Argentina: A privacy perspective on COVID-19 measures
In Argentina, the Agency of Access to Public Information ('AAIP'), the Argentinian data protection authority, has issued several guidelines and recommendations regarding data protection during the COVID-19 pandemic. Gustavo Giay, Diego Fernández, and Manuela Adrogué, of Marval, O'Farrell & Mairal discuss the privacy implications of the changes.
The COVID-19 Guidelines
On 11 March 2020, and days before the state of health emergency was declared, the AAIP issued their first guidelines on how sensitive and personal data must be processed during the COVID-19 pandemic. For instance:
- health data falls under the category of sensitive under the Argentine Data Protection Law 25.326 ('the Law'), deserving more rigorous protection;
- the communication of the name of a patient testing positive for COVID-19 requires the patient's prior consent;
- health institutions and doctors can process and share among them personal data of their patients if they keep said data confidential;
- the obligation of professional secrecy remains even after the relationship with the patient is over;
- to use the patient's health information for purposes different from the ones for which it was collected, the patient's prior consent is necessary; and
- the National Health Ministry, as well as the Provincial Health Ministries, are empowered to request, collect, and transfer to each other or process in any other way health information without the consent of the patients, in accordance with the explicit and implicit powers that they have been given by law.
Moreover, in 2020 the Argentine Ministry of Health ('MoH') launched an app named 'CUIDAR'. The first version of the app allowed people to diagnose themselves through a platform and then receive recommendations on the steps to follow if they have symptoms that coincide with COVID-19 and information on care and prevention. The app is capable of collecting geolocation information from its users in order to recommend steps to follow according to the symptoms that were entered into it. In this way, in order to be able to carry out public prevention and mitigation policies related to COVID-19, the MoH can use the information in the app to map risk areas, as well as areas where social distancing cannot be achieved and that could increase the spread of the virus. The characteristics of the database corresponding to the CUIDAR app are detailed in Provision 3/2020 issued by the Under Secretariat for Open Government and Digital Country.
In relation to the above, the AAIP carried an ex officio investigation into the CUIDAR app in order to verify its compliance with the Law. The report analyses different aspects like the lawfulness of the processing of personal data, the legal basis for data collection, security principles, data quality principles, retention periods, and international transfers, among others.
Among the different matters covered in the report, it is of particular interest that according to the AAIP, the user ID validation mechanisms implemented by the app are adequate and in compliance with the security principle in Section 9 of the Law. However, the AAIP underscored that, to validate individuals' identities, the app prompts them to type in their ID numbers jointly with a validation number. Notably, and recalling that in 2019, a security breach in the Ministry of Domestic Affairs' systems resulted in unauthorised access to the IDs of thousands of Argentine citizens, the AAIP recommends implementing a different method to verify user´s identities. In addition, after listing the app's security measures, the AAIP suggested implementing the security measures recommended under Resolution No. 47/2018.
Moreover, according to the AAIP, the proportionality principle implies that controllers should not process more data than it is necessary to for a given purpose. In that regard, and taking into account the app's two purposes, the report deemed that the processing of symptoms consistent with COVID-19, as well as the user's location and telephone number, are proportionate for the purpose of evaluating whether or not that user could be infected and, if so, to connect the user to the health authorities. Lastly, the AAIP highlighted that the app does not monitor user geolocation in real time and, if it did, thorough assessment and legal justification would be required.
In this context, the AAIP published a series of recommendations for the use of applications that can geolocate their users, by recalling that in accordance with the Law, the monitoring of the location of individuals is not prohibited, provided that such monitoring is carried out in a manner which respects the human right to privacy. The AAIP lists fundamental principles on data protection applicable to geolocation tools, whether they are used by the public or private sector, or both. Location data is defined as 'information collected by a network or service about where the user's phone or other device is or was located.' Similarly, the AAIP understands that location data can be inferred by GPS, cell towers, Wi-Fi, Bluetooth, or combination of signals. All information regarding a person's location and/or movements constitutes personal data protected by law, and therefore its processing must have a valid legal basis, pursuant to Article 5 of the Law. Finally, the Data Protection Authority also recommends carrying out a Privacy Impact Assessment prior to the implementation of this type of tool in order to control and mitigate its risks, as well as to assess its feasibility.
The CUIDAR app has been relaunched in December 2021 with new features, which will be effective on January 2022. These new features relate mainly to the vaccination certificate. Consequently, the app now informs whether the user has been vaccinated, how many doses have been taken, and where those vaccinations took place. Users can display their vaccination status directly from the app. In addition, the CUIDAR app details if the user has taken a COVID-19 test in the last 48 hours and displays the results.
There is already a governmental app named 'Mi Argentina' that, among other things, is aimed at certifying that a person has received a COVID-19 vaccine by displaying a COVID-19 Vaccination Certificate. It contains the name of the vaccine the person received, batch number, dose number, vaccination centre and date when the vaccine was applied. Individuals who were vaccinated against COVID-19 in a foreign country may demonstrate to the Argentine Ministry of Health that they were vaccinated abroad using the same app to process a sworn statement of vaccination. Foreign individuals vaccinated in Argentina who do not have an Argentine ID card may request their COVID-19 Vaccination Certificate at the health centres determined by each jurisdiction.
