COVID-19: Can organizations release personal information of employees to the government or a public agency?

In the Philippines, the simple answer is YES.

Due to the COVID-19 pandemic, organizations are in uncharted territory on how to keep employees safe and still be able to follow the data privacy/protection law. Most organizations are in a quandary on whether personal information about the health of employees can be shared with the government or a public agency, “particularly without the consent of the relevant individual”. The secret to unlocking that quandary lies in understanding the principles that underpin data privacy / protection law and applying them in any particular set of circumstances. See ‘What Can Organizations Do?’ below for a checklist to help organizations get started. 

What we have to deal with 

Due to the COVID-19 pandemic, many new terminologies have become bywords in the corporate world - person under monitoring (PUM), person under investigation (PUI), social distancing, self-isolation, home quarantine, etc. Government use words such as enhanced community quarantine (ECQ) or circuit breaker. The general public still say “lockdown”. 

Who would have imagined that aside from surrendering an ID to enter an office or building, visitors now also need to submit to temperature checks. Companies are monitoring the health status of their employees in unprecedented ways due to the contagiousness of the coronavirus. They are collecting personal information such as employees’ contact exposures, travel history, client meetings and maybe even the health status of employees’ family members. 

In most ASEAN countries, there are laws and regulations that require infectious diseases to be reported to the government. In the Philippines, there is the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act (RA11332). In Singapore, there is the Infectious Diseases Act (Chapter 137), while in Malaysia there is the Prevention and Control of Infectious Diseases Act 1998. These laws require not only medical institutions and medical professionals, but also private institutions and workplaces to accurately and immediately report notifiable diseases and health events of public interest to the relevant government agency. In some cases, the national government, together with local authorities, sets up disease surveillance units. 

There are also various laws that require employers to provide a safe working environment. Employers generally do so: installing guards on dangerous machinery, controlling noxious chemicals, fumes and dangerous liquids, properly ventilating factories and offices, guarding against various other physical hazards, providing first aid facilities, reporting workplace incidents and accidents, etc. Taking at least reasonable steps to shield employees from diseases, including infectious diseases is always on the list too. But generally this does not appear high up on an employer’s ‘to do’ list. Employees might catch a cold or even a seasonal ‘flu, but beyond perhaps keeping them away from the workplace for a few days and causing some loss in productivity, such infectious diseases are little more than minor irritants. COVID-19 and its potential health consequences is very clearly different. There is debate around the extent to which employers may need to protect their employees from COVID-19 infection in the workplace, but little or no argument about employers having some such obligation. 

So, in this time of the COVID-19 pandemic, companies need to comply with laws about notifying infectious diseases, etc., while also securing the safety and well being of their employees and complying with data privacy / protection obligations. It is reasonable to assume that even after the imposed lockdown is lifted or modified in some ways by governments, and perhaps for quite a long time afterwards, a new norm in employee monitoring will need to be adopted by organizations. 

What can organizations do to comply with data privacy / protection laws? 

Risks to be aware of

• Not understanding the relevant lawful basis for processing for each processing activity relating to COVID-19.
• Unauthorized processing of personal data (for purposes unrelated to the COVID-19 purpose) where employees have not given consent or unaware of the unrelated processing.
• Personal data leakage or accidental disclosure, malicious intent or staff negligence.
• Excessive disclosure of information.

Actions needed

• NOTICE to employees.
• Guidelines and Code of Conduct for authorised staff governing disclosure of personal data - including rules about who may disclose personal data for COVID-19 purposes, when they may do so and in what way they may do so. 
• Standard Operating Procedures when disclosing personal data to any authorized government agency. 
• Determine the minimum necessary to disclose to achieve the relevant purpose. For example, if the purpose is contact tracing does the employee’s name need to be released or merely their working location? If their working location needs to be disclosed, to what level of detail? 
• Record the disclosures of personal data, including both what was disclosed and why it was necessary to disclose it.

Review your processes 

• What kind of personal data do you collect for your processes? Do you collect only what is necessary? •What are the means of collection? (Email, health declaration forms, etc.) 
• Do you only collect, use or disclose personal data based on the specific purpose? 
• What categories of entities are personal data disclosed to? •What are your purposes in disclosing personal data? Would that be consistent with the purposes that were specified?

Best practices for Staff

• When disclosing personal data, limit disclosure to the legitimate purposes that have been determined and specified by the organisation.
• Do not disclose personal data to other unauthorized parties or individuals. Do not gossip!
• Mitigate the identified risks associated with disclosure of personal data.
• Stop processing personal data upon fulfillment of the specified purpose.
• Consult your DPO/legal counsel when in doubt.

Companies need to put in place the proper mechanism or standard operating procedures to carry out its accountability and compliance with the relevant laws. It has an obligation to provide the necessary protection to a data subject’s personal information. And be mindful of balancing the legal requirement vis-a-vis data subject rights.

Contributed by Edwin Conception FIP, CIPM, CIPT, CIPP/E

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.