Covid-19 pandemic creates difficulties for many.

The Covid-19 pandemic has created difficulties for many, especially employees and employers. Many business owners have not been able to continue paying their employees. This has resulted in the laying off of many employees. For employees, apart from anxiety over their own health and despite mortgage moratoriums et cetera, this has created financial difficulties. For employers, and especially SMEs, the pandemic has the potential to deal a death blow to a business that took years to build up.

As noted in a previous blog, when set in this backdrop, data protection concerns seem trivial. Nevertheless, just as fundamental rights and freedoms cannot be trampled on in a health crisis, neither can data protection rights. Indeed, because more sensitive categories of personal data are now being processed (health data, particularly), more care should be taken to ensure that data protection rights under the GDPR are being respected and enforced.

There must be at least one legal basis to process data and all principles must be abided by. What is often forgotten is that even where derogations from the GDPR apply, the principles must still be respected and applied in any personal data processing operation. While the rules should be obeyed even under extreme circumstances, these same data protection rules (such as the GDPR) do not hinder measures taken in the fight against the Coronavirus pandemic. It is conceivable that in times of emergency such as now, some data protection rules may be relaxed but it is unlikely they will ever be suspended or waived. Still, there have been many questions to GDPRXpert from clients unsure of aspects of GDPR, especially in the specific context of this pandemic. At this time, we will take a look at some of the most common questions we have been asked.

Question 1.

I have many of my employees working from home at least temporarily. Are there any special precautions employers need to take in relation to personal data?

Answer.

Many people work from home, but clearly these numbers have increased since the pandemic. The first thing that those working from home must do from the outset is create the mindset that they are still working in the office. Remember, it is not feasible for employers to go and assess the suitability, or otherwise, of all ‘work from home locations’ (WFHL), so some basic and normal ground rules need to be emphasised.

Employees must secure their data just as they would in the office. To do this they must take the normal precautions and act as if present at their place of employment. It is paramount they don’t allow family members, or anyone else, to just walk in to where they have set themselves up. For example, they should never leave personal data on view on a computer screen. Data protection consultants GDPRXpert frequently remind clients that it is often the small oversight or lack of attention that leads to data being compromised. Employees should log off when leaving their work station or lock an area if too many people are coming and going. Working from a laptop on a couch is not a good idea if sharing an apartment or house with others! There should be strict controls on the ability to download personal data from an organisation’s system files.

If no relevant data protection policies are in place, now is the opportune time to enact some to govern how company assets and information can be accessed, where information can be stored, and how information can be transmitted. Employees must be quickly made aware of, and become competent about, the types of information considered to be confidential, trade secret, or otherwise protected. There is much anecdotal evidence of an upsurge in phishing attacks.

In the US there has been a huge rise in fraud schemes related to Covid-19, with many businesses receiving fake e-mails purportedly from the Centre for Disease Control (CDC). These emails contain malicious attachments so employees at WFHL need to be extra vigilant. In all cases these fraudsters are attempting to have their targets access and verify personal information or credentials. Employers must train their employees on how to detect and handle such scams and keep them informed about the latest threats. It is a good idea to have regular video conferencing with staff to facilitate Q&A sessions and update everyone on the latest threats. It also helps staff morale.

Only those whose essential job duties place them in the ‘need to know’ employee classification should have access to ‘special category data’, which includes health data. It is best practice to carefully review any Bring Your Own Device (BYOD) agreements, if any are in place between you and employees. In this scenario, and where special category data are being processed, it is vital that all information is encrypted in transit and while at rest on the device. For example, many in the healthcare field are now working remotely and collecting health data. In the absence of special arrangements these remote employees should be utilizing company-issued equipment and not saving company data to personal laptops, flash drives, or personal cloud storage services such as Google Drive.

It is true to say that the risks for the employer are numerous, so all care should be taken in relation to BYOD agreements. Any employer should seek to ensure that those practices do not compromise the security of, and your right of access to, your information and data, and that your policies comply with all attendant legal obligations.

In the conventional office working setting it is easy to have a quick word in an employee’s ear if an employer becomes aware of any breach of, or indiscretion concerning, a BYOD agreement. It is more complicated when employees are working remotely. Best and safe practice is for employers to consider periodic reminders of the BYOD policy and offer training sessions, as well as ongoing education regarding the importance of protecting the employer’s trade secrets, confidential and proprietary information and data.

“There is no questioning the advantages of BYOD agreements. It is a growing trend, one that may already be occurring at your company. Employers are implementing policies and practices that permit, or even require, their employees to use their personal electronic devices (e.g., laptops and smart phones) and data services (e.g., backup and file-sharing software) for work-related purposes. The appeal of such Bring-Your-Own-Device (BYOD) practices for both employers and employees is undeniable. Employers avoid the up-front costs and administrative hassle of purchasing laptops and smart phones as well as employees’ demands for the latest and greatest gadgets, and employees do not have to carry around multiple devices. Overall, this is a much simpler and more efficient way of doing business, right?” (Elaine Harwell, Senior Counsel, Procopio). There are security considerations nevertheless, and here are some aspects that demand careful attention.

Your BYOD policy should cover a broad range of topics, including:

  • Which employees are permitted to use personal devices for work purposes;
  • Acceptable and unacceptable use of personal devices for work purposes;
  • Your ownership of and right of access to all employer data on employees’ personal devices and employees’ lack of privacy rights in that data;
  • Your security and data protection protocols;
  • Your employees’ obligations with respect to maintaining the security of employer data (e.g., a provision requiring employees to protect all devices that contain employer data with a password or PIN);
  • A disclaimer that the employer is not responsible for the security of the employee’s personal data;
  • Reimbursement for the employee’s use of his or her personal devices; and
  • Rules and/or restrictions regarding work-related use of personal devices outside of working hours.

Question 2.

Can an employer let employees know the identity of a co-worker who has contracted Covid-19?

Answer.

We know that personal data includes an identifier such as a name. Processing includes, inter alia, “…disclosure by transmission, dissemination or otherwise making available…” Therefore, sharing the name of an employee who has contracted Covid-19 constitutes personal data processing. ‘Data concerning health’ under Art.4 GDPR includes any personal data related to the physical or mental health of a natural person … which reveal information about his/her health status. In this instance we have an employee’s name, which is ‘ordinary’ personal data, and data concerning health, which falls under ‘special category data’ under Art.9 GDPR. Processing rules vary depending on the categorisation of the data involved. The legal bases for processing also differ, again depending on the category of the data.

In line with the confidentiality principle, the general rule is that the identity of an affected employee should not be disclosed to his/her colleagues or any other third parties without some legal basis or very strong justification. Having been informed by previous experiences, we know that the smaller the business is, the more easily the identity of the co-worker will become known. Even in larger companies a person’s absence will be noticed and lead to unhelpful speculation, much of it on social media, as to who exactly has the virus. This speculation would be upsetting for those wrongly identified as having Covid-19. It is usually not necessary, and often will not serve a legitimate purpose, to disclose the identity of an employee with Covid-19. Employers are under a legal obligation to ensure the health and safety of employees (Safety, Health and Welfare at Work Act 2005). Informing employees of an infectious disease in the workplace would be a statutory duty (also a common law duty with an attached duty of care). Indeed, employers should carry out a risk assessment to identify the risks of a coronavirus outbreak at work, and implement steps to minimise that risk. That said (even in the absence of obligations under health and safety legislation), it would be expected that employees would be informed of any case of Covid-19 in a work setting in order that staff could self-isolate or work from home.

Any information disclosed should always be limited to the minimum necessary for a specific purpose. Someone’s identity, normally and generally, should be disclosed only where absolutely necessary and on a strict need to know basis. As evident from a notice by the DPC, the key word may be ‘generally’. “Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.” The DPC also states that “the identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.” We note it does not state ‘without a clear legal basis under GDPR’. There is a world of difference between the two. Any test of what is ‘clear justification’ either does not exist, or is a subjective test. Who decides what a ‘clear justification’ is? Does a justification have to be set within a legal basis? The ultimate arbiter on this is the CJEU. It is a facile exercise to set out a justification for an action, rather than ground it on a legal basis.

