COVID-19: The Layman's Universal Guide to Handling Personal Data Within Organisations

On Wednesday, 11 March 2020, the World Health Organisation (WHO) declared COVID-19 as a global pandemic. This declaration requires public and private organisations to put in place preventative and safety measures to help battle and control the spread of the coronavirus. As a result, organisations will need to implement new policies, practices and procedures in their daily office or other commercial routines. Some of them will involve processing personal data that is subject to data protection or privacy laws.

COVID-19 preventative and safety measures and personal data impacts

Here are some typical activities that organisations have implemented as preventative and safety measures regarding COVID-19:

• Requiring staff and visitors to submit to temperature checks and to declare any medical symptoms of 'flu before entering the organisation's premises
• Requiring staff and visitors to answer questions about whether or not they have been to countries with a large number of COVID-19 infection cases, or in contact with other infected individuals
• Implementing flexi-office or remote working arrangements with the intention of minimising the risk to themselves of exposure to infection (for example, during their commute to the office) and minimising the risk to others (such as their office colleagues) of exposure to infection
• Responding to medical emergencies (for example, where a staff falls ill and medical assistance needs to be called in)

In addition, governments have implemented the following preventative and safety measures:

• Conducting surveillance activities, including contact tracing whenever an infection is reported
• Quarantining individuals, including in isolation wards in hospitals when they have been diagnosed as having been infected with COVID-19 and in home isolation when they have been in close contact with an infected individual
• Monitoring that individuals required to be in home isolation comply with the relevant requirements

All of these activities involve processing personal information, including potentially sensitive health-related information, that is subject to data protection or privacy laws.

Organisations need to ensure that these activities are done in a way that complies with relevant data protection or privacy laws and that complies with relevant employment and workplace safety and health laws. Here we consider data protection / privacy compliance.

Comply with Data Protection / Privacy Laws when dealing with COVID-19

Generally, there are laws or regulations that govern the collection, use, sharing, storage, disposal, disclosure or transfer of personal information. They need to be reviewed to discover if, and to the extent that, they permit the types of activities listed above and the steps that may need to be put in place to comply with them. Non-compliance with them can get your organisation into trouble with the law in terms of administrative sanctions and criminal proceedings, depending on the jurisdiction.

The Member States of the European Union and other countries in Europe, including the UK, Switzerland, Liechtenstein, Iceland and Norway have data protection / privacy   laws. Countries in the Asia Pacific region, such as Singapore, Malaysia, the Philippines, Hong Kong, Macau, Taiwan, Australia and New Zealand have data protection / privacy laws too, while the People's Republic of China have best practice guidelines (namely, the Personal Information Security Standards).

Indeed, globally as at 31 January 2019 there were 132 countries with data protection / privacy   laws and at least 28 other countries had official Bills for such laws in various stages of progress.

In most countries (although not in Singapore and Malaysia) the laws apply to both public / government and private organisations. In Singapore and Malaysia, there are other (but reportedly similar) rules to follow when governments process personal information.

Medical information is sensitive

Information about the health status of an individual and medical information about them is almost universally considered to be sensitive data because how it is handled may impact the well-being of individuals including, in particular, if details are disclosed against their wishes.

Generally, countries classify health and/or medical data or information as "sensitive personal information" or use a similar term indicating that it requires special treatment. The starting point is that they prohibit processing of sensitive personal information. Then it is allowed only where certain conditions are satisfied or where there is an applicable exemption from such prohibition.

Organisations must comply with data protection / privacy laws and regulations when they process health and/or medical information - including health status - for the purpose of preventative and safety measures to mitigate COVID-19 risks.

Data Processing Risks and Controls

When developing and implementing preventative and safety measures to mitigate COVID-19 risks, organisations must take into account the data protection / privacy risks that may arise and the controls needed to mitigate them.   They must take into account the entire life-cycle of processing personal data - from collection of the personal data, use and any disclosure of it, to the care of personal data during collection, use and disclosure and to the storage and, ultimately, the disposal of personal data. 

