With the rapid spread of the novel coronavirus (COVID-19) worldwide,(1) many countries have been stepping up their efforts to contain the spread. One critical aspect of containment is contact tracing, which enables the quick identification of infection clusters and the testing and quarantine of identified individuals.
Business owners in the private sector have become invaluable partners of contact tracing efforts through their conduct of temperature screening and collection of information on employees, occupants and visitors to their premises. In so doing, large amounts of personal data may be collected, including names, contact numbers, health status and travel history, giving rise to concerns over how such personal data may be collected, processed and used.
The Personal Data Protection Commission issued advisory guidelines clarifying that although COVID-19 falls under the emergency exception under the Personal Data Protection Act ("PDPA"), such that personal data may be collected, used or disclosed without consent for purposes of safeguarding the health of the occupants and contact tracing and other response measures, such collected personal data remains subject to all other data protection obligations under the PDPA.
These obligations include, but are not limited to, the obligation to protect personal data by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risk, and the obligation to cease retaining such personal data as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served and retention is no longer necessary for legal or business purposes. Such personal data may not be transferred outside of Singapore except in accordance with the PDPA.
Business owners should take proper precautions to prevent the commingling of such personal data with other sets of personal data in their possession, and to prevent unauthorized disclosure of such data, except to cooperate with health officers appointed under the Infectious Diseases Act, who have the power to require any person to furnish any information within his knowledge or to produce any book, document or other record, to investigate any suspected outbreak or prevent the possible spread of an infectious disease.
Like Singapore, the Personal Data (Privacy) Ordinance ("PDPO") in Hong Kong also provides exceptions in emergency health situations to the general rule that personal data cannot be used or disclosed for a purpose other than the original purpose of its collection or any directly related purposes. These exceptions can be considered to have kicked in as COVID-19 has been added as one of the notifiable infectious diseases under the Prevention and Control of Disease Ordinance.
The Privacy Commissioner has clarified that "there are sufficient legal and justifiable bases" on which the government may collect and use information obtainable offline or online with the aid of devices, applications, software or supercomputers with a view to tracking potential COVID-19 carriers or patients in the interests of both the individuals concerned and the public(2).
However, save for registered medical practitioners who are required to notify the Centre for Health Protection of the Department of Health of all suspected or confirmed cases of COVID-19, there are no reporting requirements imposed on the private sector.
Nevertheless, business owners should observe the Data Protection Principles under the PDPO as a matter of best practice and as far as reasonably practicable. For instance, an employer may request its employees to undergo medical examination and submit health forms, but in so doing the employer should clearly set out its purposes of collection (including for the assessment of health risks and possible sharing of the data with government authorities), and ensure that the data collection is necessary, adequate and not excessive, and that the data collected is held securely.
Following a brief state of confusion, the Italian Data Protection Authority ("DPA") issued recommendations on 2 March 2020 on data governance compliance in the context of the COVID-19 outbreak.
The DPA recommended that employers refrain from any generalized and systematic data collection and processing, such as the collection of health and travel declarations from their employees, which may not be compliant with the basic principles of the General Data Protection Regulation ("GDPR") and may even expose the employer to claims of unjustifiable discrimination. Needless to say, business owners should not ask the same of their customers.
Instead, the DPA noted that the current emergency legislation already mandates self-reporting, which requires individuals who have been to countries with a sizeable number of cases or who had been within the quarantined areas in Italy within the last 14 days to declare their travel history to the public health or civil protection authorities, which are the sole entities entrusted by the government to tackle this emergency. The latest law decree issued on 9 March 2020 further confirmed the authorization for data sharing between public health and civil protection authorities to manage the emergency and to ensure the proper diagnosis and health care of confirmed cases.
Employers can still be proactive by implementing recommendations issued by the public health authorities on safety and sanitation, arranging for staff to work from home wherever possible, and rescheduling non-urgent activities and meetings. Employees in turn should be socially responsible and report any biological risk factors such as infection with COVID-19.
On 12 March 2020, the UK Information Commissioner's Office ("ICO") issued an official statement clarifying that UK data protection law does not prevent the processing of personal data where it can be reasonably concluded that this is needed to protect individuals and the public generally, as the safety and security of the public remains the compelling public interest in the current health emergency(3).
For example, the law does not prevent the sending of public health alerts which are vital to the management of health risks and incidents such as COVID-19, nor does it prevent the use of technology to facilitate safe and speedy consultations and diagnoses.
UK employers are allowed to enquire whether employees or visitors have been to a high-risk territory or if they have been in contact with anyone who has had symptoms of the virus, but otherwise employers should not collect more information than is required to protect the health of the wider workforce and other members of the public, and ensure that such data is not shared other than on a need-to-know basis where there is justification to do so.
What it boils down to for UK employers is a question of proportionality and, at this stage – given the global pandemic is not currently regarded as being so serious in the UK as it is in certain other countries – forcing people to submit to forms of more detailed data collection that verges on privacy intrusiveness, such as compelling individual employees to undertake medical examinations before they can work in the office, is less likely to be justifiable.
However, if the situation in the UK worsens (e.g. if a state of emergency is declared), it is foreseeable that more intrusive forms of data collection and processing may start to become justifiable.
In the United States, privacy regulations like the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule are forcing public health officials, governments, healthcare providers, businesses, and the like who are dealing with COVID-19 to navigate the tension between protecting individual privacy and protecting public health. The HIPAA Privacy Rule (the "Privacy Rule") protects the privacy of individuals' health information.
The U.S. Department of Health and Human Services ("HHS") recently issued a bulletin to ensure that HIPAA covered entities and their business associates (e.g., healthcare providers, etc.) who are responsible for safeguarding the privacy of individual health information are "aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation[s]," and to "serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency."(4) (emphasis supplied)
According to the HHS bulletin, the Privacy Rule permits covered business entities and their business associates to disclose protected health information without individual authorization only: (i) to public health authorities; (ii) to anyone to prevent a serious and imminent threat to the health and safety of a person or the public; (iii) to family, friends and others identified by the patient as involved in the patient’s care; or (iv) to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care. All other disclosures are prohibited.
What this mostly means for employers is that, unless an employee voluntarily discloses or authorizes the disclosure of their health information, the employer may not inquire into the employee's health status. Employers should, however, be allowed to inquire about whether employees have traveled within high-risk areas or whether employees have been in contact with anyone who has symptoms of the virus.
The varying positions across different countries offer an intriguing look at how to strike the correct balance between private and public interests in emergency health situations. It is clear, however, that data protection obligations have not been thrown out the window.
As the COVID-19 situation continues to evolve and spread across continents, it is difficult to predict how long these personal data collection and contact tracing efforts will be required to be in place. During this time, business owners should remain guided by the regulations and recommendations issued by local government authorities, and continue to comply with their data protection obligations.