In light of the outbreak of COVID-19 being declared a pandemic on 11 March 2020, the Privacy Commissioner for Personal Data has issued guidelines for employers and employees on the collection and use of personal data in a public health emergency (“Guidelines”).
To control the spread of the virus and to protect employees, employers may find the need to implement measures such as collecting health data and travel history from employees, and in the unfortunate event of a confirmed COVID-19 case in the organisation, the employer may have to consider disclosing details of the infected employee to other members of the company. Social distancing is another important aspect in “flattening the curve” and many organisations have adopted flexible working arrangements, which may require enhanced security measures on data protection.
We have summarised the salient points of the Guidelines below:
- General approach:
  - While there may be a legitimate basis for collecting additional personal data to control the spread of disease, employers must still adhere to the data protection principles ("DPPs") under the Personal Data (Privacy) Ordinance ("PDPO") in collecting and processing personal data for COVID-19 purposes.
  - This means, for example, that the collection and processing of employees’ personal data must be specifically related to, and used only for, the purposes for which it is collected. The scope of data collection and the duration of retention must also be necessary, appropriate and proportionate to the purposes to be achieved.
  - The least privacy-intrusive measures should be adopted. Generally speaking, a self-reporting system is preferred to an across-the-board mandatory system in which health data is collected indiscriminately.
  - If the collection of such data is not covered by an organisation's existing privacy notices, a fresh Personal Information Collection Statement (PICS) must be provided at or before the time of collection to inform employees of the data being collected, the purposes of the collection (e.g. protection of public health), and the classes of persons (e.g. public health authorities) to whom their data may be transferred. It is also good and ethical practice to state in the PICS how long the employer will retain the data.
- Temperature or other health data: It is generally justifiable for employers to collect temperature measurements or limited information about medical symptoms that may be related to COVID-19 from employees and visitors, solely for the purpose of protecting the health of those individuals.
- Travel history: Given the global spread of COVID-19, it is generally justifiable for employers to ask for travel data from employees who have returned from overseas, especially from high-risk locations. The data collected should be purpose-specific and must not be excessive.
- Third-party disclosure:
  - Personal data collected by employers for the purposes of managing the COVID-19 outbreak must not be used or disclosed for other, unrelated purposes unless express and voluntary consent is obtained or a statutory exemption applies.
  - In the event that an employee contracts COVID-19, the employer may inform other employees, visitors, the property management company, etc. of the fact that an employee has been infected with the virus, but it will not be considered necessary or justifiable to disclose the name or other personally identifiable information of the infected employee.
  - However, under DPP 3, it will not be considered a contravention of the PDPO for an employer to disclose the identity, health and location data of infected individuals to the Government or health authorities solely for the purposes of tracking down and treating the infected employee and tracing his or her close contacts.
- Data retention: Personal data collected for the purposes of managing issues related to COVID-19 must be permanently deleted once the purpose of collection has been fulfilled (e.g. when there is no evidence suggesting that any employees have contracted COVID-19 or have had close contact with an infected person after a reasonable period of time).
- Data security measures: Employers must take all practicable steps to safeguard the personal data collected (e.g. by storing it in a locked cabinet, encrypting it and restricting access to it). This is particularly important for medical and health data, which is sensitive in nature and may cause significant harm to the data subject if it is not adequately protected.
- Data security for working-from-home arrangements: Flexible working arrangements generally entail the transfer and use of documents and data away from the workplace, which may increase the risks to data security. Employers should establish formal procedures governing the handling of personal data so as to minimise transfers of information outside the physical or digital work environment, e.g. requiring approval before files are transferred from work to home, redacting personal data from documents prior to transfer, encrypting files, ensuring that home internet connections are secure, and maintaining logs that record the movement of data.
The full Guidelines are available here.