International: Concerns about Coronavirus and its spread should "not override privacy and security laws"
The World Health Organisation declared, on 11 March 2020, COVID-19 ('Coronavirus') a pandemic. With the rapid spread of the Coronavirus, organisations around the world are reviewing employment policies and procedures. Additionally, the legal requirements on reporting and disclosure have raised privacy concerns, which has led numerous health and data protection authorities to issue guidance on how organisations can ensure compliance.
The French data protection authority ('CNIL') published, on 6 March 2020, its guidance for the processing of, for example, health and employee data regarding Coronavirus.
In particular, CNIL states that, when collecting data relating to symptoms of Coronavirus or the employee's recent movements, employers must avoid collecting data beyond what is necessary for the purpose of managing virus exposure. Julie Schwartz, Senior Associate at Hogan Lovells (Paris) LLP, told OneTrust DataGuidance that, "Companies must refrain from collecting through questionnaires or individual requests information that could qualify as health data (symptoms of fever, high temperature, cough, shortness of breath, etc.) and must not collect information that goes beyond the date and identity of the person potentially exposed and the organisational measures taken (work from home, appointment to the occupational physician, etc.). However, companies can request for employees to inform their Human Resources ('HR') department in case they have visited affected areas. The companies can also raise awareness and remind employees and visitors appropriate actions to be taken."
In addition, CNIL outlines that employers should avoid systematic and generalised collection of data, for instance in the monitoring of employee's temperature. Schwartz outlines that, "Companies must ensure that such data is either right away deleted if it is not necessary to manage the case or, if [the data] is necessary to manage the exposure and other employees' safety and security, is limited to what is strictly necessary. In such a case data must be processed in a careful and confidential way with reinforced security measures, in a transparent way by informing concerned employees, must be subject to specific retention periods, communicated to limited recipients, etc. An exception for processing health data must also be identified, for instance, Articles 9(2)(b) or 9(2)(i) of the GDPR."
Regarding the disclosure of identity of an employee who has contracted the virus, Schwartz indicates that, "A solution could be for companies to inform the other employees that a case, or a suspected case, has been identified in the company, without providing the name of the person, and request them to work from home. The HR department could then ask the sick employee to establish a list of persons with whom he/she has been in contact and then the HR department can contact individually the persons of the list."
Furthermore, CNIL offers guidance on reporting to the health authorities in the event of virus exposure, which Schwartz clarifies "constitutes personal data processing and implies all the GDPR obligations." Schwartz suggests that companies take practical steps such as "adding the processing into the records of processing activities, informing the concerned employees, limiting recipients, applying specific data retention periods, and ensuring the confidentiality and security of data."
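The CNIL rules quoted above (keep only the date, the identity of the person potentially exposed and the organisational measures taken; refuse health data; delete records after a set retention period; tell colleagues that a case exists without naming the person) map onto a small data-handling routine. The following is an added illustration written for this page, not code from CNIL, the article or any of the firms quoted; the field names, the 14-day retention period and the sample submissions are assumptions, since the guidance only requires that a retention period exist.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Fields the guidance allows an employer to hold for an exposure case.
# Field names are assumed for this example.
ALLOWED_FIELDS = frozenset({"date", "employee_id", "measures"})
# Fields that would qualify as health data and must not be collected by questionnaire.
HEALTH_DATA_FIELDS = frozenset({"symptoms", "temperature", "fever", "cough", "diagnosis"})
# Retention period in days: an assumed value, the guidance only requires that one be set.
RETENTION_DAYS = 14


@dataclass(frozen=True)
class ExposureRecord:
    date: date
    employee_id: str
    measures: tuple  # organisational measures, e.g. ("work from home",)


def minimise(submission: dict) -> ExposureRecord:
    """Turn a raw HR submission into a minimised record.

    The whole submission is rejected if it carries health data, so a symptom
    list never reaches storage; any other field outside the allowed set
    (department, manager, free-text notes, ...) is dropped. The date is
    expected as an ISO string such as "2020-03-09".
    """
    health = HEALTH_DATA_FIELDS.intersection(submission)
    if health:
        raise ValueError(f"refusing health data fields: {sorted(health)}")
    kept = {k: v for k, v in submission.items() if k in ALLOWED_FIELDS}
    missing = ALLOWED_FIELDS.difference(kept)
    if missing:
        raise ValueError(f"incomplete submission, missing: {sorted(missing)}")
    return ExposureRecord(
        date=date.fromisoformat(kept["date"]),
        employee_id=kept["employee_id"],
        measures=tuple(kept["measures"]),
    )


def purge_expired(records: list, today_iso: str, retention_days: int = RETENTION_DAYS) -> list:
    """Return only the records still inside the retention window.

    Records are deleted once the retention period has elapsed regardless of
    content, which is the 'specific retention period' the guidance asks for.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if r.date >= cutoff]


def colleague_notice(record: ExposureRecord) -> str:
    """Notice to other staff: states that a case was identified, never who."""
    return (
        f"A suspected or confirmed case was identified on {record.date.isoformat()}. "
        f"Measures taken: {', '.join(record.measures)}. "
        "Please work from home until further notice."
    )


if __name__ == "__main__":
    # Constructed sample submissions for a local run.
    rec = minimise({"date": "2020-03-09", "employee_id": "E42",
                    "measures": ["work from home"], "department": "Sales"})
    print(colleague_notice(rec))
    try:
        minimise({"date": "2020-03-09", "employee_id": "E43",
                  "measures": [], "symptoms": ["fever"]})
    except ValueError as err:
        print("rejected:", err)
```

The point of rejecting rather than filtering the health fields is that a questionnaire which asks for them is itself the problem the guidance targets; silently discarding the answer would hide a collection practice that should be corrected at the form, not at storage.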
Francesca Gaudino, Head of Information Technology and Communications Group at Baker McKenzie (Milan), told OneTrust DataGuidance, "Data protection authorities/supervisors in the APAC region have faced the issue of data processing in such an emergency. In some cases, the approach may not have been aligned with that of European data protection authorities. [W]hat is of interest, more than the approach, at a time when we're still combating Coronavirus, are two considerations in relation to the use of data collected in the course of this emergency:
- these data should be kept safe, confidential, and deleted if not relevant: the risk of abuse is high.
- the information should be treated as 'open data', since its value in terms of scientific source is enormous. These data are expected to contain the weapon to defeat Coronavirus and, hopefully, to prepare for possible future variations of the same."
As Coronavirus spread to Europe, the Italian data protection authority ('Garante') was among the first to publish, on 3 March 2020, a special press release including guidance regarding Coronavirus.
In particular, Garante highlights that employers must not collect, a priori and in a systematic and generalised manner, information on the presence of any symptoms of workers and their closest contacts. Giulio Coraggio and Tommaso Ricci, Partner and Trainee at DLA Piper Italy respectively, told OneTrust DataGuidance, "The recommendation is to send a notice to all employees and officers indicating that if they have fever or have been in situations at risk, they should not come to the office. Besides, in some cases […] health checks on employees can be allowed, but always after the provision of a privacy information notice. With reference to 'ordinary' officers, body temperature checks can be allowed only under specific circumstances and with their prior explicit consent."
Further to the same, regarding the employer's treatment of employees and implementation of data protection measures, Nadia Arnaboldi and Mattia Lettieri, Founder of Arnaboldi Consulting Firm and Labour Lawyer and Partner of Lettieri&Tanca respectively, told OneTrust DataGuidance, "Companies are prevented from obtaining a 'self-declaration' from employees about the absence of any signs of Coronavirus and other information relating to their private life. Garante has suggested rather to inform employees on the Coronavirus risks and on the actions they can take to prevent and limit the spread of Coronavirus, as well as their right to contact the company medical doctor and their obligation to inform the employer of any danger to health and safety at the workplace as provided for by the labour laws."
In addition, Garante emphasises that the collection of information relating to the symptoms of the Coronavirus is the responsibility of healthcare professionals. According to Gaudino, "The Garante's guidance is fairly firm in affirming that 'do-it-yourself' initiatives should be avoided during this health emergency. The rationale and purpose are to keep an ordered, coordinated, centrally managed approach to the COVID-19 emergency. From a data protection perspective, the risk of an uncontrolled collection of (also) health-related information and then possible misuse, is high. Not to mention the possible consequences in terms of discrimination and uncontrolled reaction, in case inaccurate information starts going around."
Furthermore, many companies are relying on working from home during this period. Coraggio and Ricci offer the following advice, "In order to carefully manage this unexpected situation, companies shall adopt adequate technical and organisational security measures, such as:
- encouraging their employees to use only devices provided by the company, on which adequate security systems should be activated and regularly checked, or at least to use personal devices provided with a strong antivirus system and to regularly carry out accurate anti-malware scans, avoiding the connection of external unprotected hardware. In any case a virtual private network ('VPN') is recommended;
- implementing a PC/smartphone management system to enable remote tracking and assistance by IT specialists; and
- adopting the adequate internal policies to define a 360-degree regulation on remote working, covering, for example, IT devices usage, data breach notification procedure, and authentication security requirements."
Gaudino concurs, "Responsiveness, rapidity, flexibility, reliability, availability are elements which companies should make sure are provided at the right level by their information system, whatever the structure – whether internally owned or outsourced, wholly or in part."
Lastly, the Government of Italy issued, on 9 March 2020, its Law Decree No. 14 ('the Law Decree No.14'). In particular, Arnaboldi and Lettieri concluded that, "Article 14 of the Law Decree No.14 contains special provisions on data protection to manage the Coronavirus emergency for the National Civil Protection Service, the offices of the Ministry of Health and the National Institute of Health, private and public entities operating within the National Health Service as well as other entities entitled to monitor and guarantee the application of the measures of Law Decree No. 6 of 23 February 2020. The Law Decree No.14 allows the aforementioned bodies to exchange and process special categories of data necessary to perform their tasks according to the law and in compliance with Articles 9(2)(g)(h)(i) and 10 of the GDPR and Article 2-sexies(2)(t)(u) of the Personal Data Protection Code, Legislative Decree No. 196/2003 ('the Privacy Code'). The Law Decree No.14 underlines that the data protection principles stated by Article 5 of the GDPR must be guaranteed and appropriate measures must be adopted. Said entities are also entitled to assign specific functions and tasks to individuals according to Article 2-quaterdecies of the Privacy Code by means of simplified and oral procedures, and to avoid any privacy notice or give a simplified privacy notice. The aforementioned special measures are valid until the end of the emergency."
The National Health Commission ('NHC') of the People's Republic of China ('PRC') released, on 4 February 2020, a notice on strengthening information-based support for the prevention and control of pneumonia outbreaks related to the Coronavirus infection ('the Notice'). In particular, the NHC highlighted, among other things, that the effective protection of personal privacy and security is important in providing reliable support for epidemic prevention and control.
The Cyberspace Administration of China also released, on 9 February 2020, a general notice on the protection of personal information and use of Big Data to support the prevention and control of the Coronavirus ('the General Notice') which highlighted that personal information obtained by individuals or organisations on the grounds of epidemic prevention and control cannot be collected without data subjects’ consent, except if the agencies are authorised by the Health Department of the State Council of the People's Republic of China, in accordance with the applicable laws.
In addition, the General Notice outlines that personal information collected for epidemic prevention and control, as well as disease prevention shall not be used for other purposes. Moreover, the General Notice notes that the collection of personal information should be limited to key groups such as diagnosed persons, suspects, and close contacts of diagnosed persons, and not generally target specific areas. Finally, the General Notice clarified that any organisation or individual who discovers that the collection, use, or disclosure of personal information is in violation of laws and regulations may report it to, among others, a public security department in a timely manner.
Galaad Delval, Data Protection Officer at Chen & Co. told OneTrust DataGuidance that, "In the short-term, companies have been collecting more employees' health information than usual in response to local regulations, [however,] the real challenge will [be visible] in the […] long term [when it is determined] whether such information will be duly stored or erased […].”
The Personal Data Protection Commission ('PDPC') released, on 2 March 2020, a frequently asked questions ('FAQ') document on Coronavirus. In particular, the PDPC highlighted that organisations may collect, use and disclose personal data of visitors during the outbreak of the Coronavirus without consent pursuant to Sections 1(b) of the Second, Third and Fourth Schedules to the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA'), and that organisations may collect visitors' National Registration Identification Card ('NRIC') information, Foreign Identity Numbers ('FIN'), and passport numbers when necessary for identification purposes.
Charmian Aw, Counsel at Reed Smith LLP, told OneTrust DataGuidance, "If an organisation does collect NRIC information which is regarded to be of a higher sensitivity, then more stringent security measures should be in place to protect that data from any unauthorised access or similar risks. To give an on-the-ground perspective, it does not appear that organisations in Singapore fully understand the potential impact, as many are still using manual logbooks visible to the public to record NRIC information. [Furthermore], collecting employee health data by way of temperature screening and/or health declarations has now become a much more regular and commonplace practice with employers in Singapore. If, after the Coronavirus situation has normalised, an organisation is found to have kept all of the health declarations and the data records retained include NRIC information, it will face a greater risk of potential breaches of the PDPA."
The Office of the Privacy Commissioner for Personal Data ('PCPD') has issued statements on monitoring individuals afflicted by the Coronavirus, as well as clarification that the right to life under the Hong Kong Bill of Rights Ordinance, is absolute and supersedes the right to privacy.
Mark Parsons, Partner at Hogan Lovells International LLP, told OneTrust DataGuidance,
"Employers in fields that are more sensitive to the risk of contamination, such as health services, may be seeking to obtain medical records, travel records or other information with a view to enforcing workplace policies relating to [the Coronavirus]. The key implications for the Personal Data Protection Ordinance 1995 ('PDPO'), assuming the collection is justified, are to ensure the collection is proportionate and not excessive to the purpose, that the data is held securely and used on a 'need to know' basis and it is securely destroyed once the need to [use such data] has lapsed. The fact that the PDPO is a 'notification-based regime' does not mean that personal data may be collected against the data subject's will […] In the employment context, for example, depending on the specific circumstances an employer may be expected to provide an employee with the choice to work from home rather than provide medical records. Under Hong Kong law, an employer would be required to evaluate less privacy-intrusive alternatives to the collection of personal data considered sensitive."
The Korea Communications Commission ('KCC') announced, on 11 February 2020, that together with the Korea Internet & Security Agency it had focused on the dissemination of official documents containing personal information of Coronavirus patients online, monitoring related posts, and requesting deletions pursuant to Article 32-4 the Act on Promotion of Information and Communications Network Utilisation and Data Protection. In particular, the KCC highlighted that the act of distributing personal information that can identify a specific individual, except for information released by the authorities in relation to the Coronavirus, may be subject to civil and criminal penalties for infringements of privacy.
The U.S. Department of Health and Human Services' Office for Civil Rights ('OCR') released, on 3 February 2020, a bulletin ('the Bulletin') on sharing patients' information in relation to the Coronavirus for Health Insurance Portability and Accountability Act of 1996 ('HIPAA') covered entities and their business associates. In particular, the OCR reminded covered entities that the requirements of the HIPAA Privacy Rule should not be set aside during an emergency.
The OCR Bulletin outlines the limited situations under the HIPAA Privacy Rule which allow for the disclosure of protected health information without a patient's authorisation, including:
- treatment information;
- information necessary to carry out public health activities;
- disclosures to family, friends, and others involved in an individual's care and for notification;
- disclosures to prevent a serious and imminent threat; and
- disclosures to the media or others not involved in the care of the patient.
The Bulletin reminds covered entities to maintain the principle of minimum necessary disclosure to accomplish their purposes. However, concerns about the privacy obligation and Coronavirus extend far beyond HIPAA covered entities.
Anne Kimbol, Assistant General Counsel and Chief Privacy Officer at HITRUST Alliance, told OneTrust DataGuidance, "The most important thing companies not covered by HIPAA can glean from this Bulletin is that concerns about Coronavirus and its spread do not override privacy and security laws. The Family Medical Leave Act of 1993 and the Americans with Disabilities Act of 1990 ('the ADA'), as well as any state or local laws on employee health data, still apply. So, be careful. The Centers for Disease Control and Prevention ('CDC') has said that employers should notify workers if an employee has tested positive for Coronavirus, but that the ADA confidentiality requirements still apply. This can be a delicate balance to maintain, but when in doubt, the CDC or the Department of Labor [shall be contacted]. The legal consequences of failing to abide by confidentiality requirements range from a governmental investigation and possible penalty or fine to a possible lawsuit by the individual whose information was exposed."
The Bulletin states that it is important for covered entities to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Furthermore, the ADA prohibits unnecessary and excessive medical inquiries by employers unless the inquiry is voluntary or job-related and consistent with business necessity, so employers must weigh any Coronavirus-related inquiry against that limit. The CDC and the Occupational Safety and Health Administration have created websites reminding organisations of their obligations under the Occupational Safety and Health Act of 1970 ('OSHA').
Kimbol stated that "The most apparent requirement under the OSHA relating to Coronavirus is the requirement to have a workplace that is free from recognised hazards that are causing or are likely to cause death or serious physical harm. Doing a review of the workplace for potential risk areas and ensuring mitigation efforts are enhanced – they can be as simple as encouraging social distancing and providing greater access to disinfectants – is something that should be part of regular corporate hygiene practices. These practices can be critical to providing a safe workplace concerning Coronavirus exposure. Employers should also know that OSHA has added Coronavirus to the list of recordable illnesses if an individual is infected on the job."
Amelia Williams, Angela Potter, Edidiong Udoh, Keshawna Campbell, Theo Stylianou, Privacy Analysts
Comments provided by:
Julie Schwartz, Senior Associate, Hogan Lovells LLP
Francesca Gaudino, Head of Information Technology and Communications Group, Baker McKenzie (Milan)
Giulio Coraggio, Partner, DLA Piper Italy
Tommaso Ricci, Trainee, DLA Piper Italy
Nadia Arnaboldi, Founder, Arnaboldi Consulting Firm
Mattia Lettieri, Labour Lawyer and Partner, Lettieri&Tanca
Galaad Delval, Data Protection Officer, Chen & Co. Law Firm
Anne Kimbol, Assistant General Counsel and Chief Privacy Officer, HITRUST Alliance
Charmian Aw, Counsel, Reed Smith LLP
Mark Parsons, Partner, Hogan Lovells International LLP