COVID-19 has raised many questions about how to balance protecting consumer data privacy with the greater need for collecting and sharing health information with the government and other parties for public safety.
Is it legal to ask employees and visitors entering buildings if they have experienced coronavirus illness or symptoms? Are companies allowed to disclose if an employee has tested positive? How long should companies hold on to personal data they receive?
Data protection authorities around the globe have issued guidance and information for safe data sharing while still protecting consumers. In Europe, the General Data Protection Regulation (GDPR) that went into effect about two years ago provides a framework to achieve both.
PULSE talked with Punit Bhatia, a privacy and sourcing advisor and speaker at IAOP Summits, on what’s allowed and why having GDPR is positive and does not hinder the fight against the pandemic spread.
“These are exceptional times but that doesn’t mean you put GDPR aside,” he says. “You should use the provisions of GDPR.”
First, GDPR does not prohibit the collection of data for health reasons. It does, however, require parties to “collect the right data for the right purpose,” he says.
“Data protection laws do not stand in the way of the provision of healthcare and the management of public health issues,” Bhatia says. “Nevertheless, there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.”
Under the laws, hospitals, governments and private sector companies have legitimate reasons to collect health data during COVID-19 to protect and inform others, but specifics on individuals should not be disclosed to others who do not need this information. If an employee has coronavirus, it is not necessary to tell the entire company, just those who need to know, he explains.
Also, parties should only collect the minimum amount of data needed, Bhatia says. For example, a company may ask if employees have been in contact with anyone who has had the virus but doesn’t necessarily need to know everyone the worker has interacted with or all the countries they have recently visited.
Companies also need to be transparent when collecting data and should have a strategy for how long they will keep the information, according to Bhatia.
People should be given a choice if they don’t want to disclose information – such as employees opting instead to work from home or visitors choosing not to enter your building, he says.
COVID-19 Data Checklist
In summary, companies should follow these guidelines when collecting data:
- Have a legitimate purpose – A legitimate interest or legal obligation is needed to seek health data
- Define what data you want to collect – This can be voluntary disclosure with a simple yes/no form or asking more specific questions about symptoms, infection and contacts
- Decide how long you will keep the data – For example, three or six months or a year
- Create a privacy notice – This can be part of an existing form to collect data, a separate form or on a website
- Keep key stakeholders informed – Notify key staff through email or an online meeting about the steps you will be taking