As businesses introduce strategies to manage the outbreak of Covid-19 and begin implementing business continuity plans, they should take a minute to consider their obligations under the applicable data protection legislation.
As the UK remains in the ‘Containment Phase’ for now, businesses are providing employees with information on how best to prevent the spread of Covid-19 such as washing your hands. However, as the number of Covid-19 cases increases, businesses are implementing containment policies that include asking employees to share and report their location (including for personal and business travel) as well as providing health information on request. Location data constitutes personal data under data protection law and health information is ‘sensitive personal data’, which requires additional consideration.
What do businesses need to consider?
- Fair and lawful processing: In order to collect and process employee location and health data businesses should consider their ‘legal basis for processing’ under data protection law (i.e. legitimate interest, consent etc). Is additional processing of data in response to Covid-19 compatible with the purposes for which it was initially collected and have you provided fair processing information?
- Storage: Data security requirements still apply to the processing of personal data. This means businesses must ensure they have organisational and technological processes in place to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data.
- Anonymisation: Anonymisation should always be used with caution as personal data must be ‘truly anonymous’ meaning the individual is no longer indirectly or directly identifiable. In South Korea safety guidance texts were sent to citizens which included the past movements of people recently diagnosed with Covid-19 and while they were believed to be anonymised, individuals were indirectly identified through the information disclosed in the texts. Had this happened in the UK, it would likely have been an infringement of data protection law.
- Do any exemptions apply? There are exemptions under data protection law for personal data processed where required by law, to protect the public (subject to defined categories) and in relation to health (under limited circumstances).
- Data Protection Impact Assessment (DPIA): Consider undertaking a DPIA to assess the risk of processing personal data with any changes your organisation is implementing. Undertaking a DPIA will help you identify and reduce any data protection risks.