Data protection must be taken into account in the context of coronavirus prevention measures

Coronavirus-related measures and data protection issues

Data protection authorities have issued more detailed guidelines on the processing of personal data in order to prevent the spread of the coronavirus pandemic. According to the Office of the Data Protection Ombudsman, personal data may be processed in order to prevent the coronavirus, as long as the processing is necessary and proportionate. The European Data Protection Board has given similar guidelines. Data protection legislation does not restrict public health measures or the prevention of infectious diseases, but the standards set out in the legislation must also be taken into account when personal data is processed to prevent the coronavirus.

Processing of personal data to prevent the coronavirus

The starting point of the processing of personal data is that the processing must always be necessary and proportionate. According to the EU's General Data Protection Regulation (GDPR), health data belongs to the special categories of personal data and its processing is prohibited. Personal data belonging to the special categories can be processed only if an exception to the prohibition under the GDPR applies.

Anonymous statistics on the coronavirus pandemic may, however, be published if an individual cannot be identified from the data. Data protection legislation does not apply to the processing of anonymous data. However, all data from which an individual can be identified directly or indirectly may be classified as personal data. Therefore, when publishing statistical data, it must be carefully assessed whether an individual could be identified from the anonymous information as such or from a combination of certain information.

Processing the personal data of employees in cases of coronavirus

The information that an employee has contracted coronavirus is health data, and under the employment privacy legislation, the employer is under an obligation to maintain the confidentiality of the employee's health data. If an employee is diagnosed with a coronavirus infection, the employer must not report it at or outside the workplace. The employer can, however, express at a general level that the employee has been prevented from performing his or her duties. It is also permitted to inform other employees in general terms that there is a potential or confirmed coronavirus infection among the staff. However, it must be borne in mind that under the Communicable Diseases Act, only a doctor can order someone to stay in quarantine.

However, neither the information that an employee has returned from travel to a risk zone nor the information that the employee is in quarantine, if the reason for the quarantine is not specified, is health data.

In general, employees' health data may only be processed by people whose duties include such processing, for example a relevant employee of the HR team. The employer must define in advance the tasks that involve processing of health data, or name the persons whose tasks include processing of such data. Data concerning the employee's state of health must be kept separate from the employee's other personal data, and it must be erased immediately when there are no longer grounds for storing it.

In brief:

  • Data protection legislation enables processing of personal data to prevent the spread of the coronavirus. Such processing primarily concerns competent public health authorities and, to some extent, other actors, such as employers. Health authorities may process personal data in the context of the epidemic and to monitor its spread in accordance with national law and the conditions set out therein. Concrete examples of such processing are the processing of data needed to trace an infection, and the infectious disease register. For employers, the processing may be based on, for example, performing legal obligations related to occupational safety, while taking into account the requirements mentioned above.
  • The General Data Protection Regulation and other data protection legislation must be complied with when processing any personal data related to the coronavirus.
  • The processing of personal data is always based on the necessity of the processing and there must be a legal basis for the processing.
  • The employer is under an obligation to maintain the confidentiality of the employee's health data.
  • Coronavirus pandemic statistics may be published if an individual cannot be identified from the anonymous information.

More information:

Statement by the European Data Protection Board on the processing of personal data in the context of the COVID-19 outbreak

Statement by the GPA Executive Committee on the Coronavirus (COVID-19) pandemic

Article by the Office of the Data Protection Ombudsman

Latest updates by the Finnish Institute for Health and Welfare