The Covid-19 pandemic has posed challenges to all European Member States in terms of democracy and human rights, including privacy rights and personal data protection.
In trying to fight the pandemic, governments have had to use emergency measures, in many cases including the declaration of a state of emergency. Many of these measures involve the processing of personal data (names, surnames, addresses, telephone numbers, data about occupation…) and in many cases the processing of special categories of personal data (such as health data).
To provide adequate health care, the processing of personal data in this context, and of health data in particular, must be handled with particular care.
The measures adopted to fight Covid-19 that involve the processing of personal data (including health data) shall be necessary and proportionate, and decisions shall be based on the guidelines and instructions of the public health authorities and other competent authorities.
Below are some of the fundamental obligations that data controllers should keep in mind when processing personal data in the course of their activities, guided by the principles of the General Data Protection Regulation.
Lawfulness
Article 6 of the General Data Protection Regulation provides many legal bases for the processing of personal data, and Article 9 sets out conditions that permit the processing of special categories of personal data, such as health data, which can be applied in the context of fighting Covid-19.
Here we highlight some.
Where data controllers operate in compliance with the guidelines or instructions of the health authorities or other competent authorities, Article 9, paragraph 2, letter i) of the General Data Protection Regulation is likely to apply. It permits the processing of personal data, including health data, provided that safeguards have been implemented. Those safeguards can include limiting access to personal data in order to prevent misuse, strict time limits on data storage, and other measures such as adequate training of staff on the right to personal data protection.
Employers also have a legal obligation to protect their employees under the Labour Act (OG 93/14, 127/17 and 98/19) and the Occupational Health and Safety Act (OG 71/14, 118/14, 154/14, 94/18 and 96/18).
This obligation, together with Article 9, paragraph 2, letter b) of the General Data Protection Regulation, provides a legal basis for the processing of personal data, including health data, if it is considered necessary and proportionate.
All data must be processed confidentially, and communication with employees about the presence of Covid-19 in the workplace shall not lead to the identification of any individual employee.
It is necessary to guarantee that personal data are not automatically, without the intervention of a natural person, available to a limited number of persons.
In addition, personal data may be processed in order to protect the vital interests of the data subject or of another natural person, if necessary. A person's health data can be processed on this basis if that person is physically or legally unable to give consent. This applies only in emergency situations, where no other legal basis can be established.
Transparency
When processing personal data, it is necessary to be transparent about the measures implemented in this context, including the purpose of collecting the personal data and the retention period. Information about the processing of personal data shall be provided to data subjects in a concise, transparent, comprehensible and accessible form, using simple and clear language.
Confidentiality
Any processing of data in the context of preventing the Covid-19 pandemic shall be carried out in a manner that ensures data security, especially where health data are concerned.
It is recommended that paper documents containing personal data are stored, for example, in locked cabinets or drawers, under the supervision of an authorized data controller, and that access to personal data stored in electronic form is provided by means of a username and password.
Data volume reduction
Because this concerns a special category of personal data, only the minimum amount of data needed to implement the measures against the spread of Covid-19 should be processed.
Reliability
It is advisable to draw up a document that sets out for which purpose and which data are processed, with whom they are shared, how long they are stored, what the rights of data subjects are, and other relevant information. The document shall be published so that data subjects are aware of any processing of their personal data.
It is certainly necessary for the controller to document any decision-making on the measures taken to mitigate the spread of Covid-19 that involve the processing of personal data, and to make it known to all employees and other potential data subjects.
Latest information and recommendations
The Ministry of Health and the Croatian Institute of Public Health publish the latest information on Covid-19 on their websites on a daily basis. Current data on the number of patients and advice on the safety and protection of the population can be found on those sites.
The European Data Protection Board (EDPB) adopted a declaration on the processing of personal data in the context of the Covid-19 outbreak, as well as guidelines on the lawfulness of processing and specific rules on the use of data in the context of combating the spread of the Covid-19 pandemic.