Information is key to handling any crisis, especially in a health emergency such as the current coronavirus pandemic.
Governments need to know who is infected (and infectious) in order to trace potential contacts and allow them to take steps to mitigate the risks. And businesses will want to keep a close watch on their employees and any visitors, to ensure that they can keep their workplaces safe.
In normal times, information about our health is – rightly – seen as particularly sensitive and worthy of additional protection. Medical professionals are expected to treat health information confidentially, whilst data protection and human rights laws only allow this type of information to be used in narrowly defined circumstances. But these are not normal times. So could our privacy laws actually be hindering the response to COVID-19?
Data protection law does not prevent the collection or sharing of heath data, but it does put in place strict rules on the reasons that such data can be used. For instance, health data can usually only be used where it is necessary to protect the vital interests of the individual or for the provision of their treatment.
There is also a specific condition allowing the use of health data where it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health“.
That seems like a pretty good definition of the current situation with COVID-19. In recent days, the ICO and the European Data Protection Board have both issued reassuring statements for employers and public bodies, so it is unlikely that organisations will find themselves in trouble for processing personal information where it is necessary to do so to treat patients or protect their staff.
Human rights law provides similar flexibility. Whilst individuals do have a right to their private life, home and correspondence, this is not an absolute right. That means the right to privacy may be overridden where doing so is in accordance with the law, necessary and proportionate, particularly in extraordinary circumstances.
Public bodies are therefore entitled to interfere with privacy to the extent required to deal with public health emergencies. Any new emergency legislation proposed in the coming days may include specific measures to allow additional data collection and usage in an effort to control the spread of the outbreak.
So governmental bodies and employers will be able to collect and use health data to monitor cases, treat the infected and manage any disruption. Most of us will accept the interference with our privacy as a small price to pay to successfully contain the virus.
But what about some of the more innovative responses being considered? In China and South Korea, apps have been developed that utilise location data to track individuals via their mobile phones. If an individual is later diagnosed with COVID-19, the app will alert everyone they have come into contact with. This allows those individuals who receive an alert to take steps to either self-isolate or seek further medical advice. Israel has also announced it will be using location data to track its citizens.
Whilst all this seems attractive to combat the outbreak, it does have significant implications for privacy. How can individuals be sure that their location data isn’t being used for other purposes? What happens if the data is leaked or used inappropriately?
Other potential technological solutions include creating a database of those self-isolating to allow friends and neighbours to provide support, or providing detailed street-level maps of all new cases so that the authorities can provide targeted support at a very localised level. These suggestions raise even more legitimate concerns about possible unintended consequences, such as increasing crime by allowing vulnerable and isolated people to be identified.
Our privacy laws do not specifically prohibit such novel methods of collecting and using personal information, but they do set out a framework within which organisations must operate. New uses of personal information would only be lawful where there is a clear legal justification and where the use of data is both proportionate and necessary.
Even where these tests are met, legal protections governing personal information do not automatically fall away. Organisations must still tell individuals about what they are doing, keep the data secure, and ensure that it is not used for any other purpose.
The success of any innovative measures may come down to how much we can trust our governments and technology companies, neither of which have a particularly good reputation when it comes to protecting the privacy of our information.
We are currently living through unprecedented times. What seemed completely unthinkable yesterday appears entirely normal today, and may prove to be woefully inadequate tomorrow. Everyone is scrambling to keep up as the pandemic progresses and advice changes at an alarming pace.
Organisations must of course do what is necessary to keep people safe and healthy, but they should remember that privacy remains a basic right, particularly when it comes to people’s health and wellbeing.
By Jon Belcher, commercial lawyer with Blake Morgan
Jon Belcher is a commercial lawyer with Blake Morgan, specialising in information governance, data protection compliance, information sharing and freedom of information issues. Jon has wide experience of drafting commercial agreements, with a specific focus on data sharing and processing agreements.
He has advised on the data protection implications of large commercial transactions, including major public sector procurements, complex data export arrangements and direct marketing campaigns. He also acted as lead advisor to clients in the media and utilities sectors in respect of GDPR compliance, and is regularly instructed by public sector bodies and charities in Wales and England on data protection matters.
About Blake Morgan
Blake Morgan is a UK law firm providing a breadth of legal services across the private, public and third sectors with a strong regional presence across southern England and Wales. The firm has six offices: Cardiff, London, Oxford, Portsmouth, Reading and Southampton.
With a long heritage and committed client base, the firm’s partners and teams provide a depth of expertise in their key sectors. The firm aims to deliver exemplary service to its clients and to make a difference through teamwork, integrity and innovation.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.