To print this article, all you need is to be registered or login on Mondaq.com.
One unanticipated consequence of the COVID-19 pandemic has been
the huge increase in the collection of personal data.
With much of the world’s population working remotely for
extended periods, people have had to quickly sign up to digital
tools and communications platforms, often without fully
understanding how those tools may be collecting their personal
data, or worse, knowing that the companies behind those platforms
will harvest their data, but having no alternative other than to
accept. At the same time, their smart home devices are capable of
recording confidential conversations and their phones are able to
track their movements with increasing precision. Should these
workers venture outside their temporary home offices, new
surveillance and tracking measures monitor adherence to “lockdowns” and public health authorities are
increasingly sharing medical data, all in an attempt to keep the
virus under control.
The invasiveness of these measures varies from jurisdiction to
jurisdiction. Some governments have asked people to download apps
to enable contact tracing. Others are using geo-fencing technology
to make sure people stay within the “fence”. At the other
extreme, details of infected peoples’ age, gender, and their
most recent location have reportedly been broadcast via text
message to anybody within a particular radius. The response has
been spurred by national interests and to date has not been
coordinated. The European Commission and European Data Protection
Board are working to coordinate app development and related issues
and have issued guidance (respectively) on the use of personal data
to help contain the virus, with a view to increasing uniformity.
Unfortunately, early iterations of some apps have led to
suspensions due to security, adoption and privacy concerns.
While governments may be able to rely on national security or
public interest exemptions under local data protection laws to
collect and share personal data during times of crisis, individuals
are increasingly concerned about how their personal data may be
used, with whom it may be shared and the impact on their rights.
The spectre of stigmatisation is already evident. There is also a
longer-term concern as to how some of these increased collection
measures will be “rolled back” once the crisis ends, or
indeed if they will be reduced at all.
Data Protection Rights and Obligations
For most European-style data protection regimes, personal data
must be processed fairly and lawfully and used for a legitimate
purpose that has been notified to the individual. Personal data
holdings should not be excessive in relation to the purposes for
which the data was collected and should be securely purged once
those purposes have been fulfilled. If personal data are processed
for any new purposes, this processing can only be undertaken if
there is a legitimate purpose for doing so which has been notified
to the affected individual.
Data protection laws generally give individuals the right to
access personal data held about them and to request that any
inaccurate data be corrected or deleted. Businesses are obliged to
cease processing personal data once the purposes for which that
data has been collected have been exhausted. Data retention periods
vary, but each data controller must determine for how long data
should be kept and ascertain how they might be securely deleted
once the purposes for holding the data have been satisfied (in this
case, once the crisis ends).
Where personal data holdings are shared between parties,
contractual or other provisions should be put in place between the
data controller and the third party processor to ensure that any
personal data is processed only for authorised purposes, that all
data is stored and transmitted securely and that incident response
plans are in place in the event of a data breach. Use of
subcontractors by the service provider without the prior approval
of the data controller should be prohibited, particularly where
international transfers of data are involved.
As lockdown restrictions are eased and workplaces and other
locations begin to reopen, employers and organisations will need to
put appropriate measures in place to keep people safe. Those
measures are likely to further impact the use of personal data.
Some of the scenarios most frequently asked about by employers are
>Can I use temperature checks or thermal cameras to monitor
staff and members of the public for symptoms?
Generally, European-style data protection laws, including the
General Data Protection Regulation (GDPR) do not
prevent you from taking steps to keep your employees and the public
safe, but they do require you to be responsible with the personal
data you collect, only collect what is required and ensure it is
handled with care. As you will be processing information that
relates to an identified or identifiable individual, data
protection laws will bite. Personal data relating to health is
generally classified as “sensitive personal data” or,
under the GDPR, as “special category data” and therefore
attracts additional levels of protection.
When deciding whether to use more intrusive technologies,
especially for capturing health information, you need to carefully
consider the purpose and context of its use and be able to justify
using it. Any monitoring of employees needs to be necessary and
proportionate, and in keeping with their reasonable expectations.
Can you achieve the same results through other less
privacy-intrusive means? If so, then the monitoring may not be
considered proportionate or appropriate. A data protection impact
assessment is vital in helping to determine what methods may be
most effective and proportionate, taking into account the
circumstances of the business and its employees.
Protecting legitimate business interests and complying with
legal requirements to provide a safe working environment for
employees are likely to be potentially appropriate legal grounds
for carrying out such checks, however consider whether less
intrusive measures may be more useful, taking into account
government guidance on measures to combat the spread of the
>How often should I check for symptoms?
This will depend on the social distancing and other measures
that your organisation needs to put in place. Any testing of your
staff, and subsequent processing of their health information,
should be reasonable and proportionate to their specific role and
As an employer, and therefore a data controller for your
employees’ health information, you will need to decide the
appropriate length of time between tests. For front line staff who
interact with the public and those who may be more vulnerable, more
regular testing may be appropriate. Consider also any relevant
government guidance on incubation periods and related matters.
You also have a responsibility to ensure that you hold accurate
personal data. The health status of an individual may change over
time, so if you record the results of any checks, you should ensure
those records are accurate by including the date and time of any
result. Any decision to send staff home or otherwise impact their
employment should be based on factually accurate information
available at the time the decision is made.
>Can I keep lists of employees who were previously
symptomatic or who tested positive?
Yes. If you need to collect specific health data about
employees, you need to ensure the use of the data is actually
necessary and relevant for your stated purpose. You should also
ensure that the data processing is secure, and consider any duty of
confidentiality owed to employees.
As an employer, you must also ensure that such lists do not
result in any unfair or harmful treatment of staff. For example,
any decision based on inaccurate information being recorded, or a
failure to acknowledge an individual’s health status changing
over time, may be unfair.
Any such lists should only be retained for as long as they are
needed to serve their purpose and should not be used for any other
purposes. Consider any local government guidance on this aspect
also, as further scientific knowledge around incubation periods is
emerging over time.
>Can I use CCTV or other recorded images to assist with
The analysis of recorded images could assist with contact
tracing. You should assess whether this is necessary in the
specific circumstances. Analysis of CCTV footage could reveal
sensitive aspects of an individual’s behaviour. Employees have
legitimate expectations that they can keep their personal lives
private, so you should consider speaking to the individuals who
would be affected and providing advice on appropriate measures such
as self-isolation. Your approach should be guided by your existing
employee monitoring policy.
>How do I avoid collecting too much data?
For special categories of personal data, such as health data, it
is particularly important to collect and retain only the minimum
amount of information you need to fulfil the stated purpose.
In order not to collect too much data, you must ensure that the
data collected are:
- sufficient to properly fulfil your
- relevant and have a sensible link to
that stated purpose; and
- limited to what is necessary –
you should not hold more data than you need to fulfil that
A person’s entire medical history is unlikely to be
reasonable if in fact all that is required is a temperature test
Privacy should not be a casualty
As a result of the COVID-19 pandemic, most people accept and
appreciate the need for extraordinary steps to protect the most
vulnerable and the community at large. The measures being developed
in response to the virus must, however, take privacy issues into
account, have one eye on the long-term use of the data being
collected, and ensure privacy is not another casualty of the
Originally published 02 July, 2020
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.