The global outbreak of novel coronavirus (COVID-19) has prompted a variety of legal concerns. As companies seek to adopt a range of mitigation strategies, many organisations are increasingly submitting and receiving requests for health information on individuals. This article considers the data protection issues arising from such requests.
In light of the prevalence of COVID-19, organisations that provide on-site services are likely to face increasing questions from other parties about the health of employees assigned to customer-facing positions. For example, a service provider deploying a team of people into a client's office for several weeks may need to satisfy the client that no members of the deployed team have tested positive for the virus or recently travelled to a particular destination. The service provider may be required to give evidence or details to verify such statements.
While it seems prudent for businesses to gather information to ascertain whether visitors or contractors pose a heightened health risk, the accumulation of personal data – particularly as it relates to health and medical issues – poses a number of potential legal challenges.
In countries where data protection laws exist, the collecting organisation will need to consider the legal impact of obtaining and holding such information.
In Europe, for example, medical personal data would be considered a "special category" of data under the EU General Data Protection Regulation (GDPR). There is a requirement to process any such data on the basis of specified lawful grounds and to provide information on the data collection activity to the individual. Any organisations intending to gather, and potentially disclose, personal data would therefore need to assess the lawful basis for such collection.
While the use of personal information for emergency treatment is likely to be acceptable on grounds that it is necessary to protect a person's life (under the 'vital interests' ground for processing in the GDPR), the sharing of health information or other personal data for risk assessment purposes should be considered more carefully. Appropriate processes must be followed to ensure compliance with laws relating to the collection, storage, use and further disclosure of the data.
In legal regimes without formal data protection laws, there will still need to be some consideration of privacy-related obligations in the general law. For example, the disclosure of personal information without the consent of the concerned individual may be construed as an offence under criminal codes in various Middle East countries. Similarly, the electronic collection and disclosure of such information may constitute an offence under cybercrime legislation.
Medical practitioners will be under general professional obligations not to disclose information directly to employers without consent, and will also be subject to industry-specific legislation such as HIPAA in the USA and to general privacy laws.
Any change in data collection or processing activities must be considered in light of the organisation's existing policies and prevailing data protection laws. If an employer or other party is seeking additional information about individuals – particularly sensitive information such as medical data, but also travel history and other personal details – there should be appropriate legal grounds for the request and adequate safeguards incorporated to address the additional legal risk.
At a practical level, a policy of engagement and transparency with staff should go a long way towards mitigating the risk of staff complaints. Any information that is shared should be suitably anonymised where possible to avoid implications under privacy or data protection laws, and legal assurances should be obtained from the recipient.
Consents for disclosure should be duly recorded and sufficient details provided to individuals (data subjects) where appropriate to meet relevant legal obligations.