For the past few weeks, we've been hearing the word Coronavirus non-stop. With new pieces of news and information spread daily by the media, there has been an increasing level of panic globally. The World Health Organisation even estimated that 89 million medical masks would be needed for the Coronavirus every month.
When this type of epidemic happens, in addition to the disease, misinformation spreads. Proof of this is that many online platforms, such as Twitter or Facebook, have been forced to implement mechanisms to avoid fake news and redirect users to reliable sources of information. This mix of fear and misinformation helps to generate widespread alarm that can have a significant impact from both a social and economic point of view.
As a result, many companies and organisations have implemented action plans to prevent the spread of the virus. Many of them, for example, are betting on remote work, as well as restricting business trips. However, some organisations have gone one step further and have implemented ways to find out if individuals visiting their offices have any kind of symptoms or have been in any risk areas recently (which nowadays include countries such as China, Japan, Saudi Arabia or Italy). This is also happening in schools, universities and other public institutions.
All these measures undoubtedly seek the laudable objective of ensuring health. However, where is the limit? To what extent can personal data be requested for this reason? Would we be prepared to use millions of personal data in order to find out who has or has had the virus and who has not? Or which buildings the people who are incubating it live or work in? Or to monitor which people have recently gone to the pharmacy to buy some medicine?
It is important to note that health data is a special category of data that requires a higher level of protection in most privacy laws around the world, including the EU's General Data Protection Regulation and the UK Data Protection Act 2018. Therefore, the processing and transmission of such data can only take place where one of the exceptions included in those laws applies, and it must be accompanied by a set of security measures to ensure the integrity and confidentiality of the data.
Many organisations are starting new processing of special categories of data without assessing the privacy implications. What exception could apply to these processes to make them legitimate? Can they rely on the health-related public interest in this context? Is it necessary to obtain consent? Is the collection of all the data we are asking for truly justified? Could we achieve the same purposes by using less data? These are all aspects that should be analysed before starting the collection of health-related data on the basis of the Coronavirus.
The CNIL has recently indicated that employers must avoid the collection of personal data for purposes that are not strictly necessary for the management of the virus exposure and they must implement sufficient measures to ensure the protection of individuals’ privacy and personal data.
In addition to this, there should be an obligation to adequately inform individuals about the processing of their personal data, as well as an assessment of whether a Data Protection Impact Assessment is necessary (e.g. for processing specially protected data on a large scale). It is also important to design a retention schedule for this kind of processing, as it will probably be a temporary process and organisations should not keep this sensitive data of visitors, employees or other individuals for a long time.
In conclusion, the Coronavirus epidemic is clearly a global concern that must be addressed. It is good that organisations want to help reduce the risks, but let’s not forget that laws still exist. Therefore, before starting to take measures to prevent the spread of the virus, it is necessary to remain calm and design a plan that takes into account all the consequences at the operational and legal levels, including privacy and data protection matters.
The text alerts are also affecting shops and restaurants that infected people visited before their diagnosis was confirmed. While the texts do not identify the patients – other than giving their gender, age range and assigning them a case number – they do reveal the names of shops and restaurants they visited before they were tested