As part of the battle against COVID-19, various significant measures have been introduced throughout the EU that have resulted in a significant increase in the collection of data relating to individuals’ health, location and social habits. Examples of such measures include the contact tracing apps developed by EU Member States to track and trace the transmission of COVID-19, the obligations on businesses to collect and retain details of customers entering their premises and employers implementing temperature screenings.
While combatting the virus is of paramount importance, these measures impact on individuals’ data protection rights and ensuring these rights are protected is also a critical consideration, as illustrated by statements from the European Data Protection Board and others throughout 2020.
For anyone collecting such information, there are a number of key principles to bear in mind:
Transparency: adopt a “no surprises” policy. Be clear with individuals about what information is being collected, for what purposes, who it will be shared with and how long it will be retained
Data minimisation: only collect the information you need. Don’t collect information because you think it might be useful or valuable at a later date. Holding information you don’t need only creates unnecessary risk – especially where it is sensitive and related to COVID-19
Purpose limitation: only use information for the purpose for which you have collected it. For example, if you collect information for contact tracing purposes don’t use it for marketing purposes later. Customers won’t thank you for it and it could draw the attention of data protection regulators
Retention: once you no longer need data, for example to comply with legal obligations or retention requirements, you should delete it. It should not be kept “just in case”
Security: much of the information will be highly sensitive for those to whom it relates and so extra care should be taken when storing it. Ensure appropriate security measures are in place, regular reviews are undertaken of the measures and ensure that access to the information is restricted to a “need to know” basis only
An EU approach to health data
While the EU Commission has strived for uniformity of rules regarding the processing of personal data in the EU, there continues to be significant disparity at Member State level regarding the use of health data. For example, any organisation seeking to conduct health research throughout the EU will be aware of the different rules and processes that need to be followed and the challenges such disparity can cause.
The COVID-19 pandemic has underlined the key role that technology can play in improving public health and the importance of utilising health data to achieve those objectives. It has also shown how disparity in Member State rules and approaches can stifle progress in this area.
In response to this, the EU Commission announced in November 2020 its intention to work on a secure and patient-oriented use of health data for Europe. It also announced an EU-wide collaboration in this area, through a “European Health Data Space” for better healthcare, better research and better health policy making. The EU Commission considers that a common European Health Data Space will promote better exchange of and access to different types of health data such as electronic health records, genomics data, data from patient registries, etc. This would support not only healthcare delivery, i.e. primary use of data, but also health research and health policy making, i.e. secondary use of data.
We can expect to see further significant developments in this area in the coming months and years as the EU looks to unlock the benefits of this EU-wide approach to health data.
Brexit and the free flow of data
One of the few good news stories of 2020 – at least from a data protection perspective – was the Brexit Trade Deal, which was agreed on 24 December 2020.
While the UK did not secure an “adequacy decision” from the EU Commission as it had hoped, the deal provides that on an interim basis the UK will not be treated as a “third country” for the purposes of GDPR and data transfers, as many had feared. This is hugely positive for those transferring data from the EU to the UK. In practice, it means that transfers can continue to take place seamlessly between the EU and the UK, as was the case pre-Brexit. It also means there is no need for companies to put in place transfer mechanisms, such as the EU Commission approved Standard Contractual Clauses.
This is only an interim position and it will need to be reviewed again by mid-2021 at the latest. However, there is cause for some optimism that the UK will secure an adequacy decision from the EU Commission during that intervening period and ensure there can continue to be a free flow of data between the UK and EU. This will be a key issue to watch for those doing business in the UK.
For more information on the interaction between data protection and digital health matters, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.