Since COVID-19 vaccination is voluntary in Argentina, pursuant to Section 6 of the MoH Regulation No. 2883/2020, to enter or leave the country, for example, individuals are not required to have a COVID-19 Vaccination Certificate. Thus, the certificate would not be strictly implemented as a vaccine passport, at least for the moment.
From 1 January 2022, a complete vaccination schedule against COVID-19 will be required for people aged 13 years and up to participate in activities considered to be of higher epidemiological and sanitary risk, such as attending indoor dance clubs, senior and student trips, and massive indoor or outdoor events of more than 1,000 people in accordance with Section 1 of the Regulation No. 1198/2021. The vaccination schedule must have been completed at least 14 days prior to the activity or event and be accredited through the already mentioned CUIDAR app. Jurisdictional authorities and entities of the national public sector may require the accreditation of the complete COVID-19 vaccination schedule for additional activities according to the epidemiological situation, the local vaccination plan, and the progress in the vaccination coverage against COVID-19. The AAIP has not made any comments regarding the sanitary passport yet.
Labour law perspective
From the labour law perspective, employees entering Argentina to work must comply with all immigration, labour, and sanitary obligations to prevent risks. Currently there is a more flexible position for foreign employees entering into Argentina, though administrative and immigration requirements may vary going forward depending on the spread of COVID-19.
Currently, for the purposes of entering Argentina to work, in addition to filing a specific sworn declaration, the following requirements apply:
- Argentine residents: are exempted from isolation if they are fully vaccinated (at least 14 calendar days before entering Argentina) and submit a negative PCR test 72 hours before entering the country. Otherwise, if they are not fully vaccinated, they must be quarantined and undergo a PCR test on the seventh day of entry, which, if negative, will bring the isolation to an end.
- Non-resident foreigners: with regard to non-resident foreigners who need to enter Argentina for work, a full vaccination schedule and COVID-19 health insurance is required. Otherwise, a consular endorsement may be requested to authorise the employee's boarding. However, such authorisation is subject to the discretion of each consulate. Additional requirements, such as isolation and/or additional PCR tests may still apply.
Due to the new Omicron variant of COVID-19, there are specific, stricter requirements for employees coming from or having been in Africa within the last 14 calendar days prior to entering Argentina. In such circumstances, the employee must: mention such circumstances in the sworn statement, submit a complete vaccination schedule 14 calendar days prior to entry, provide a negative PCR 72 hours prior to the beginning of the trip and another test upon arrival to the country, and comply with preventive isolation and PCR testing on the tenth day after the PCR sample is taken at origin, the result of which must be negative.
Another important labour matter is implementing the necessary measures to prevent risks, especially in case of returning to on-site work. Due to the decrease of positive cases and other COVID-19 related morbidities, returning to on-site work is nowadays possible, under a full or hybrid remote and on-site working scheme. For such purposes, there are specific minimum requirements to prevent risks, including those set forth in the relevant safety protocols, which may vary according to the company's activity.
It is subject to debate whether employers can request their employees to be fully vaccinated to return to on-site work. In principle, receiving a COVID-19 vaccination is, until now, a personal and voluntary decision. As such, employers may recommend employees to be vaccinated but they cannot force them to vaccinate. However, the employer is obliged to protect the employee's health, and therefore, there is a position that construes that in order to protect the health and safety of all employees, employers would be able to only allow those fully vaccinated to attend work at the company's premises. Still, as mentioned, this matter is subject to debate and there are different interpretations and positions. Thus, each company must analyse the applicable requirements as well as define the measures that shall apply to minimise risks.
COVID-19 vaccine guide
The AAIP published the Access to Information, Personal Data, and COVID-19 Vaccine Guide ('the Guide'), outlining the criteria for processing and disclosing the personal data of individuals who have received the COVID-19 vaccine. The Guide aims to balance the publics' right to access public information with the data subjects' right to privacy.
In the Guide, the AAIP distinguishes three different scenarios for processing and disclosing the personal data of individuals who have received the COVID-19 vaccine:
- General vaccination data: which includes the data of individuals who have been vaccinated in accordance with the rules set forth by the MoH, complying with appointments and the corresponding vaccination phases. Pursuant to the Guide, this kind of personal data may only be published if dissociated from the individual.
- Public officials and employees: information as to who has received the COVID-19 vaccine should be deemed as public information because public officials and employees have a lower expectation of privacy than other citizens, vaccines were purchased with public funds, and the public must have the power to control who is deemed as 'strategic personnel' by the Argentine Government.
- Individuals that have been vaccinated outside the scope of the official vaccination plan and phases provided under the plan: the public interest in knowing who received irregular vaccination priority (meaning outside the scope of the official vaccination plan) outweighs any potential harm to the individual's right to privacy.