From a practical perspective, to allay fears amongst all employees who are wondering how close their contact was with the infected employee, a common sense approach would be to ascertain whether the infected employee would consent to his/her identity being made known to his/her co-workers, with the aim of more effectively safeguarding those co-workers. For example, if a worker in a very large manufacturing plant became infected it would cause undue stress to many employees if no other information was forthcoming from the employer. Employees will worry and wonder about how close they were to the infected individual. If an employer is too specific about the area of the plant where the infected employee worked, it may be tantamount to naming the individual. The circumstances and details of any particular case will determine the nature and quality of the dilemma facing the employer.

There is no avoiding the reality that not knowing who exactly in your place of employment has contracted Covid-19 will cause undue stress on that person’s co-workers. As noted many times, data protection rights under the GDPR, and data protection and privacy rights under the Charter and the European Convention on Human Rights respectively, involve a balancing exercise with other rights. In cases like the present one, the unprecedented circumstances involved in the whole scenario suggest to us that a common-sense approach is an option that many will consider. It is an approach that carries some risk. In normal circumstances a person’s identity should not be disclosed, but in very extreme situations, such as the present one, a justifiable case could be made for releasing a person’s identity.

This action is still fraught with danger, and if an employee files a complaint it will be up to the DPC at first instance to give a decision. An employer’s justification in releasing the identity of the coronavirus victim may not withstand scrutiny by the DPC. The best advice is not to release a person’s identity unless you have obtained explicit written consent from the employee. Where explicit consent is not forthcoming our advice would be to state that a co-worker, who cannot be named at this time, has contracted Covid-19. How much more information is conveyed to co-workers is dependent upon the particular, and possibly unique, circumstances of an individual situation.

There will be cases where, for example, an employer will conclude that the health and safety of all employees is best served by disclosing the identity of the employee with Covid-19. In such a situation, and because of the statutory duty on the employer by virtue of health and safety, there is at least an arguable case. Remember, although set in a different work context, ‘the indications of impending harm to health arising from stress at work must be plain enough for any reasonable employer to realise he/she should do something about it’ (Hatton v Sutherland [2002] 2 All E.R. 1).

Ultimately, the roadblock may be formed by the twin concepts of ‘necessity’ and ‘proportionality’ that permeate through the GDPR and EU law. Views on the issue are by no means unanimous across the EU. A most recent guidance note from the European Data Protection Board says ‘employers should inform staff that colleagues may be infected but they should only reveal their names if national law allows it; if they can justify that such a step is necessary; and only after the affected workers have been informed/consulted beforehand.’ Earlier we saw the slightly differing view from the DPC guidance. The U.K. ICO also takes a slightly different view. “You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees as well as a duty of care. Data protection doesn’t prevent you doing this.” The identity of affected individuals must not be disclosed to their colleagues or third parties without a clear justification.

The Appropriate Lawful Bases.

The HSE and other public health authorities would be seeking details concerning any Covid-19 case in any context. Certain information is always needed so that authorities can effectively carry out their functions. Only recently Covid-19 was declared a ‘notifiable’ infectious disease under recent legislation. Medical doctors are mandated to report cases to the Medical Officer under the Infectious Diseases (Amendment) Regulations 2020. There is no equivalent legislation covering employers. Strangely, employers are not mandated to report infectious diseases to the Health and Safety Authority. Employees under the 2005 Act are mandated to report to their employer or the employer’s nominated registered medical practitioner if they become aware of any disease which affects their performance of work activities that could give rise to risks for the health, safety, and welfare of others at work. A clear duty is imposed on all employees to protect themselves and others. However, employers under the 2005 Act are under a legal obligation to protect employees from issues that negatively affect their health and safety. Clearly, this could easily be construed to include the novel coronavirus. This could act as a lawful basis for processing personal data.

Processing could also be justified on the basis of Art.6(1)(d), that it is ‘necessary to protect the vital interests of the individual data subject (employee) or other persons (other employees or other people)’. An employer could also find a legal basis for processing the personal data under Art.6(1)(f) GDPR where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…” Where an employer relies on this legal basis, he/she should document the ‘legitimate interests assessment’ that has been made.

In certain cases the person’s identity will be needed. For example, authorities may need to interview the employee who has contracted the disease. Recital 46 GDPR states “some types of processing may serve both important grounds of public interest (lawful under Art.6(1)(e)) and the vital interests of the data subject (Art.6(1)(d)), as for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread…” Where the employer shares information, the sharing should be in compliance with GDPR and, most especially, the principles. In many cases employees themselves may fully consent to having their identities made known or they will make it known themselves. If so, in those cases the personal data will have been ‘manifestly made public’.

It is questionable whether the consent of an employee to processing of his/her own personal data would constitute valid consent. It has not been definitively set out in the context of the employer/employee relationship but Recital 43 makes it clear consent is not a valid legal ground “where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority…” GDPRXpert has not found any case law to support the view that an employer/employee relationship would satisfy the ‘clear imbalance test’. Undoubtedly, the average employee could feel pressurised into giving consent. It is something that will fall for future decision on a case by case basis. What is noteworthy is that the reference to a clear imbalance in the context of an employment relationship, which had been included in an earlier draft of the GDPR, was deleted in the enacted regulation.

Health Data Processing

Where data concerning health are involved, the situation changes. As we know there is a general prohibition on the processing of ‘special category’ data, which includes data concerning health. There are a number of exceptions to this broad prohibition, including under Art.9 (2) GDPR and sections of the DPA 2018. These provide potential legal bases for processing health data for the purposes of Covid-19 containment. S.46 DPA 2018 and Art.9(2)(b) permit the processing of health data where necessary and proportionate for the purposes of exercising or performing any right or obligation under Irish employment law – employers are legally obliged to ensure the safety, health and welfare at work of their employees. Specific measures to safeguard the fundamental rights and interests of the data subject (employee) must be taken.

Perhaps the most appropriate legal basis for processing health data is found under Art.9(2)(i) GDPR and s.53 DPA 2018, both of which provide exceptions to the general rule. Here the processing is deemed necessary for reasons of public interest in the area of public health such as protecting against cross border threats to health. Both must be underpinned by law (EU/Member State) providing suitable and specific measures to safeguard rights and freedoms of the data subject (employee). Examples of suitable safeguards would be limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.

S.52 DPA 2018 and Art.9(2)(h) GDPR also offer a sound legal basis as both provide, inter alia, for processing for the purposes of preventative or occupational medicine, and for assessment of the working capacity of an employee. Necessity and proportionality are always underlying considerations.

Question 3.

Can employers ask for travel and medical information from employees and from visitors coming to the workplaces of employers?

Answer.

Employers, as we noted earlier, are under a legal obligation to protect the health of their employees and to maintain a safe place of work (Safety, Health and Welfare Act, 2005). There would be justification for employers asking employees and visitors about recent travel, in their efforts to prevent or contain the spread of Covid-19 in the workplace. This would be especially so where they are worried about any possible travel to Covid-19 hotspots. In this regard, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms. If travel has taken place as part of an employee’s duties then those details are known already to an employer. The question then becomes one of asking about personal travel destinations and the presence of any Covid-19 symptoms.

In Ireland the DPC has given recommendations on Covid-19 and these support the view that it is reasonable to ask an employee such questions. Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. It is advisable to be sensible when asking employees to provide personal information about their likelihood of risk and not to ask for more than you genuinely need.

Out of the 28 national data protection authorities of European Union member states, some 20 EU countries have issued specific guidance regarding COVID-19 and data protection so far. We are beginning to see several core principles emerge from this guidance:

  1. COVID-19 sensitive personal data, such as medical symptoms and diagnosis, travel history, and contacts with those who have been diagnosed can be processed on the basis of safeguarding public health.
  2. The fact that an employee has tested positive for COVID-19 can be disclosed, but identifying information about the individual, in particular the individual’s name, should not be disclosed.
  3. European DPAs have scrutinized if not discouraged or prohibited mass surveillance techniques by data controllers, such as use of questionnaires or temperature checks, other than those performed by health authorities.
  4. Security measures must still be implemented to protect COVID-19 personal data.

