The Coronavirus (COVID-19 or SARS-CoV-2) pandemic has resulted in unprecedented challenges worldwide. Amongst these, businesses are finding it difficult to reconcile the need to share information quickly and effectively with their obligations under relevant data protection legislation.
ISOLAS LLP Partner, James Montado, and Associate, Michael Adamberry, who amongst a wide range of practice areas specialise in Privacy & Data Protection, and Banking & Regulatory Services, comment on some of the key considerations for businesses during these challenging times.
A perfect storm
As the rate of the spread of COVID-19 increases exponentially, Europe now finds itself at the epicentre of the pandemic. Governments are looking to ensure business continuity, whilst having to engage emergency lockdown protocols for their citizens. Last week, ISOLAS commented on how Majesty’s Government of Gibraltar (HMGoG) had implemented a set of immediate economic measures to allow Gibraltar’s economy to weather the storm ahead, with further measures announced by the Chief Minister this week.
Some businesses, practically overnight, have had to adjust to the emergency legislation, which although focused around preventing long-term damage to the Gibraltar economy, has led to some businesses having to temporarily suspend business altogether, whilst others resort to remote working, or working telematically (i.e. merging telecommunications and infomatics, resulting in telematics).
No Data Protection considerations left behind
As businesses adapt to the new normal, new challenges arise for those that are not accustomed to remote working; from sourcing suitable equipment to staff training, to employment and HR issues. Some may be tempted to shift the priority of ensuring adequate data protection downward on the list of business concerns as they focus on how to keep their business afloat in the midst of the rapidly developing socio-economic crisis.
As financial and human resources are diverted away from regulatory compliance and information governance work, this creates an inevitable risk of potential regulatory action. However, provided that organisations can reasonably justify the need to prioritise other areas, and that they do not completely forget about Privacy & Data Protection, various regulators, such as the Gibraltar Regulatory Authority (GRA) have signified that a more lenient approach will be taken, penalising only those that have a flagrant disregard for their legal and regulatory obligations, or those who take no steps at all to at least try and address these.
Some key questions and answers
The Gibraltar Regulatory Authority (GRA) has released guidance on what businesses need to know. The UK’s Information Commissioner’s Office (ICO), which is respected as one of the leading supervisory authorities worldwide has also commented on the recent outbreak in its newsletter. Some of the key points raised are as follows:
- What if some deadlines are missed due to lack of resources?: Acceptable, provided the business can justify how resources are being diverted and mitigate the damage (i.e. send holding replies).
- Does remote working breach data protection legislation?: Not necessarily. Provided the business has adequate data security and ensures the right technical and organisational requirements are in place, it should allow home working. The organisation should avoid, as far as possible reliance on employee’s personal equipment, and this should be limited as far as possible or if absolutely necessary, further steps should be taken to ensure that.
- Can I inform my staff that a person has contracted COVID-19?: Yes, but within limits. So long as there is a justifiable purpose to disclosure, this will generally be seen as acceptable. If the intention is protection the other workers (e.g. sending vulnerable people home), the organisation may be able to justify its action. Organisations still need to think about whether they can achieve this aim by disclosing the minimal amount of data possible. For example, do you really need to name them? Can you identify instead what part of the building/department is expected to have been affected? Consider that knowing that an employee has contracted COVID-19 can lead to a considerable stigmatisation and have an adverse effect on the fundamental rights and freedoms of natural persons. Further, consider that in smaller organisations, individuals may be readily identified even if they are not named and the importance of having a valid justification for the disclosure will be paramount.
- Asking employees about high-risk areas & contact with infected persons: Acceptable, but as the pandemic spreads, this could just be anywhere outside the home or remote working environment. In such cases, employers cannot monitor every movement of the employees, but can periodically request confirmation that they have not allowed themselves to be exposed to the virus (not necessarily needing to confirm whom the infected individuals are).
- Entry restrictions and temperature checks: Acceptable to an extent, given this involves special category data, there needs to be a prevention of abuse, and the least invasive measures should be considered (e.g. non-invasive temperature taking, rather than subjecting everyone to medical examination). The justification is as above; ensuring health and safety in the workplace. You do not need to gather lots of information about employees or visitors to your premises, but if checks do reveal an issue, the organisation needs to think about how it will manage this, and how it will secure this information, which should be much more restricted than other non-sensitive data.
- Sharing information outside my organisation: Acceptable to an extent, as you always need a valid reason to share personal data. Confirmation that someone has contracted COVID-19 is GDPR Art.9 special category data relating to health, and therefore you need a lawful basis under GDPR Art 6. plus another lawful basis in GDPR Art 9, and then consider whether certain tests (e.g. the health data test) contained in the Data Protection Act 2004 apply. You also need to consider who you are disclosing to. Some cases are more clear cut, such as requests from competent authorities, where employer has to transmit information to such authorities in accordance with statutory obligations. Other cases may require you to question that authority, and this underpins the need to ensure a request is legitimate and has appropriate statutory/regulatory footing or other official authority.
- Can I collect private mobile phone numbers / use Facebook?: Yes, but within limits. You may want to warn employees at short notice as to office closures, infection, breaches of security etc. However, consider whether you will rely on consent (GDPR Art.6(1)(a)) or on “legitimate interests” (GDPR Art.6(1)(e)) as your lawful basis and to what extent you can justify this. Is it also possible to reduce communications or find an alternative method or communicating that does not reveal personal numbers?
Other employer considerations:
Given an employer’s duty of care towards other employees, and to ensure the occupational safety and health of their employees, this “employment, social security and social protection” justification (GDPR Art.9(2)(b)) could provide sufficient justification in many of the above cases. The next weeks and months will also likely see an increase in the reliance of “vital interests” (GDPR Art.6(1)(d)) as a lawful basis, together with other justifications such as “preventative and occupational medicine” (GDPR Art. 9(2)(h)) and “public health” (GDPR Art.9(2)(i)).
James Montado said: “As signalled by both the GRA and ICO, the top line here is a recognition of the importance of allowing information to flow rapidly and to slow down the spread of this virus. Data protection laws should not stop businesses from doing that, and are designed not to hinder information flow, but to ensure that valid justifications are considered. Common sense should always prevail, and there may be legitimate and proportionate aims pursued by data controllers that outweigh the fundamental rights and freedoms of natural persons- but let’s take some time to think about what those are and how we can document these assessments.”
If you would like any further information on your Privacy & Data Protection obligations, or would like ISOLAS to conduct an independent audit of your policies and procedures.
Please contact James Montado on james.montado@isolas.gi or Michael Adamberry on michael.adamberry@isolas.gi.