Privacy during Covid-19 – FAQs

The Covid-19 pandemic has rocked the entire world to its very core, forcing many countries to declare a state of emergency. Whilst this pandemic presents substantial issues regarding the wellbeing of individuals and the general public, companies, associations and governments must keep in mind that even during a crisis, the laws regulating privacy and data protection must be adhered to and a balance between considerations vis-à-vis the right to privacy and public health must be pursued.

What is data relating to health?
Data relating to health provides information about an individual’s health, diagnosis and relevant treatment. Since is it so sensitive, health data is deemed to be a special category of personal data, which is attributed further protection under the current legal regime, led by the Regulation [EU] 2016/679, or as otherwise known, the General Data Protection Regulation (‘GDPR’). An example of health data is the information that someone has contracted the coronavirus (Covid-19) or that they are experiencing symptoms. The fact alone that someone is in quarantine, does not by itself necessarily constitute health data in the prevailing circumstances where quarantine is even imposed on people who are not tested positive for Covid-19.
Does the GDPR obstruct measures taken in the fight against the coronavirus pandemic?
It could (if misinterpreted), but it should not. Privacy-related and other vital societal interests such as the fight against communicable diseases should not be treated as a zero-sum game. It is possible to uphold both interests; indeed it is essential that both are upheld. This is achieved by respecting general principles of law, including in emergency situations. Restrictions of fundamental rights such as the rights to privacy and data protection as enshrined in the EU Charter of Fundamental Rights may be legitimate, in particular in times of emergency; however such restrictions must be proportionate and limited to the emergency period, i.e. reversible.
 Can we collect information from employees or visitors in relation to COVID-19?
Yes, however you should collect as little information as is reasonably necessary for preventing or managing COVID-19. Collection of personal data should be in accordance with the so-called principle of ‘data minimisation’ which states that personal data should be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ This also means that, unless necessary, such personal data collected should be erased immediately and not stored. If it is sufficient to do so, data subjects should remain anonymous (as is the case when data subjects have their temperature measured before they enter a supermarket). Equally as important, such data collection should be lawful and fair – data subjects should be aware that their data is being collected and the purposes of its collection. Relevant instructions issued by the Department of Health to employers should be followed. The EDPB has stated that, in the employment context, the GDPR foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health (Art. 9.2.i), on the basis of Union or national law. At this stage, however, no relevant national law has been implemented.
Can we tell staff that a colleague or visitor has or may have contracted COVID-19?
Yes, you may inform your staff that a colleague or visitor has or may have contracted COVID-19, but you should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace. Once again, it is recommended you proceed in accordance with the data minimisation principle, only disclosing personal information that is relevant and limited to what is necessary in relation to the purposes for which they are being disclosed. Providing identification details, such as a name, may not be necessary in order to prevent or manage COVID-19. If disclosure is warranted, this should be done on a ‘need-to-know’ basis. Whether disclosure is necessary should also be informed by advice from the Department of Health.
Can staff work from home?
The General Data Protection Regulation (GDPR) and the Data Protection Act (cap. 586 of the Laws of Malta) do not prevent employees from working remotely, however the EU data protection principles will still apply. The Employer should ensure that the cybersecurity policies it has established (if any available) should be applied during flexible working arrangements and set out the responsibilities for cybersecurity.
How can we protect personal information when working remotely?
Secure laptops, mobile phones, data storage devices and remote desktop clients and ensure all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including antivirus software) and have strong passwords. Remind your employees to use work email accounts not personal accounts for all work-related emails in particular those that contain personal information and implement multi-factor authentication for remote access systems and resources (including cloud services); and instruct employees to only access trusted networks or cloud services.
Can an employer request more specific details of their employee’s illness on medical certificates in light of the situation in relation to COVID-19?
The application of the principles of proportionality and data minimisation are particularly relevant here. The employer should only require health information to the extent that national law allows it.
Is an employer allowed to perform medical check-ups on employees?
The answer relies on national laws relating to employment or health and safety. Employers should only access and process health data if their own legal obligations require it.The employer should only be informed of significant findings (i.e. condition of health) from the health surveillance carried out by the doctor it engages to visit an employee where this is necessary and must take into account any medical confidentiality. Therefore when a doctor who is engaged by the employer carries out a visit, the doctor may inform the employer that the employee (patient) has Covid-19 without delving into any necessary detail on the symptoms. For insurance purposes, it can be considered ‘necessary’ according to GDPR for the employer to know the health condition of the employee as some contracts of employment bind the employer to settle a sum in the event of demise. On this point it is to be noted that where a flexible/ remote working arrangement is adopted, the employer remains responsible for the employee’s health and safety.
In the light of the recent list of ‘vulnerable’ persons, does an employee have to specify to its Employer under which category he/she falls? 
The application of the principles of proportionality and data minimisation are particularly relevant here. The employer should only require health information to the extent that national law allows it.

Do you have any questions surrounding privacy and the Covid-19 pandemic? Send us your queries via private message on our Facebook page, or send us an email on info@mitla.org.mt.