What the foregoing has shown is that some issues around data protection in the context of the Covid-19 pandemic are complicated. The coronavirus pandemic has brought forth evidence of how interpretations of some articles in the GDPR vary within jurisdictions. Member states (MS) have been given some latitude in making changes and additions to the GDPR, but Covid-19 has exposed a lack of consistency in interpretation of portions of the GDPR across the EU. This is something we will look at closely in the future, and as the pandemic expands in a potentially lethal manner globally.

Patrick Rowland, GDPRXpert.ie.


The ongoing Covid-19 pandemic raises life and death questions.

The ongoing Covid-19 pandemic raises life and death questions all over the globe. Data protection concerns in this context appear trivial and insignificant. As the DPC has stated, “data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data”. Nevertheless, some questions raised will remain as contentious issues long after Covid-19 has been clinically controlled. There is no need to remind anyone how the pandemic raises life and death questions. People are getting sick and many people are dying.

Identified and Identifiable


There was much debate and controversy surrounding the lack of specific geographic details provided by health officials in relation to confirmed cases of Covid-19. One view was that the GDPR was being cited as a reason not to provide more precise details as this could lead to someone’s identity being disclosed. Remember that from Art.4(1) “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name…location data…or to one or more factors specific to the physical…cultural or social identity of that natural person;”. It is well established that non-disclosure of a person’s name, in and of itself, is not always a guarantee of anonymity.

Even when special category data processing is allowed by derogation, it does not mean there is any derogation from the applicability of data protection principles. On the contrary, these are always applicable. In fact, it is especially important to abide by all data protection principles in relation to these more ‘sensitive categories’ of data, to use the term from the old Data Protection Acts. Unquestionably, a person’s identity could quickly become public knowledge if a very precise geographical location was provided by the public health authorities. It would not be long before people would be able, by a process of elimination and observation (hopefully, not surveillance!), to identify people in a particular area that were in isolation because they had tested positive for the virus or had been in recent contact with someone who had tested positive.

Location data


Although the health authorities are doing their best to ensure a person does not become identifiable, the possibility of this happening increases directly as the information disclosed becomes more detailed. Take the case of the un-named school that was closed because students had recently returned from a school trip to Northern Italy. Health authorities consistently refused to name the school, despite the fact it had been immediately identified on social media. Their policy of non-disclosure was rendered meaningless.

The truth is this type of information becomes public knowledge very quickly. In the midst of a pandemic people are understandably more inquisitive, and it is quite possible anyone who was on the school trip to Italy and succumbed to the virus would be identified in a timely manner. What is clear so far is that the health authorities are determined to keep information to a minimum so that precise geographical locations are not revealed. This is why we have been hearing about a case in the South or the East etc. but no towns or cities had, at least initially, been named. Some politicians prefer more specifics on locations of so-called clusters of infection.

Different views or rationales can be taken of this policy approach. One view is that naming the location precisely might, in combination with other information available to local residents, make an individual or individuals readily identifiable. This could cause panic to people in the immediate region and distress to patients and their families. Another view is that if the precise location was given, then residents in proximity to that area might be on higher alert leading to greater caution in their personal social interactions. The policy has been defended on other grounds by Dr. Tony Holohan. It is seen as designed to protect the privacy of individuals on the basis that people are less likely to come forward if they fear their identity will be made known. This would be another hurdle in the race to quantify and track the extent of the pandemic.

For the public interest/of public interest 

All views have their merits but any view carries an underlying interpretation of what is ‘for the public interest’. Undoubtedly, the question is a subjective one, and in instances such as a public health emergency caused by a pandemic, what constitutes the “public interest” is properly evaluated by the health authorities and the government. Within this context, under Art.9 (2)(h), Art.9(2)(i) and S.53 DPA 2018 lie the specific exceptions to the general prohibition on processing of special categories of personal data, which includes health data. Derogations from the general prohibition are allowed, but subject to suitable safeguards having been put in place to safeguard fundamental rights and freedoms of the data subjects. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.

There are many lawful bases for processing personal data. Consent is one of them but it is by no means the strongest. It can be withdrawn at any time. Indeed, the GDPR provides for the legal grounds to enable competent public health authorities (and employers) to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.

