Suddenly, the world came to an almost complete standstill. What few expected to happen in these modern times of continuous global travel and interconnectedness did happen after all.
COVID-19, or the Coronavirus, has caused governments to close national borders, issue ‘shelter at home’ warnings, and cancel public and private group gatherings and events. Many companies have adopted policies and remote work practices requiring or allowing their employees to work from home in situations where their responsibilities can be managed off-premise.
At TrustArc, we receive a lot of questions about the privacy implications of the COVID-19 pandemic. What are employers allowed to do to control the spread and mitigate the effects of the virus, and what additional data can they process about their employees? How do employers ensure good data protection and governance practices for employees working from home?
In this blog, we address the most common challenges organizations currently face.
Health Data on the Work Floor
Even in times of crisis (perhaps particularly in times of crisis), the law still applies. This is the case for labour laws, for medical legislation, and also for privacy and data protection laws. Safeguards cannot just be thrown out of the window. That said, in many jurisdictions, the law permits organizations to process additional data to assist public health efforts by keeping employees safe and healthy, provided that certain safeguards and requirements are met.
Guidance from the Regulators
One frequently asked question by both governments and employers relates to the collection and use of medical data, like body temperature. Earlier this week, the Executive Committee of the Global Privacy Assembly (GPA), a worldwide consortium of privacy and data protection regulators, released a statement on this issue:
“We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”
The GPA also published a special webpage where guidance from national regulators and other authorities on how to deal with COVID-19 related data issues is posted. This guidance is not limited to specific regions or regulators but rather covers GPA members worldwide.
What Employers Should Know
Even though we recommend you review the specific guidance available for the country where your organization operates, there are a few general rules that can be deduced from the regulator guidance on COVID-19.
- A distinction needs to be made between data that governments can collect and use, data that private entities can collect and use, and the permitted legal basis for each. Governments in general will have more room to maneuver when processing personal data in the public interest (e.g. to safeguard public health) or even to process personal data in the vital interest of an individual.
- Under the GDPR and other laws, these are explicitly identified as grounds to process personal data. For private entities, collection and use of personal data in the public interest can also be possible, but there needs to be a clear, direct and demonstrable link with the public interest.
- When processing medical and other health data, which includes noting if employees have been diagnosed as infected by or show symptoms of COVID-19, organizations should show restraint in only processing the minimum personal data necessary to carry out their obligations related to the safety of the workforce, customers, and the public.
- In general, data protection and labor laws restrict the amount of detail on employee illnesses that employers can register. When it is necessary and proportional (i.e., if there is no other option but to collect data on (suspicion of) COVID-19 infections in the workplace), as a best practice, data minimization and confidentiality must be respected. This means that as little information as possible should be collected and that this information should only be accessible to specific persons (not departments or groups) with a legitimate need to know it.
- For example, identifying victims of COVID-19 by name generally should not be allowed. Companies should also show restraint when processing data from visitors to its premises. There might be a good reason to measure the temperature of a visitor before allowing access, but that doesn’t mean the temperature reading or data related to whose temperature was read should be retained following the decision to provide access or not. In many jurisdictions, processing medical or other health data may require an organization to complete a privacy or data protection impact assessment and implement additional procedural safeguards and security controls.
- Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process for which reasons.
- Under almost all data protection regulations around the world, the transparency requirement is a key principle. Information should be accessible, and easy to understand and include the reasons why (additional) data needs to be processed.
Working from Home
For many organizations, the Coronavirus crisis is the first time they will allow large groups of employees to work from home. In addition to impacting IT resources, it also requires organizations to consider a renewed approach to their data use and data protection practices. Even for organizations where employees are used to working from home, it is advisable to review and, where relevant, revise policies and procedures to ensure that personal data will remain secure at all times.
This review should also include an assessment of the organizational, physical, and technical risks involved in working from home and accessing systems and data remotely and the security measures that may be advisable, such as using secure Wifi networks and company-authorized VPNs.
Though there may not be an alternative to working from home, conducting a privacy or data protection impact assessment of the working from home processing may help identify the risks to the rights and freedoms of your employees, customers, and business partners. It also allows you to identify mitigation steps that your workers at home can implement, like the implementation of certain technical and organizational measures.
