Personal data is a complicated asset. The use of personal information for the provision of a service, research purposes, identity verification, and a countless array of other objectives, ranging from benign and boring to potentially predatory and malicious, has become ubiquitous in modern society. Personal data is an extremely valuable tool; it can be leveraged to inform decisions and policies and to reach conclusions to complicated questions so specific and targeted that it borders on clairvoyance. As is often the case, there are two sides to this coin. Personal data also presents substantial risk, both to the individuals to whom that data pertains and to the organizations using it, which now need to operate under ever-increasing regulation. Governments and companies alike are rushing to leverage personal data to its utmost capacity to bring this pandemic to a speedy end, while still maintaining the privacy of the sick and vulnerable.
For a law aimed at increasing the protection of personal information, it is perhaps surprising that there are provisions within the European Union’s General Data Protection Regulation (GDPR) that allow for the suspension of the rights and requirements of the legislation. Responding to the COVID-19 outbreak is the first instance in which these provisions have been exercised. To better equip itself to fight the spread of COVID-19, the EU is suspending GDPR and loosening restrictions on the processing of what the law calls “special categories” of personal information. These special categories were created to place firmer limitations on types of personal data that present increased risk, such as race/ethnicity information, political affiliations, and sexual orientation. However, health data also falls within this group of special categories. Privacy protections were put in place to benefit the public, but under current circumstances, curtailing access to and use of valuable health data would work against that interest. As a result, France now allows the transfer of personal health data to “any partner involved in the control, prevention and evaluation of the epidemic, in particular the General Directorate of Health.” Italy has issued an ordinance permitting the processing of any personal health data “necessary for the performance of the civil protection function.” Even the U.S. Department of Health and Human Services has announced that there are multiple scenarios under which covered entities may share personal health information without an individual’s consent in order to combat the virus.
This loosening of the reins, however, is not absolute. While it is completely reasonable to determine that such a public crisis requires more flexibility, the risks of processing personal data are still very much present and in need of mitigation. Even the ways in which the GDPR requirements are being suspended reflect this fact. Italy’s new ordinance is effective only until July, and France limits its new data sharing policies to “[o]nly the data strictly necessary for the accomplishment of the mission.” While some sharing of HIPAA-protected health data within the United States may now be permissible under the cover of serving public health interests, it is still important to protect an individual’s privacy and to share such information only with those who have a legitimate need to know.
As individual enterprises look to their own practices to make decisions regarding COVID-19 and their employees’ personal data, risks will need to be evaluated in terms of the potential harm to the individual, and the potential benefits to the enterprise and the individual, arising from the release of information. As a result, there are items that should be on an enterprise’s checklist to help it weigh the balance:
Sources: