This article is part of a 5-part series authored by AnantLaw partners
Part 2: Treatment of data collected during Covid-19 outbreak: International Jurisdictions
On March 13, 2020, the data protection authority of Belgium issued guidance for employers on the treatment of data collected with respect to COVID-19 (“Belgium Guidance”). The Belgium Guidance suggested that employers may not conduct generalized and systematic checks on employees (e.g., temperatures). Checks concerning employees’ health are suggested to be carried out by the occupational physician. Further, tests cannot be conducted arbitrarily by employers; there should be some justifiable reasoning and a positive presumption that an employee has been exposed to or shows symptoms of COVID-19. The Belgium Guidance also suggests that employers may not ask an employee to fill out a form about his/her health situation or recent travels, as this is likely to create social stigma or social panic. Further, the Belgium Guidance recommends that employees should be encouraged to voluntarily disclose symptoms, if any, or details of recent travel to areas adversely hit by COVID-19, to the occupational physician. Employers should maintain secrecy about the data pertaining to a person infected by COVID-19, and such data should be shared with other employees, if required, only on a no-name basis. Further, any data processed by the employer in response to COVID-19 should be within the four corners of Article 5 of the General Data Protection Regulation (“GDPR”), which deals with lawful processing of personal data. This is in line with the guidance issued by other European Economic Area regulators, including France, Germany, Hungary and the Czech Republic.
The United Kingdom’s independent authority is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It lays down guidelines concerning the treatment of data collected during COVID-19 for organizations, including corporate houses, in the form of a Q&A (“UK Guidance”). Amongst other things, the UK Guidance attempts to answer: (i) Can an employer or a company disclose the names of infected persons to other employees or third parties? (ii) Can an employer conduct systematic checks on employees or visitors, or collect other health-related data directly or indirectly? (iii) Can an employer share an employee’s health information with authorities for public health purposes? (iv) As most of the staff would be working from home, are there any measures which should be taken by the organization to ensure information is secured? In responding to these questions, the UK Guidance recommends, with respect to question (i), that data of infected person(s) can be shared with the employees, but on a no-name basis. With respect to question (ii), the employer can reasonably ask employees about their travel history or symptoms (if any), and if this approach doesn’t work, the employer can collect the information only in a limited manner with appropriate safeguards. Further, dealing with question (iii), according to the UK Guidance, UK data protection law doesn’t restrict employers from sharing an employee’s information with the public health authorities for the purpose of public health. The UK Guidance further clarifies, with respect to question (iv), that although there is no explicit prohibition on working from home, organizations need to adopt the same kind of security measures for the organization’s data that they would use in normal circumstances.
In the USA, though there is no robust data protection legislation¹ like the GDPR in the European Union, under the Health Insurance Portability and Accountability Act Security Rule, covered entities are expected to implement reasonable and appropriate administrative and technical controls to protect the confidentiality of protected health information. The US Department of Health and Human Services also released a bulletin outlining when disclosure of such information is allowed, and stating that, though information can be released for public health purposes, to avoid a serious and imminent threat, even such disclosure should be limited to the minimum necessary to accomplish the public health purpose.
China has taken a proactive approach to showcase protection of personal information. Collection of personal information should be limited to key groups (confirmed cases, suspected cases, close contacts of confirmed cases), and it should not constitute de facto discrimination against individuals of targeted geographic locations. Institutions collecting such information shall be responsible for the maintenance and protection of such data. While employers in China may collect their employees’ personal data, such collection should be limited to that required for a legitimate and just purpose, and the informants must consent to and be notified of the purpose and scope of such collection. Such collection is also permissible in Hong Kong and Singapore. Further, in China, collected information can only be shared with third parties in specific situations, such as a public health emergency or to assist the government in inquiries or investigations, among others. This information can be retained by the employer for as long as the purpose of such collection remains, after which the data should be deleted or anonymized.