Unless you have been living under a rock for the last few months, you have probably heard about the Coronavirus and how dangerously it has been sweeping the globe. It is not only highly contagious, but those who are infected may not even show the symptoms that have been recorded so far in the early or infectious stages. It is also important, for public health reasons, that people who are already infected are isolated to mitigate viral spread. If that is not done, the risk just increases with each passing day.
At the same time, though, this is where the GDPR (General Data Protection Regulation) and public health could be seen to be at odds. On one hand, you have the rule to protect the data that you hold; on the other, you may need to protect the general public with the information that you have. During such a public emergency, shouldn’t GDPR take the back seat?
Many companies are struggling to put new processes in place to cope with the potential risks that are carried with Covid-19. It is important to understand how the EU data protection law applies to the current set of circumstances. There are several tips to ensure data protection compliance during this period and these are the simplest ways:
- The panic factor: You’re going to see a lot of this. Businesses may need to collect personal information about their employees so that they are able to enforce the best protocols against the virus and give the best advice to their workforce to avoid the risk of exposure. It is also important to know that this is a time-sensitive issue and that the requirements of data protection law will apply to every company that holds personal information.
- What information do you hold?: When you are looking at GDPR compliance, you have to hold a certain amount of personal data, and that requires a high level of protection too. This means that, for you to hold this data, you need to have a specific level of security that is highlighted under Article 9 GDPR. Now, in the UK, there is a requirement under the Health and Safety at Work etc. Act 1974 for companies to take measures to look after the health and welfare of their staff. As such, they have to collect specific information, which would include a confirmed diagnosis, to safeguard their staff. So, there is the question of taking information about health conditions, but there is a limit as to what employers can ask. It should in fact be the NHS or the health professionals identifying the condition, as opposed to advising on appropriate steps for the business.
- Do I need to collect information as a business owner? Not necessarily. If the business is considering, from a commercial perspective, positioning itself generally to deal with the outbreak, it may need to rely on many other grounds to justify the collection of data. So, if using any grounds under GDPR to process data with respect to coronavirus, the business should justify the processing of the information and be sure to keep its appropriate policy document.
- Who do you share this data with? The company has to protect the personal data that it holds. When it holds information about its employees that relates to coronavirus, the business will be expected to protect this information much better than the general information it normally collects about its employees. So, it would be easier to provide a hotline number, so that there is clear reporting as opposed to a personal discussion and staff do not know who does or does not have the virus.
- Hold only what you need: A basic principle of GDPR is data minimization, so don’t hold more data than you should. In this respect, it would be tempting to ask for information that is not required; the simplest idea would be to keep the information at the most basic level. Only data points that would help you need to be stored and kept. The remaining data that does not help can be discarded. Travel records, whether employees have tested positive, and the like are the things you should hold; many other things that do not hold value with respect to the coronavirus pandemic can be deleted.
- Transparency goes a long way: As with any bit of personal information, it is important to explain to the person why their data is being asked for and stored, how it would be used, and what rights they have in relation to the entire procedure. If the business thinks it is imperative to hold the data to deal with the coronavirus issue, notify your employees about it. Give them regular updates and inform them about the data that would be used and the data that would be deleted.
- Accurate information is perfect information: Keep your records accurate. This is not only an aspect of GDPR compliance; out-of-date information can also undermine the results of the procedures that you are trying to implement. Deleting the data that you do not need is also very important to ensure that you have only information that is accurate and that you are not holding data that might create an inaccurate report.
- Remember if you have to transfer data: Many MNCs would have to move data around, and that can be a risky proposition. GDPR requires that personal information shared outside the EEA be protected responsibly. If a business does not have a GDPR international data transfer mechanism in place, it would not be able to share data across. So double-check whether data needs to be moved and, if so, have the necessary backups.
The most important part of dealing with this pandemic is to keep calm and not panic. This is a scenario that the world has never seen in the past and it is very important that we work together to bring down the situation we are in. Businesses should ensure they have the right policies in place, so they can process information in compliance with the law.