March 17, 2020 - Austria
Which Privacy Aspects must Companies Take into Account when Processing Health Data?
Can a company collect data about a (potential) infection with COVID-19?
Both, in case of information on a suspected case and in a confirmed case, special categories of personal data are processed. Whether a company may process such health data of employees, customers, suppliers or other third parties is exclusively governed by Art 9 GDPR. In absence of a concrete legal provision, in practice, only (i) the express consent of the data subject (Art 9 Paragraph 2 lit a GDPR) or (ii) compliance with obligations under labour and social law (Art 9 Paragraph 2 lit b GDPR) can be considered to legally justify the collection of data in such a scenario. Thus, if a data subject voluntarily reports that it has symptoms or even a confirmed case of Covid-19, the information can generally be processed as part of the employer's duty of care to protect other employees who have been in contact with this person.
If health data is to be passed on to other employees in the company, the data minimization principle must be taken into account. In a first step, it is usually sufficient to inform employees on a general basis about the existence of a suspected case of infection in a particular department, location or floor. The data subject should still be treated anonymously. Only in a second step, the name may be disclosed to the employees who have directly been in contact with the infected person during the incubation period. A transfer of data to third parties - e.g. customers or suppliers - must therefore always take place without any reference to the data subject.
Alternatively, the explicit, voluntary consent of the affected person can be obtained. If this is not possible because the person concerned is physically or legally incapable of giving consent, Art 9 Para 2 lit c GDPR may also apply. As a result, processing may be necessary to protect the vital interests of the data subjects or other natural persons.
May a company disclose data about infected persons to an authority?
The authorities responsible under the Epidemics Act (e.g. district administrative authorities) may process health data in accordance with Sec 4 et seqq of the Epidemics Act in conjunction with Article 9 Para 2 lit i GDPR for reasons of public interest in the field of public health. Thus, data may be transferred to the authority at its request.
How long may data on COVID-19 infections be stored?
Since neither the Epidemics Act nor the GDPR stipulates specific storage obligations for private companies in connection with notifiable diseases, the general data and storage minimisation obligation applies: Data may be stored solely for the fulfilment of the specific purpose. In practice, data on infected persons must therefore be deleted or irreversibly anonymised as soon as (i) identification of potentially infected other individuals has been completed, (ii) no more official enquiries are pending or (iii) the data is not required for the assertion, exercise or defence of legal claims.
Are specific security measures required?
When handling sensitive health data, the need-to-know principle is of upmost importance. In such a sensitive area, it must be ensured that only those persons in the company have access to personal data, who actually need it in order to fulfil the purpose. In addition, higher security standards must generally be implemented for sensitive data (e.g. encryption).
Does a company have to proactively inform affected data subjects?
Since informing employees, customers, suppliers or third parties is generally neither impossible nor involves disproportionate effort, any already existing privacy notices pursuant to Art. 13 and 14 GDPR shall be supplemented accordingly to reflect the new processing purpose. However, this can also be done pragmatically within the context of any general information to those concerned that is sent out anyway.
Which additional measures are to be implemented from a data protection perspective?
In addition to the "Hot Topics" already mentioned, the remaining GDPR obligations are of course not to be neglected either: Since the processing and transmission of COVID-19 suspected cases constitutes a new data processing, an amendment of the records of processing activities is required. Further, a data protection impact assessment will usually be obligatory, since sensitive health data of data subjects who require special protection (employees, patients, etc) is being processed. Once the current crisis situation has abated, an increased number of requests for access, information and deletion by the infected persons concerned can also be expected. Accordingly, processes established in the company in this regard must be evaluated so that bottlenecks or missed deadlines can be avoided.
Home Office and Privacy
If a company switches to home office or teleworking, associated risks must be assessed and mitigated accordingly: If, as a result of the crisis, more employees than usual - or even all employees - access data from outside the company, this will usually be accompanied by a general increase in risk, which must be sufficiently taken into account when structuring technical and organizational measures. Thus, it must be ensured that employees keep data confidential and safeguard company and business secrets also when at home. In practice, this starts with keeping passwords confidential and extends to the sensitive handling of telephone calls and video conferences. At the same time, it must also be ensured that the systems used for this purpose are stable in terms of capacity and availability for the large number of external accesses that were not taken into account before the crisis.