
Generally, countries classify health and/or medical data or information as "sensitive personal information" or use a similar term indicating that it requires special treatment. The starting point is that they prohibit processing of sensitive personal information. Then it is allowed only where certain conditions are satisfied or where there is an applicable exemption from such prohibition.
Organisations must comply with data protection / privacy laws and regulations when they process health and/or medical information - including health status - for the purpose of preventative and safety measures to mitigate COVID-19 risks.
When developing and implementing preventative and safety measures to mitigate COVID-19 risks, organisations must take into account the data protection / privacy risks that may arise and the controls needed to mitigate them. They must consider the entire life-cycle of the personal data: its collection, its use and any disclosure of it, the care taken with it at each of those stages, and its storage and, ultimately, its disposal.
All data protection / privacy laws and regulations include principles and requirements in connection with the collection, use, disclosure and storage (including disposal) of personal data. These principles generally carry the heaviest fines or penalties in the event of any compliance failure.
The data protection / privacy laws and regulations do not prescribe exactly what organisations need to do. If they were prescriptive there would be a "one-size-fits-all" approach and many organisations would likely find that they could not carry on their operations efficiently and effectively. Instead, the data protection / privacy laws and regulations provide organisations with flexibility by providing a range of principles. Organisations can implement them in a way that is most appropriate to their own circumstances and context.
However, the starting place is always that an organisation needs to work out what personal data it collects, at what collection points (for example, at service counters or by online forms) and for what purposes. Then it needs to know how the personal data flows internally through the organisation for each processing activity required to fulfil the relevant purpose.
This is the baseline information the organisation needs in order to ensure that, at each stage - collection, use, disclosure and storage (including disposal) - it complies with all applicable data protection principles. In summary, the organisation needs this baseline information so that it can assess the risks of non-compliance, devise and implement appropriate risk controls, and then document them in its internal data protection policies and standard operating procedures (SOPs). The outcomes will be described in the Data Protection Notice or Privacy Notice (often misdescribed as a Policy) that it typically posts on its website.
The first step in enabling an organisation to comply with applicable data protection / privacy laws and regulations is to determine very clearly the purpose or purposes of processing personal data. This needs to be done for each of the activities that the organisation will undertake. Given the special rules that apply to processing sensitive personal information, this is especially necessary when it comes to processing health and/or medical data or information.
The second step, which depends on certainty in the first step, is for the organisation to determine whether the identified purposes are compliant with the principles in the applicable data protection / privacy laws or regulations. For example, the organisation must determine whether each purpose has a legitimate basis, and whether the personal data it collects is fair and proportionate, or excessive, in relation to each intended purpose.
In practice it is not uncommon to discover a disconnect between the baseline information about what personal data is collected and the purposes for which it will be used: that is, to discover that excessive personal data, or personal data that is not relevant to a specific purpose, is collected, and/or that there is no legitimate basis for collecting it. Collection of such excessive personal data needs to cease, and the organisation needs to securely dispose of any excessive and/or illegitimately collected personal data collected in the past.
The following are typical examples of how personal information collected in connection with COVID-19 preventative and safety measures is processed at each stage of the information life-cycle. They are likely to apply to most, if not all, of an organisation's COVID-19 preventative and safety activities intended to protect other individuals from infection or to trace individuals who may have been exposed to infection:
Organisations must ensure that they assign clear responsibility to a specific member of staff and/or department for processing personal data in relation to COVID-19 preventative and safety measures. This includes assigning clear responsibility for the organisation complying with applicable data protection / privacy laws or regulations.
Such compliance must not be overlooked in the understandably harried environment that organisations face in dealing with COVID-19. And it cannot be a case of "I thought someone else was doing that".
Article contributed by
Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP), Lyn Boxall (FIP, CIPM, CIPP/A, CIPP/E, GRCP, GRCA) and William Hioe (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP)