Data Protection Rights and the COVID-19 Pandemic
It was recently reported that the HSE had disclosed to an employer that one of their employees had tested positive for Covid-19 prior to informing the employee of their own test results. The HSE explained in a statement that in “exceptional circumstances”, “if it is considered essential for the public health good”, they would inform an employer of a Covid-19 positive test result prior to informing the employee. The HSE has since requested guidance from the Data Protection Commissioner (DPC) and has suspended the practice in the interim. Nonetheless, the issue has provoked serious concerns regarding the protection of employees’ sensitive medical data and whether there are any “exceptional circumstances” wherein the data protection rights of data subjects can be overridden in such a way.
Guidance from the Data Protection Commissioner (DPC)
Mass Covid-19 screening has been taking place across a number of sectors, including meat processing plants and nursing homes. This involves the processing of large amounts of personal data, including employee names, addresses and dates of birth, and sensitive ‘special category’ medical data, over a relatively short period of time and with a high degree of urgency.
The Data Protection Commissioner has issued advice regarding data protection law and the measures being taken by governments, employers in the public and private sector and voluntary bodies in the wake of the pandemic. Firstly, any protection measures implemented as a result of the pandemic that involve the processing of personal data need to be proportionate and necessary. The pandemic does not give organisations the authority to circumvent data protection standards and the applicable law.
- If an organisation is acting on the advice or direction of public health authorities or other authorities, the processing of personal data and data relating to health is permitted under the GDPR and the Data Protection Act 2018, provided the relevant safeguards are in place. These include the deletion of the data under strict time limits, limitations on who can access the data, and ensuring that staff are adequately trained regarding the protection of the data rights of individuals.
- Under the Safety, Health and Welfare at Work Act 2005, employers are legally obliged to protect their employees. Personal health data can be processed if it is decided that doing so is necessary and proportionate under the 2005 Act and the GDPR. The data should be processed in a confidential manner, meaning that if an employee has tested positive for Covid-19, staff should be advised without identifying the particular employee.
- Organisations must be transparent, in plain and clear language, regarding how they process personal data and sensitive ‘special category’ personal data, why they are collecting this data and how long the data will be retained.
- Confidentiality must be maintained and the necessary safeguards put in place to ensure the security of the data. There must be a very strong justification for identifying any individual affected by Covid-19 to a third party or colleagues.
- Only the minimum amount of data required to implement the objective of preventing or containing the spread of Covid-19 must be gathered. Any decision-making process of an organisation regarding their response to the pandemic which involves the processing of personal data should be retained by the data processor.
While the pandemic has rapidly changed the way organisations are functioning, the fundamentals of data protection remain intact. Organisations must exercise caution when processing personal data and in particular when the data is health-related.
For further information and advice in relation to “COVID-19 and Data Protection Rights”, please contact Daragh Burke, Amorys Solicitors firstname.lastname@example.org, telephone 01 213 5940 or your usual contact at Amorys.