Touchpoint Logo dark grey

Personal data during a pandemic

Suddenly, the world came to a standstill. What few expected to happen in these modern times of constant global travel and interconnectedness has happened. COVID-19 has prompted governments to close national borders, cancel public and private group gatherings and events, and introduce drastic measures to combat the invisible enemy. Many companies have adopted a work-from-home policy. As if in the background compared to the danger of the disease, the thought of privacy and data protection remains. In connection with this, however, questions of a different nature arise.
  1. What can employers do to control the spread of the virus and mitigate its effects, including what additional data they can process on their employees?
  2. How can employers ensure good data protection practices when employees work from home?

The truth is that even in times of crisis (perhaps especially in times of crisis) the laws still apply. Including those concerning data protection. However, the law allows organizations to process additional data to support public health efforts by keeping employees safe and healthy, provided certain safeguards and requirements are met.

This is the interpretation of the Commission for the Protection of Personal Data regarding the personal data in declarations that the Ministry of the Interior collects during the state of emergency in the Republic of Bulgaria. The legislation on the protection of personal data allows the possibility of limiting the scope of the rights and freedoms of citizens under the conditions of Art. 23 of Regulation (EU) 2016/679. According to the Commission, citizens should be reassured that the possibility of limiting their rights, including and the right to the protection of their personal data, does not lead to their violation, because the Ministry of the Interior can only process the data for the purposes of the Law on measures and actions during the state of emergency and should guarantee the security of the processing of the personal data contained in the declarations , through the application of appropriate technical and organizational measures. Whether and in what way the Ministry of Interior will fulfill this requirement of the law remains to be seen.

In the specific case, the measure imposed by the Ministry of the Interior is necessary and proportionate in order to guarantee:

– public health;

– the prevention of crimes (what is the act under Article 355 of the Penal Code), including the prevention of and the prevention of threats to public security, which is undoubtedly the threat of the spread of the virus.

Today, 04/04/2020, the government also presented the new Virusafe application, which will connect patient-doctor-hospital-Ministry of Interior. Through it, users voluntarily provide information about their current health status and, if they wish, fill in data about their chronic diseases.
The information will be collected in a central register and will be sent to state bodies such as local health inspectorates, national headquarters, private doctors, hospitals, the Ministry of Internal Affairs, border police, etc. Only the institutions will have access to the register itself, and that will be the case but only with a digital certificate. The companies that developed the app have confirmed that they will not have access to personal data. GPs will then contact at-risk patients and advise them whether they will need to stay at home or need to be admitted to hospital.

The purpose and importance of the proper use of data to fight the pandemic is clear. But what will happen to the data after the state of emergency is lifted, and how will the developed application continue to function when the need to collect this sensitive data ceases?

And speaking of the protection of the public interest, we cannot fail to touch on the subject of the grounds for data processing by administrators – private entities, when processing medical data related to the COVID-19 outbreak.

A frequently asked question by governments and employers is related to the collection and use of medical data, such as body temperature readings.

One of the basic principles in data processing allows the processing and use of sensitive data in the public interest. Data protection authorities stand ready to help facilitate the rapid and safe sharing of data to combat COVID-19.

What employers need to know:

There are a few general rules that can be gleaned from the regulator’s guidance on COVID-19. A distinction must be made between the data that governments may collect and use and the data that private entities may collect and use, including the legal basis for individual situations. In general, governments will have more room to maneuver when processing personal data in the public interest (eg to protect public health) or even to process personal data in the vital interest of an individual. According to the GDPR, they are explicitly defined as a basis for processing personal data. It may also be possible for private entities to collect and use personal data in the public interest, but there must be a clear, direct and demonstrable link to the public interest. When processing medical and other health data, which includes noting whether employees have been diagnosed as infected or exhibiting symptoms of COVID-19, organizations should exercise restraint in processing only the minimum personal data necessary to fulfill their safety-related obligations workforce, customers and the public. In general, data protection and employment laws limit the amount of detail about employee illnesses that can be recorded by employers. Where necessary and proportionate (ie if there is no other option than to collect data on (suspected) workplace COVID-19 infections), data minimization and confidentiality should be followed as best practice. This means that as little information as possible should be collected and that information should only be available to specific individuals (not to groups of departments) who have a reasonable need to know it. For example, identifying victims of COVID-19 by name should not be allowed. Companies should also exercise restraint when processing data from visitors to its premises. There may be good reason to take a visitor’s temperature before allowing access, but this does not mean that the temperature reading or data relating to the person whose temperature is taken must be retained after the decision to grant access or not.

It is perfectly reasonable in this situation for the organization to carry out a privacy or data protection impact assessment and to implement additional organizational and technical measures in this regard.

С какво да Ви помогнем?

споделете вашата идея и ние ще се свържем с вас

    Find us in Sofia!Varna!London!

    57 Cherni Vrah Blvd., Energy Tower,
    floor 7, 1407, Sofia

    173 Prilep St., Business Center BeeGarden,
    Office 20 9000, Varna

    Flat 12, Woodland court, 12 Penn hill avenue, Poole, BH14 9LZ