All data protection / privacy laws and regulations include principles and requirements in connection with the collection, use, disclosure and storage (including disposal) of personal data. These principles generally carry the heaviest fines or penalties in the event of any compliance failure.

The data protection / privacy laws and regulations do not prescribe exactly what organisations need to do. If they were prescriptive there would be a "one-size-fits-all" approach and many organisations would likely find that they could not carry on their operations efficiently and effectively. Instead, the data protection / privacy laws and regulations provide organisations with flexibility by providing a range of principles. Organisations can implement them in a way that is most appropriate to their own circumstances and context.

However, the starting place is always that an organisation needs to work out what personal data it collects, at what collection points (for example, at service counters or by online forms) and for what purposes. Then it needs to know how the personal data flows internally through the organisation for each processing activity required to fulfil the relevant purpose.

This is the baseline information that the organisation needs to ensure that, at each stage - that is, in collection, use, disclosure and storage (including disposal) - the organisation complies with all applicable data protection principles. In summary, the organisation needs this baseline information so that it can assess the risks of non-compliance, device and implement appropriate risk controls and then document them in its internal data protection / policies and standard operating procedures (SOPs). The outcomes will be described in the Data Protection Notice or Privacy Notice (often misdescribed as a Policy) that it typically posts on its website.

Knowing the specific purposes when processing personal data

The first step in enabling an organisation to comply with applicable data protection / privacy laws and regulations is to determine very clearly the purpose or purposes of processing personal data. This needs to be done for each of the activities that the organisation will undertake. Given the special rules that apply to processing sensitive personal information, this is especially necessary when it comes to processing health and/or medical data or information.

The second step, which depends on certainty in the first step, is for the organisation to determine if the identified purposes are compliant with the principles in the applicable data protection / privacy laws or regulations. For example, the organisation must determine whether each purpose has a legitimate basis and whether the personal data collected organisation is fair, proportionate or excessive in relation to each intended purpose.

In other words, in practice it is not uncommon to discover that there is a disconnect between the baseline information about what personal data is collected and the purposes for which it will be used - to discover that excessive personal data / personal data that is not relevant to a specific purpose is collected and/or that there is no legitimate basis for collecting it. Collection of such excessive personal data needs to cease and the organisation needs to securely dispose of excessive and/or illegitimately collected personal data collected in the past.

COVID-10 Activities that involve processing sensitive personal data

The following are typical examples of how personal information collected in connection with COVID-19 preventative and safety measures is processed at each stage of the information life-cycle. They are likely to apply to most if not all an organisation's COVID-19 preventative and safety activities in order to protect other individuals from infection or to trace those individuals who may have been exposed to infection:

• Collect personal information such as contact details and likely health condition, including body temperature, from staff and visitors for the purpose of monitoring their health condition
• Screen health profile (health status) and recent travel destinations of all employees and visitors
• Provide personal information to the human resources department as well as managers or supervisors of the respective functions or departments (for example, when arranging meetings or when running internal or external events)
• Evaluate or make travel arrangements for staff that involve using and disclosing personal information
• Retain the names and contact details of all staff and visitors for contact-tracing purposes
• Disclose personal information to help public health authorities trace people who may have been exposed to COVID-19 if one or more individuals become ill shortly after visiting the organisation or attending an event
• Transfer medical records to another country for COVID-19 treatment of the individual or to assist in their diagnosis

Organisations must ensure that they assign clear responsibility to a specific member of staff and/or department for processing personal data in relation to COVID-19 preventative and safety measures. This includes assigning clear responsibility for the organisation complying with applicable data protection / privacy laws or regulations.

Such compliance must not be overlooked in the understandably harried environment that organisations face in dealing with COVID-19. And it cannot be a case of "I thought someone else was doing that".

Article contributed by

Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP),,,  Lyn Boxall (FIP, CIPM, CIPP/A, CIPP/E, GRCP) GRCA) ,  William Hioe (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP),