A state of emergency, but no amnesty

Announcements from the European Data Protection Board and other data protection authorities on GDPR and Covid-19 ("corona")

By Associate Anders A Christie  

The GDPR creates some headaches at this time of crisis. The Covid-19 pandemic results in additional processing of personal data. Yet, severe restrictions are placed specifically on the processing of health information in the GDPR.

The European Data Protection Board ("Data Protection Board"), which is the EEA area's data protection authority, has recently commented  on the situation. The Data Protection Board has declared that defeating corona and complying with GDPR are compatible, but the correct procedures must be followed. There is no amnesty. The Norwegian Data Protection Authority says it is not letting up on the enforcement of privacy regulations.

The Data Protection Board poses several questions:

• Can an employer give notice regarding infected employees?
• Can a company ask employees and visitors for personal data?
• Can an employer test employees?

The Data Protection Board does not answer any of these questions clearly, but provides certain guidelines.

The Data Protection Board states that measures must be as muted as possible. It is essentially saying that alternatives to the processing of personal data must be considered, such as implementing precautionary measures.

Specifically, it is saying that an infected person must be notified prior to any internal notification by the employer. In addition, notification must preserve the dignity and integrity of the employee.

Predicting when a notification compromises dignity or integrity is challenging. If you decide to notify, it would be wise to assess whether the notification may be limited to a certain group, such as management.

When should the company collect personal data in its fight against corona?

Unfortunately, neither the Data Protection Board nor the Norwegian Data Protection Authority specify when an employer may collect information related to corona. The Danish Data Protection Authority states that it permits data collection (but not health information) from employees. The fact that a person is infected is health information, while isolated information about returning from high risk areas and about quarantine is not, according to the Norwegian Data Protection Authority. However, ordinary personal data which is compiled, may add up to health information. The distinctions are vague. It is also difficult to know when an employee's personal data becomes his close family's personal data.

When should you process corona-related personal data?

Strategy 1: Implement precautionary measures without requesting personal data

If your business implements precautionary measures, the processing of corona-related personal data may be minimized. You also avoid the risks associated with grey areas.

Strategy 2: Request corona-related personal data in addition to precautionary measures

Another strategy is for the company to ask employees and visitors for corona-related information. This strategy increases the risk of violating GDPR, and it may be unclear whether this leads to gains in infection control over and above the precautionary measures. For certain businesses, however, it may be appropriate.

The GDPR and the Personal Data Act (2018) permit processing of necessary personal data and health information about employees. Although this is based in law, such a strategy may be more trouble than it is worth. By requesting information, employers may receive random, unstructured personal data that need to be controlled. The processing and assessments must also be documented - even during corona - which the Norwegian Data Protection Authority adamantly stresses. The data flow must also be under control. A secure collection channel must be created. For example, if employees respond by email (which can often be read by unauthorised third parties on the way between sender and recipient), the security level probably does not meet minimum GDPR requirements (art. 32). In addition, the definition of "necessary" processing of personal data is unclear.

It is also important to keep any personal employee data in-house. Sharing specific information with third parties, such as customers, is not recommended. The Norwegian Data Protection Authority states that third parties should only receive general information, e.g. that an employee is unavailable.

It may also seem prudent to ask visitors for corona information, but this is another fuzzy area. The assessment of the legal basis is different than for employees.

Recommendation

For most companies, our recommendation is to keep the processing of corona-related personal data to a minimum. Always consider whether you can solve the challenge just as effectively without processing such personal data. There is every reason to be careful regarding infection alerts, testing, and comprehensive questions aimed at visitors. For most companies, clear precautionary measures are preferable.  

Associate Anders A Christie is part of Bull & Co's Technology team. He works with IT contracts, privacy and data security law. The subject of his master thesis was use of Big Data within the GDPR framework. 

Anders may be reached on aac@bull.no or +47 92 21 69 60.