At times like these, we often hear that "data protection goes out of the window" or "safeguarding and public safety trumps GDPR". In fact, though there are incredible pressures on everyone, data protection has never been more important. It's not something to be overlooked as we all start processing data in new and different ways.
So here is an overview of some of the technical considerations of sharing data and its legality under GDPR and the Data Protection Act 2018. In these answers, we find that nothing "trumps" data protection; rather, consideration has already been given to these eventualities.
Firstly, the legality of processing data.
For anyone in an emergency health care situation, some personal data will be processed under vital interests. Article 6(1)(d) of GDPR states that processing is lawful if “necessary in order to protect the vital interests of the data subject or of another natural person.” For special categories of data, Article 9(2)(c) similarly provides that processing is lawful where it is “necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”
There are other more complicated questions which we will look at here:
1. Contact without consent
The ICO FAQs state that public health authorities can contact us about COVID-19 without prior consent. Many of us have already received emails and text messages encouraging us to stay at home, sent by internet and telecoms providers at the instruction of the government.
This is allowed for in GDPR under Article 9(2)(i), which states (in part): "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health..."
Additionally, this is expanded in Recital 54, which includes: "The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject."
This is processing as a task in the public interest - it's not to be used by employers as a method for other purposes...but could be used by employers to inform staff about public health issues in the workplace (for example, to communicate with staff and parents about school closures).
2. Public sharing of data
There are currently public databases and apps with details of coronavirus patients, though mostly these seem to be from Asia. South Korea's app, which traces people's locations and informs others if they may have been in close proximity to an infected person (see geolocation data, below), is a case in point. There are others, including publicly accessible Google spreadsheets published by the Open COVID-19 Data Curation Group, intended to aggregate data in order to facilitate research and aid in the development of strategies to track and trace. Whilst not containing names, the data does contain age, location, gender, symptoms, onset dates and travel history.
The ICO also advises in their FAQ that you can share information on your employee's health with the public health authorities.
The GDPR was remarkably prescient in relation to this. Recital 46 includes: "Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
And what about where individuals have travelled from one country (where they are known to have been infected) to another? How can public health authorities be warned? Does that not go against international data transfers?
Again, the GDPR has you covered. Article 49(1)(d) provides for this when: "the transfer is necessary for important reasons of public interest". And Recital 112 adds very usefully that this could be "for example in the case of contact tracing for contagious diseases".
3. Geolocation data
There's a key difference here between Europe (and wherever GDPR applies) and other locations. A key part of South Korea's strategy has been to use an app to track and trace where infected people have been and to push out information to others who may have been in close proximity. Israel, Singapore and Iran are reported to have similar approaches that could impact on civil liberties. In Korea this app could easily allow the identification of individuals, and their whereabouts could reveal other private (special category) data such as sexuality, political and religious affiliation. Phone data and social network data could easily identify where you have been and who you were within 2 metres of at any time. Israel is actively tracking anyone who has been infected.
In the US, using this data is still under consideration. In Europe (and likely in the US too), this data will be aggregated and anonymised to assist in modelling the spread of the disease, by showing how effective social distancing is and providing movement maps. But it's unlikely to be used to track and inform directly about who you came into contact with and when, as this is considered too high an invasion of privacy. Under GDPR this is covered under restrictions on profiling (Article 22(1) and Recital 71). The recital includes: "The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing". It goes on to make clear that profiling "consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements..."
It has been reported to have been a key element of South Korea's fight against COVID-19, and there are health professionals who think such an approach would help here. Article 9(2)(i) and Recital 54 may cover it: "The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject." But otherwise, why not ask for consent?
If you have any questions about data and coronavirus, or anything else get in touch at