Personal data is a complicated asset. The use of personal information for the provision of a service, research purposes, identity verification, and a countless array of other objectives that range from benign and boring, to potentially predatory and malicious, has become ubiquitous in modern society. Personal data is an extremely valuable tool; it is capable of being leveraged to inform decisions and policies, and reach such specific and targeted conclusions to complicated questions, that it borders on clairvoyance. As is often the case, there are two sides to this coin. Personal data also presents substantial risk, to the individuals to which that data pertains, and to the organizations using it, which now needs to operate under ever-increasing regulation. Governments and companies alike are rushing to leverage personal data to its utmost capacity and bring this pandemic to a speedy end, while still maintaining the privacy of the sick and vulnerable.
For a law aimed to increase the protection of personal information, it is perhaps surprising that there are provisions within the European Union’s General Data Protection Regulation (GDPR) that allows for the suspension of the rights and requirements of the legislation. Responding to the COVID-19 outbreak is the first instance in which these provisions have been exercised. To better equip itself to fight the spread of COVID-19, the EU is suspending GDPR and loosening restrictions on the processing of what the law calls “special categories” of personal information. These special categories were created to place firmer limitations on types of personal data that presented increased risk, such as race/ethnicity information, political affiliations, and sexual orientation. However, also within this group of special categories is health data. Privacy protections were put in place to benefit the public, but under current circumstances curtailing the access to, and use of valuable health data, it would work against that interest. As a result, France now allows the transfer of personal health data to “any partner involved in the control, prevention and evaluation of the epidemic, in particular the General Directorate of Health.” Italy has issued an ordinance permitting the processing of any personal health data “necessary for the performance of the civil protection function.” Even the U.S. Department of Health and Human Services has announced that there are multiple scenarios under which covered entities may share personal health information without an individual’s consent in order to combat the virus.
This loosening of reins, however, is not absolute. While it is completely reasonable to determine that such a public crisis requires more flexibility, the risks of processing personal data are still very much present and in need of mitigating. Even the ways in which suspensions are being made to the GDPR requirements seem to reflect this fact. Italy’s new ordinance is effective only until July, and France limits its new data sharing policies to “[o]nly the data strictly necessary for the accomplishment of the mission.” While some sharing of HIPAA protected health data within the United States may now be permissible under the cover of serving public health interests, it is still important to protect an individual’s privacy and only share such information to those with a legitimate need to know basis.
As individual enterprises look to their own practices to make decisions regarding COVID-19 and their employee’s personal data, risks will need to be evaluated; in terms of the potential harm to the individual, and the potential benefits to the enterprise and individual, arising from the release of information. As a result, there are items that should be on an enterprise’s checklist to help them weigh the balance:
- Do not reveal the identities of individuals to the public or provide information that could accurately identify people who are under investigation for exposure to COVID-19.
- Be prudent with your employees in sharing the latest CDC information regarding prevention and efforts by government and businesses in limiting exposure of people to COVID-19.
- Use continued due diligence in collecting, using, and storing health information of employees. Publicizing of employees who have contracted the disease is counterproductive.
- Assess your organization’s third-party relationships, including business and strategic partners, which might involve the transfer, sharing or release of employee data.
- Ensure that proper authentication and authorization controls are in place to access sensitive information. How does the organization verify the identity of calls wishing to either access their health information or inquire about the status of its employees?
- Continue with security efforts to monitor networks and access for anomalies, since others may think your attention is diverted to pandemic issues.
Data privacy regulations are still attempting to nail down the balance between extracting value from personal data and protecting the individuals that are the sources of such data. The managing of the COVID-19 outbreak by governments worldwide will represent the equivalent of case law, further fine-tuning our understanding of where and when to protect personal data, and where and when to leverage it. In the meantime, Marvin and Company remains ever vigilant to work with enterprises to ensure their privacy and security posture is effective.