Data protection during the health crisis: is GDPR confronted with Covid-19?

Data protection is confronted with unprecedented challenges during the coronavirus times.Covid-19 pandemic is a durability test of GDPR (the EU general data protection regulation) because it is the first time when the data protection law goes through a large-scale public health crisis. The lessons learned will definitely affect and modify the law in future.

When it comes to health, data is treated very carefully as this data category is considered extremely sensitive. Under the GDPR, health data usually requires explicit consent. An exception which allows personal data processing without consent is prescribed in Article 9 that states that processing of personal information is possible when it is necessary to protect “against serious cross-border threats to health.”

Putting it in a nutshell, the crisis resulting from coronavirus becomes the legal ground for data collection and processing. But there is still the need for confidentiality, data minimization, purpose limitation and data security, so the law cannot be obscured.

Companies are trying to learn a fine line between privacy and protecting public health. Employers are trying to understand how to interact with their employees and whether it is appropriate to ask them about their travel plans, require to complete medical questionnaires or to take their temperature.

The experts generally agree that if a staff member is infected, it is permissible for the employer to notify other people of potential risks but without mentioning the name of an employee who was tested positive. Moreover, the data protection authorities say that it is absolutely okay to ask whether the employees have recently been in high-risk places or have been interacting with persons infected with the Covid-19. However, if the employees’ temperature is being taken upon entering a building, that could subject the company to liability.
Some scientists believe that tracking people’s movements using the phone signals and location data would slow down the spread of the virus. However, it would not be legal since the use of location information does always require consent without an exception.

What happens over the next few months is still unclear but when the health crisis will begin to resolve, the businesses will have to consider what to do with the collected data and especially if the data was collected without consent. If the company is keeping the personal information, it needs no have a legal basis for keeping it. GDPR generally encourages to get rid of data that is no longer needed and companies have to remember that the more sensitive data is, the greater stimulus there is to delete it.

Read our blog to keep abreast of all actual and interesting technology news.