Gabriel Garcia Marquez’ 1985 novel, “Love in the Time of Cholera” tells of the doomed relationship between two lovers at a time of widespread disease in their country. Trying to ‘get it together’ against such a backdrop must, in some way, be similar to the challenge faced by most DPOs these days – trying to maintain a compliant set of data management principles when all around you, people are trying to come to terms with exceptional and extra-ordinary demands on their attention.
DP compliance must appear well down the list of priorities for those who are struggling with the real threat of personal illness, unemployment, business failure, extended school closures, cancelled state exams and concern for elderly or vulnerable family members. And so it should.
There are more than enough sources of information available providing guidance on health, hand-washing, social distancing and voluntary self-isolation. There is no need to repeat that guidance here, and we won’t. However, for reference, we recommend:
But despite the difficulties posed by these extra-ordinary times, life goes on – just as it did in the Marquez novel. Indeed, the very principles on which the GDPR is based act as a quick-reference guide for the kind of habits and behaviours we should be adopting in the coming weeks and months.
Transparency and Proportionality
At a time when we might be inclined to set all structures aside in the interests of survival, we are encouraged to adopt a reasonable and measured approach to this crisis – consider the privacy and concerns of others, no need for excessive or dramatic responses, no requirement for unnecessary or pointless measures.
I have seen several questionnaires being ‘imposed’ by organisations seeking information from staff and visitors to their premises, seeking information on their health, their recent travel and their living arrangements – including information on their car-pooling buddies and their domestic ‘situation’. It does not take a DP expert to know that this is excessive, no matter how well-intentioned the initiative might have been.
The underlying principle of Article 9 applies here – any processing of health or personal information which is not explicitly permitted is prohibited. This continues to apply in times of pandemic, cholera or global warming.
Purpose and Minimisation
Where information is being sought out of concern for staff welfare, employers should be open and transparent about this, explaining (as required by Article 13) why the data is required, with whom it may be shared and how long it will be held.
In compliance with Principles 2 and 3, only the minimum data required for these purposes should be sought, and it should then only be used for those purposes. Remember that, for the most part, the data being gathered will relate to an individual’s health, requiring an additional level of scrutiny and protection under the Regulation.
That said, Article 9 permits the appropriate, proportional processing of such data where it is necessary for the vital interest of an individual or those with whom they are in contact, for the provision of medical care, for the administration of preventative or occupational medicine, for research and for the protection of public health.
Organisations should avoid the temptation to ‘hoover up’ additional information that might be available from other sources, however – social media, vehicle trackers, mobile phone records and lifestyle applications – the old adage continues to apply: “Just because you can does not mean that you should”. In order words, just because data is technically available does not mean that its use is lawful or permissible.
Security and Integrity
Where data is acquired – by employers from staff, or by health workers from patients and those presenting with symptoms – appropriate measures need to be in place to ensure that this information is treated sensitively and professionally. We live on a small island and it is inevitable that we will know people affected or infected by this virus over time. What we do with that data will be the measure of us – it should be treated confidentially, appropriately and with respect for the privacy of the person involved and their family and colleagues.
Where possible, statistics can be built without needing to know the identity of the individuals involved – we have seen this during the nightly news updates from the Health Services, and it is an example we should both admire and follow.
This too, as they say, will pass – in time, the data gathered during these extra-ordinary days will no longer be needed or relevant, and we need to prepare a retention schedule accordingly – only keeping what is necessary for our purposes, and anonymising or deleting what is not needed.
Compliance with other legislation
Data Protection is not the only regulation being called into play these days – many other obligations and responsibilities apply – employment law, health and safety considerations, contract responsibilities with regard to service delivery and force majeure, social welfare, labour relations and equality legislation will all come under scrutiny as we react and respond to the many difficulties posed by this insidious, spiky disrupter. At times, like a love affair during a crisis, worrying about such things will seem pointless and out of place.
Any yet it is these rules and obligations which will give us the standards, the measure and the lawful basis on which to make the decisions we need to make at a time when much of what we consider to be ‘normal’ has been turned on its head.
Lastly, this crisis presents an ever-changing landscape about which we are learning new information daily – we can only encourage people to heed responsible sources of news and healthcare, and to follow the guidance issued in relation to the measures we can all take.
In a time of crisis there will always be opportunists who try to steal your personal data. Check out our Phishing Quiz to see how many phishing emails that you can spot.