This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.
As offices, shops and other businesses across the UK begin to reopen in the coming weeks and months, their employees and customers will be returning to a very different place of business from the one they left behind. Just as the places at which we work and those we visit will have changed, the expectations and experiences of employees and visitors will have changed substantially too. One major difference may be the widespread use of COVID-19 contact tracing apps among the UK population. We have previously blogged on how these contact tracing apps are intended to work, on the UK’s approach so far and on the regulator’s reaction.
The data stored in these apps may indicate the likelihood that an employee or visitor has COVID-19 or could transmit it to others. This information is potentially very useful for businesses as they try to manage the risks of reopening their premises. But there is a catch: depending on how the app has been designed, a business that looks at it could be deemed to be processing sensitive personal health data under European and UK data protection laws. Whilst it is still unclear how the UK NHS app will be designed, we have assumed in this blog that the app will display some form of personal data. We discuss the data protection obligations businesses may be under, and the extent to which they may be able to use this personal data.
Processing personal data: the first hurdle
For the processing of personal data to be lawful, businesses must identify a lawful basis for it under Article 6 of the GDPR. Acts which constitute processing of personal data include “collection”, “retrieval”, “disclosure” and “use”, so demanding to see an employee’s or visitor’s contact tracing app would itself involve processing. For this to be lawful, businesses will most likely need to show that they have a legitimate interest in processing the relevant personal data. In the context of the COVID-19 pandemic, preventing viral transmission within workplaces and premises is likely to be a sufficient ground, particularly where employers are subject to statutory or other health and safety obligations.
The legitimate interests basis can be overridden where the interests or fundamental rights of the individual outweigh those of the business. In the context of an employer processing the data of an employee, however, the employer (which needs to maintain a healthy workforce and fulfil its duty of care to employees) and the individual (who wants to avoid becoming ill with COVID-19) arguably have an alignment of interests.
Processing health data: a special case
In addition, data concerning health is a special category of personal data, and processing it is prohibited unless one of the exceptions in Article 9 of the GDPR applies. Three exceptions could apply in this context:
- Consent: A business can process an individual’s health data if the individual gives explicit consent. However, there are two issues with relying on this exception. First, the GDPR defines consent as an “unambiguous indication of the data subject’s wishes”, meaning that a business can only see an individual’s tracing app if the individual wishes it to; the individual has the right to refuse. Secondly, the ICO’s guidance on consent notes that there should be no imbalance of power in the relationship, making consent particularly difficult to rely on in an employee/employer context (given the risk of an employee feeling compelled to consent for fear of the potentially negative consequences of refusing). The ICO recommends that employers look for an alternative basis where possible.
- Necessary under employment law: The employment law obligations exception only applies if: (i) the processing is necessary to perform obligations imposed by law; (ii) the employer has an appropriate policy document in place; and (iii) additional safeguards, such as the retention of processing records, are implemented. The relevant obligations imposed by law will most likely relate to the health and safety of employees in the workplace; this topic will be discussed further in a subsequent blog. If a business is going to rely on this exception, it must satisfy the remaining conditions by ensuring that it has a document in place which explains how it complies with the data protection principles and sets out its retention and erasure policies. In addition, employers may be able to rely on the ground that the processing is necessary to assess whether an employee has the capacity to work effectively and safely. In that case, the assessment would have to be made by a health professional or by someone else who owes a statutory duty of confidentiality to the employee.
- Necessary for public health: For this to apply under the GDPR, the processing has to be necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. In the UK, the processing must cumulatively be:
  - necessary for reasons of public interest in the area of public health; and
  - carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under the law.
Businesses should only process the minimum amount of data that they need to fulfil their original purpose (the GDPR’s data minimisation principle). In this context, therefore, they should ensure they do not collect unnecessary or excessive information from individuals when accessing their contact tracing app. For example, businesses will likely need to know whether a tracing app has informed an individual that they have come into contact with someone who has tested positive for COVID-19. They will not usually need to know further details about the underlying health of that individual, even if that information is available in their contact tracing app.
The GDPR also requires businesses to undertake a data protection impact assessment (DPIA) under Article 35 for any type of processing which is likely to result in a high risk to individuals, and in particular where they plan to process special category data on a large scale. Businesses will also have to ensure that any data they process and store is held securely, in line with the integrity and confidentiality principle and the security of processing requirements in Article 32: the more of the app’s data a business records (for example, by keeping a log of who was checked and what the app showed, rather than simply viewing the screen), the greater the security burden it takes on.
From an employee relations perspective, and in order to comply with the GDPR’s transparency requirements, whichever exception is relied upon it would be prudent for employers to explain clearly and simply what data is going to be collected and why, providing as much reassurance to employees as possible that the processing is important for protecting their health and the health of their colleagues or customers, and that their data will be handled with appropriate care.
While the ICO has not issued any specific guidance on how data protection laws should be interpreted in relation to contact tracing apps, it has provided general guidance on the application of data protection laws during the COVID-19 pandemic. In particular, it has stressed that data protection laws allow for “appropriate and proportionate safeguards for individual’s personal information [while also allowing] for a recognition of the public interest, for instance in the use of apps, research projects and digital tools that rely on large personal data sets.”
We therefore expect that businesses will generally be able to rely on a combination of their legitimate interests and the employment law and/or public health exceptions for processing special category data relating to employee health. But the applicability of these grounds is not guaranteed, and legitimate interests and the other lawful bases for processing should be kept under continuous review, taking into account the nature of the pandemic threat and, hopefully, its recession over time. Businesses should therefore take a belt and braces approach to processing this data: have an appropriate policy document in place, comply with the additional safeguards and, where possible, obtain explicit consent from the data subject as well, to increase the likelihood of being sufficiently covered. This should be combined with appropriate messaging to ensure that the reasons for the data collection are understood and the likelihood of challenge is minimised.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?