Governments and businesses have introduced mechanisms for health tracking and reporting, including contact-tracing and self-reporting apps, to tackle the COVID-19 pandemic. Whilst these mechanisms have been introduced to protect people, the European General Data Protection Regulation (GDPR) still requires companies and institutions to comply with data protection and privacy law.
Regulators, like public and private organisations, were unprepared for the pandemic. However, after some adjusting they were able to provide guidance on how to interpret existing legislation during the crisis.
The European Data Protection Board released a statement in April regarding GDPR’s applicability in these exceptional times. The Board emphasised that the GDPR rules must be adhered to, even during times of crisis, and that they may be more vital in these cases than ever.
Whilst European regulators and the European Data Protection Supervisor do not think the pandemic nullifies GDPR rules, there is a consensus among them that those rules are flexible enough to accommodate emergency measures while still requiring adequate safeguards. The GDPR does permit national governments to act in the public interest. However, in doing so they must limit the data they use to what the measure actually requires.
Organisations are collecting information from personnel, such as whether they have self-isolated or self-quarantined. Many companies may do this by collecting device location data; under the GDPR, such data is considered personal data and is therefore protected.
What organisations need to understand is that under GDPR rules they can only collect as much personal data as is strictly necessary for the purposes being pursued. Organisations are also required by the GDPR to have a legal basis for processing personal data; here, the relevant purpose is limiting the spread of the virus and protecting employees’ health.
Organisations should also bear in mind that disclosure to personnel of information about COVID-19 cases within the organisation should be limited to what is necessary. Organisations must also be transparent, informing affected individuals about how their data is used.
According to data protection laws, data must be protected against cyber risk and unauthorised sharing. A personal data breach is any breach of security that leads to accidental or unlawful destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed.
The current working conditions related to remote work can increase organisations’ exposure to such breaches. For instance, an employee might fall victim to a hacker attack, or personal data might be lost during a power failure at home.
Many people working from home now use unsecured devices and internet communications with a lower level of protection than those used in corporate and institutional networks. Deloitte recommends that organisations should develop and implement procedures for the protection of personal data as part of remote work.
This includes informing employees about the risks to personal data, such as phishing attacks disguised as “clickable” information about coronavirus. In addition, companies should provide employees with laptops, mobile phones and other equipment necessary to establish secure VPN connections for remote working.
It is necessary to take certain public-health measures in these exceptional times to reduce the spread of the virus. However, governments and companies must balance this against data-protection rights to ensure continued compliance with the GDPR during the ongoing pandemic.
Words by: Kristin Klungtveit