The COVID-19 epidemic has brought about many changes in society and the way we work, but the only ones we’ll be discussing today are those changes related to data protection and coronavirus. More specifically, how it relates to customer data and employee data, so that you know what you can and can’t do.
Because there ARE changes to normal ways of treating data/information, and you should be aware of them.
Personal/ Customer Data and Coronavirus
During an epidemic such as COVID-19, data protection norms do shift somewhat. Governing bodies understand that resources that would usually be directed towards compliance are diverted to other, more pressing areas.
Something we’ve spoken about previously in GDPR after Brexit, consent is the pivotal factor in data protection.
However, during times of crisis, consent may not need to be ascertained for the sharing of data.
What does this mean data protection and coronavirus?
Well, the loosened regulations do not mean you can begin treating sensitive information with wanton disregard for privacy.
You must continue to comply with data protection laws and treat data as the sensitive information it is.
Data that you deem necessary to process must only be done so for specified and explicit purposes. Not only that, but those from whom you’ll process data must be informed what will happen to this data:
- Processing activities carried out.
- Purpose of obtaining data.
- Retention period.
Factors such as processing activities and retention period are extremely important when it comes to data storage, a complex issue made simple in our free webinar: GDPR Compliant Data Storage. Feel free to watch the recording we made for anyone who missed it and could do with a few pointers on:
- How to store data
- Where to store data
- Should data be deleted? When?
- What if data can’t be deleted?
Incorrect processing or treatment of data with regards to any of these aspects of data protection has and will lead to fines, take a few minutes to make sure you’re not one of those who get caught out.
In regard to mobile location data, EU member states may use geolocation for reasons such as public health messages in a specific area, warning people about developments with COVID-19.
The important aspect here is that data must be anonymised, meaning that individuals cannot be re-identified.
Healthcare Services, Consent & COVID-19
Health organisations are permitted to send messages to the public, this doesn’t violate data protection laws because:
- a) there’s a pandemic, special circumstances in times of crisis.
- b) these messages are not direct marketing.
The European Data Protection Board (EDPB) has stated that in a state of emergency (as caused by COVID-19), there is ‘a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period’ (source).
What does this mean for GDPR in an emergency situation/pandemic?
GDPR has provisions for the processing of sensitive data in times like this, so there are changes that you should be aware of.
Example of GDPR change due to coronavirus
When the processing of data is necessary in the interest of public health, there is no need to rely on consent of individuals.
Provisions that come into play during times of crisis change the norms of how data is treated, just look at this quote from the EDPB.
‘The processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.’
Data protection and employee health & well-being
- Is an employer allowed to ask for specific health information related to the pandemic?
YES, limited to what is allowed by the national law in the country in which you are operating.
- An employee has coronavirus, are you allowed to inform other employees in order to protect them?
YES. In these cases, common sense has to be used. Yes people’s privacy must be protected, but not at the expense of the health of those around them. Don’t provide more information than is necessary, that way, you can keep all parties happy.
Something we mention in our latest webinar on remote work and data protection, employees should be informed if someone in the team has contracted coronavirus.
Instead of saying, ‘John Smith has coronavirus’ and turning poor John into the office pariah. A more diplomatic solution would be to tell the team that somebody on the fourth floor has contracted COVID-19.
This way, John retains a degree of privacy whilst you as the employer fulfil your obligation to protect your employees health.
- What information is permitted to be processed related to coronavirus?
Only the personal information related to workplace activities/ duties, in accordance with the law of the country in which you are operating.
Coronavirus & data protection confusion
There has been some confusion with regards to what data is considered essential to be collected and shared.
France and Italy are in direct contradiction to the UK, Denmark & Ireland. The former have stated that by no means should employers actively collect information regarding employees (and their families) health and travel history. The latter has said it can be collected and disclosed under GDPR, but to stick to limitations of restrictions.
The lack of consistency can make things a bit complicated, so the table below provides a quick snapshot of what is happening in different countries with regards to collecting employees coronavirus related data.
|Location(s)||Are they collecting employee data related to COVID-19?||Special considerations|
|France & Italy||No||None|
|Denmark & Ireland||Yes||Assess whether data collected can be legitimately processed|
|UK||Yes||Abide by normal safeguards & don’t ask for more than is necessary|
The EDPB has made things much clearer, providing the information is specific, where employers may have a legal duty to report health concerns to a public health authority, companies would not be bound by the GDPR when they need to pass on relevant or requested information.
The consideration that needs to be made is around the word specific, for example, you CAN ask if someone would be a potential threat to others, but health questions should be limited to those legally allowed in the country that you’re in.
When it comes to data protection and coronavirus, it’s really about common sense. If data treatment feels excessive, then chances are, it is.
Effortless Data Protection Compliance
You can make data protection compliance effortless and ensure you don’t get hit with surprise fines by taking a look through the free resources we’ve made available to you, we’ve got everything you could possibly need to know on the subject of data protection in the form of:
- Pridatect Academy with webinars led by industry experts, ebooks if you prefer to download and read through some useful information in your own time and articles from our in-house industry experts such as Lisa Hoffman, DPO at Pridatect.
- Request a demo that we’ll set up for you, given at a time of your choosing. See for yourself how the software can actually benefit you and your company.
Find out what data protection risks your company is exposed to when working from home with our webinar: GDPR Risks When Working From Home.