How to Stay Compliant with GDPR Laws for COVID-19 Health-related Data

The global COVID-19 outbreak has many organizations scrambling for health information to control the spread of the virus, especially for contact tracing purposes.
Contact tracing is the process of identifying, monitoring, and following up with individuals infected with the virus, or those who have come in contact with an infected person. However, health data privacy concerns have been raised regarding contact tracing that involves tapping into personal health information.
Below, we'll take a look at how you can remain compliant with General Data Protection Regulation (GDPR) laws despite the COVID-19 situation.
The Rules for Personal Data Processing Under GDPR
GDPR is a legal framework that sets guidelines for the collection and processing of personal data from those who live in the European Union (EU).
When processing that data, individuals must be informed that their information will be processed and how it will be used must be made clear to them. This includes any data being used to stop the spread of COVID-19, the use of which must also be clearly communicated and documented.
The European Data Protection Board (EDPB) released a statement in March 2020 detailing the rules surrounding health data privacy and COVID-19.
“It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
Your Responsibilities as a Business
Businesses need to ensure personal data processing is lawful and secure. Emergencies such as the COVID-19 pandemic may, in some cases, lift some restrictions, but responses must always be proportional and limited to the emergency period only.Alert anyone whose data is being collected, telling them when it’s happening and why, and for how long it will be stored. As with any other time, this information should be made clear and easily accessible. If you’re using electronic sign-in software at reception, make this statement visible and clear on each page.
It’s also important to have adequate security measures in place to ensure all that data doesn’t end up in the wrong hands. In fact, having this information somewhere where the user can see it not only reassures them—it also makes your business look trustworthy and reliable—something that’s always a good thing when personal information is concerned.
Personal Data Protection vs. Fundamental Rights: Which Has Priority?
Fundamental rights are a group of rights that are protected against encroachment. The EU describes fundamental rights as obligations of the EU and its member states towards everyone in the EU, as set out in the Charter of Fundamental Rights of the European Union.
The charter establishes the right of everyone to privacy and personal data protection—as well as the rights to physical and mental integrity. So, does one take priority over the other?
The short answer is ‘no’. According to the EDPB, data protection is not given priority over fundamental rights. It is a balancing act, though. For example, the GDPR acknowledges that health-related data may need to be processed when other fundamental rights are at stake, especially when the wider public is involved.
Leniency Surrounding Compliance
Does the exceptional circumstance that is the COVID-19 outbreak excuse non-compliance? As mentioned before, it’s a tricky balance between protecting data and protecting human health. The short answer is, again, ‘no’—though there are some grey areas. For example, there are privacy regulators outside the EU who have taken a more lenient approach according to MedTech Europe.
How to Collect Visitor and Employee Health Information
Creating a safe space for your employees and visitors should be a priority, both now, and as we emerge from the global pandemic.
According to the European Data Protection Board (EDPB), employers should “only access and process health data if their own legal obligations require it.”
When it comes to screening questions and GPS mobile tracking, the proportionality principle applies.
A VMS with contact tracing is useful when it comes to tracking. Visitors just need to scan your QR code to register. You can enhance workplace safety further with SwipedOn’s COVID-19 visitor screening features—or use these as a standalone screening tool.
With SwipedOn, visitors can answer visitor screening questions about recent travel and health issues. This is important now, and will continue to be as a step towards protecting regions from second waves, or even subsequent pandemics. Reception can then either grant or deny access to the building based on their answers and possible risk.
The least intrusive solutions should always be given preference. Under extraordinary circumstances, more invasive tracking could be considered proportional. Using contactless, electronic sign-in systems to collect health-related data from anyone who visits the premises is less invasive than mobile tracking, yet still offers a degree of protection.