A valid distinction needs to be made at the outset between what is “for the public interest” and what is “of interest to the public”. I am fairly certain that it was Minister Simon Harris who was recently criticised for making a distinction between the two, but he was correct in his assessment. What he was trying to explain was that because some information is ‘of interest to the public’ does not mean its disclosure is made legitimate or justifiable by a motive of public interest. Would disclosing the information do more harm than good? It has elements of the harm principle of the utilitarian philosophy espoused especially by J.S. Mill and Jeremy Bentham. In essence, the lesser harm for the greater good. The courts and many statutes frequently refer to the public interest but “there is no single satisfactory definition of what the public interest is” (see Kelleher, Privacy and Data Protection Law in Ireland, 2nd ed. at p.175). It might be more incisive to simply ask what is in the best interests of the public at large.

In the context of a Freedom of Information case in an Australian Federal Court, Justice Brian Tamberlin wrote the following:
The public interest is not one homogenous undivided concept. It will often be multi-faceted and the decision-maker will have to consider and evaluate the relative weight of these facets before reaching a final conclusion as to where the public interest resides. This ultimate evaluation of the public interest will involve a determination of what are the relevant facets of the public interest that are competing and the comparative importance that ought to be given to them so that “the public interest” can be ascertained and served. In some circumstances, one or more considerations will be of such overriding significance that they will prevail over all others. In other circumstances, the competing considerations will be more finely balanced so that the outcome is not so clearly predictable. For example, in some contexts, interests such as public health, national security, anti-terrorism, defence or international obligations may be of overriding significance when compared with other considerations. (McKinnon v Secretary, Dept. of Treasury [2005] FCAFC)

The term eludes precise definition but at its core is concern with the welfare or well-being of the general public and society. Data protection law and GDPR often have to be balanced against other rights such as freedom of expression. Today we are seeing with Covid-19 government actions how the public interest motive in the area of public health far outweighs personal rights and freedoms. What is, or indeed what is not, in the public interest often depends on the context in which it is being examined.

Mr Justice Barrett in Dublin Waterworld v National Sports Campus Development Authority [2014] IEHC 518 (7 Nov 2014) stated, “disputes are likely to be of interest to the public but that does not make their resolution a matter of public interest”. S.53 DPA 2018 uses the terms “for public interest reasons in the area of public health including…”. The terminology of Art. 9(2)(i) is similar and refers to “processing necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…”.

Processing of special categories of personal data including health data is clearly permissible under GDPR and the DPA 2018. “Processing” under the GDPR includes, amongst others, “dissemination”, but this does not mean it is permissible to freely share the information with the general public. Dissemination, as a form of processing, must itself follow the data protection principles and respect, amongst others, the principle of purpose limitation.

If the personal data is initially collected (processed) for the public interest in the area of health, is the dissemination (for example, through the coronavirus daily briefings) in line with this original purpose? It is likely that the answer is yes. The best informed view is that the dissemination just represents another type or form of processing and the purpose remains the same. Anyway, Art. 6(4) GDPR allows for a ‘compatibility (of purpose) test’, in situations where the processing is for a purpose other than that for which the data have been collected and is not based on consent or Union or Member State law. The concept of “public interest” at general law is wide-ranging and expansive. A classic dictum is that of Lord Hailsham that “the categories of public interest are not closed” (D v National Society for the Prevention of Cruelty to Children [1978] AC 171 at 230).

There are… several different features and facets of interest which form the public interest. On the other hand, in the daily affairs of the community events occur which attract public attention. Such events of interest to the public may or may not be ones which are for the benefit of the community; it follows that such form of interest per se is not a facet of the public interest (DPP v Smith [1991] 1 VR 63 at 75).

The public interest is not the same as that which may be of interest to the public. We have seen in many previous blogs how data protection rights do not exist in isolation, nor do they trump other rights. At any time the Government can decide to be more forthcoming and more specific with information concerning Covid-19. The deciding factor will be whether it is in the public interest to do so. If that time ever comes the government will still be mindful of the obligation to protect the anonymity of any individual who may have contracted the infection.

In an upcoming blog we will share common data protection concerns in the context of the coronavirus that have been raised by many of our clients through our website.

Patrick Rowland, GDPRXpert.ie
We are GDPR and data protection consultants with bases in Carlow/Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie
