COVID-19 DATA PROTECTION GUIDELINES
Our Company via the Emergency Response Team – ERT is using all available resources and planning to continue our activities in a safe and workable manner. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data and in all cases it should be recalled that any measure taken in this context must respect the general principles of law and must not be irreversible. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.
Currently we are operating in shifts which exponentially increased the levels of remote working, these are challenging times and as we are taking all measures to protect our people we must also be vigilant to protect our data and the relevant data subjects.
By processing data we need to consider some important issues:
The COVID-19 Data will include information about individuals from our group or those visiting for whatever reason our premises, this information may be about travel movement specially for the team of engineers, symptoms related to COVID 19, body temperature and any action taken on this respect, i.e. sending people back home, or prohibiting their entry into our offices, or informing about health vulnerability etc. This data is considered sensitive data under GDPR as it refers to the physical health of a natural person and as so, requires special protection.
The GDPR foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where collection is necessary for reasons of substantial public interest in the area of public health, where there is the need to protect the vital interests of the data subject as control of an epidemic or pandemic as the current case.
We must keep at all times our employees, staff, collaborators, visitors etc, informed about the purposes of processing (health and safety), the legal basis (public interest and protection of life), the retention period (to be destroyed as soon as feasible); who has access (access is restricted to the ERT). The data subject must also know who to contact in case of retrieving, requesting to delete (when possible), to amend or to stop processing such data. All other general information on processing of personal data is provided at our privacy notice herein.
The information collected shall be minimum and proportionate
The information shall only be used for necessary purposes such as managing the immediate health risk and making decisions as to actions required. The ERT provided guidance on protocol for recommended actions on risk scenarios – including, who will be notified in the event that someone tests positive. In general, only the minimum amount of information shall be collected to comply with the principle of minimization and this information should be available only for those who need to know.
Any subsequent processing for related purposes, such as lessons learnt about planning, management and business continuity matters, shall be carried out with genuinely anonymized data to the extent possible and any unnecessary information shall be deleted and will not be used for any other purpose specially not for any sort of assessment that may be in detriment to the data subject.
We shall not forget that individuals’ privacy is a matter of great importance, but it is not an unlimited right and needs to be balanced against other duties, rights and interests, such as the employer’s health and safety obligations, duty of care and responsibility to ensure business resilience and continuity. Good practices, genuine intentions, careful thinking, documentation of the decision-making process and implementation are a must to our Group.
Deletion of data
Test results, health status data shall only be used for the related purposes and retained for the period necessary to identify risk scenarios and to take immediate action. The ERT may retain the data to follow up with those who have tested positive or suffered symptoms to ensure they have appropriate support and know when they should self-isolate and when it is safe to return to the office, retention may also be necessary to comply with legal obligations. If some of this information is generated in hard copy (i.e. visitors’ confirmation/forms that they have not been exposed to the virus), these records shall be destroyed, as well as all other related data once the purposes are fulfilled.
Do not compromise security
This information (as with all personal data) shall be processed and retained securely in line with good practice. This also means that guidance and protocols on what should be collected and who gets to see it will be very important and data controller/processors shall not deviate from the protocol.
The processing of such sensitive data is based on the necessity to perform the employment contract (on the assumption that ensuring health and safety is either an express or implied term of the employment agreement), that the processing is necessary to comply with legal obligations (again relating to health and safety) or, in extreme cases, that the processing (e.g. sharing information with a healthcare professional) is necessary for the individual’s vital interests. Vital interests are, however, only relevant in cases of an emergency.
Update records of processing
Records shall be kept updated and data subject must have easy access to their own information at all times by a simple request to the ERT at email@example.com.
Any sharing of COVID-19 data must be avoided and will only occur: (i) with authorization or recorded acknowledgement of the data subject, or (ii) if needed to be disclosed for the safety and interest of the data subject in cases of emergency or (iii) if requested by law. If data sharing is necessary on a controller-to-controller basis (for example, with medical services, healthcare providers or public authorities (such as public health organizations), our group with the assistance of our DPO will carry out proportionate due diligence.
The European Data Protection Authorities (DPA) are taking different approach on the restrictive ways to deal with issues related to the COVID-19 data, in general it is important to know that our group will pursue: (i) to keep people informed of our processing protocols, including any need or legal request for sharing data (ii) collect the minimum necessary data, (iii) expose such data to the minimum number of people, (iv) make sure the data is well protected by technical and organizational measures, (v) delete all data as soon as possible, (vi) not to use the collected data for any other purpose (vii) follow good practices at all times, (viii) to provide easy access to the data subject’s records; and (ix) always to keep records of any required actions involving the data processing and data subjects.
In case there is any question regarding the processing of COVID-19 Data, please do not hesitate in contacting us at the Legal Department firstname.lastname@example.org