Privacy, HIPAA, Security and GDPR – COVID-19 Considerations - McDermott Will & Emery

Privacy, HIPAA, Security and GDPR – COVID-19 Considerations

Overview


 

Introduction

Privacy, HIPAA, Security and GDPR


The introduction and spread of COVID-19 to communities across the globe has created numerous privacy and security compliance questions and challenges. Below, we address several frequently asked privacy and security questions, including those related to: (1) health care providers, health plans and health care clearinghouses in the United States (“Covered Entities”) and their services providers (“Business Associates”) that are subject to HIPAA; (2) businesses that are not subject to HIPAA, but who collect information that could be useful in reducing the spread of COVID-19; (3) cybersecurity considerations; and (4) businesses that process data concerning individuals in the European Economic Area (EEA) and are subject to the General Data Protection Regulation (GDPR).

Click the linked questions below to see their answers:

HIPAA FAQs (For Covered Entities and Business Associates)

  1. Are there any information security risks that we should be addressing in our response to COVID-19?
  2. What types of disclosures are we permitted under HIPAA to make to local, state, federal and international public health agencies?
  3. May we disclose information about a patient or plan member’s COVID-19 diagnosis to other persons who may have been in contact with the patient or plan member?
  4. May we share a patient or plan member’s COVID-19 diagnosis with the patient or plan member’s employer in order to allow the employer to take precautions against further infection?
  5. How do we respond to requests from the news media about the COVID-19 cases we are treating?
  6. As a Business Associate of multiple Covered Entities, we hold health data that we could analyze to provide insight on COVID-19 exposure, spread patterns and mortality. Does HIPAA allow us to leverage health data in this manner?
  7. We are a Covered Entity health care provider and would like to expand our use of telehealth during the COVID-19 public health emergency.  What should we consider from a HIPAA compliance perspective?

Personal Information FAQs (For All Businesses)

  1. If we collect personal information, such as travel or geolocation data, likely to be of interest to third parties in their efforts to respond to COVID-19, what do we need to consider before using or sharing this information?
  2. What if our privacy policy sufficiently describes the types of personal information we are collecting, but our intended use or sharing of the personal information in response to COVID-19, including with government agencies, will be novel or unexpected to our guests or consumers?
  3. If we learn that an employee, guest or customer has tested positive for COVID-19, what information may we disclose?
  4. If a government agency requests information about our employees, guests or customers, what do we need to consider from a privacy perspective in complying with such a request?
  5. If we disclose information to a government agency about our employees, guests or customers in relation to COVID-19, do we need to inform the individuals that we shared this information?

Cybersecurity Considerations and FAQs (For All Businesses)

  1. How can companies prepare their employees, contractors and others to identify and avoid the unique cybersecurity threats related to online communications about COVID-19?
  2. What are the cybersecurity issues or risks in increasing remote work?
  3. What additional cybersecurity concerns or risks should companies be aware of in these circumstances?

GDPR FAQs (For Businesses Subject to the EU General Data Protection Regulation)

  1. Are there GDPR considerations when dealing with the COVID-19 crisis?
  2. Are there special rules in the GDPR about how to handle information about COVID-19?
  3. Are there any special rules to consider when transferring sensitive personal data to a controller outside of the EEA?

 


HIPAA FAQs (For Covered Entities and Business Associates)

Are there any information security risks that we should be addressing in our response to COVID-19?


Access Controls

As the number of states and localities affected by exposure to COVID-19 grows, there is increasing interest in patients and plan members who test positive for COVID-19, or who are deemed “persons under investigation.” As a result, there is an increased risk that health care provider and health plan personnel who have access to electronic health records (EHRs) and plan administration resources could inappropriately access patient records to find out who may have contracted COVID-19 within their communities. Under the HIPAA Security Rule, Covered Entities must implement reasonable and appropriate administrative and technical access controls to protect the confidentiality of protected health information (PHI).

Health care providers and health plans should consider taking steps to ensure proper access to patient records by:

  1. Reminding their workforce members of the difference between appropriate and inappropriate access;
  2. Putting in place extra protections for COVID-19 patient records (e.g., “VIP” or “break the glass” status, which automatically notifies appropriate personnel when access to the patient record occurs);
  3. Regularly reviewing audit logs for inappropriate access by personnel; and
  4. Taking appropriate action if a violation occurs.

Remote Performance of Essential System Functions and Redundancy

If COVID-19 impacts the workforce members of a health care provider or health plan, the provider or plan’s information technology and security personnel could be among those infected with COVID-19 or subject to self-quarantine. In these circumstances, the health care provider or plan might need to rely on personnel working remotely or outside contractor support to perform essential information security responsibilities, such as incident response or necessary security updates to information systems.

Health care providers and health plans should review their emergency mode operation plans to ensure that:

  1. Information technology and security personnel can remotely perform essential system functions in a secure manner; and
  2. The health care provider or plan has sufficient redundancy to ensure that personnel or contractor support staff are available to perform essential security functions in the event that personnel are unavailable due to COVID-19 infection or quarantine.

Heightened Susceptibility to Phishing Attacks and Scams

According to the US Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA), malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware, revealing sensitive information or donating to fraudulent charities or causes.

Health care providers, health plans and their business associates should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:

  1. Not clicking on links or opening attachments contained in unsolicited emails;
  2. Using only trusted sources, such as government websites, to obtain up-to-date, fact-based information about COVID-19; and
  3. Not responding to solicitations by email to reveal personal or financial information.

Other Cybersecurity Considerations

Please consult our Cybersecurity Considerations and FAQs for additional considerations.

 


What types of disclosures are we permitted under HIPAA to make to local, state, federal and international public health agencies?


The Office for Civil Rights of the US Department of Health and Human Services, which enforces HIPAA, has released helpful guidance on COVID-19-related uses and disclosures, and our responses are reflective of this guidance.

Under HIPAA, Covered Entity health care providers may disclose PHI about individuals who are suspected of having contracted COVID-19 to public health authorities that are authorized by law to receive such information for preventing or controlling the spread of disease. “Public health authorities” include agencies or authorities of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that are responsible for public health matters as part of their official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency.

Under HIPAA, health care providers may also, at the direction of a public health authority, disclose PHI to a foreign government agency. Some states have mandatory legal requirements to report infectious disease cases, such as COVID-19, to state or local public health authorities.

Health care providers may report COVID-19 cases to federal, state and local public health authorities that are tasked with tracking COVID-19 cases and performing COVID-19 testing. Such disclosures should be limited to the “minimum necessary” information needed by the public health authority to conduct activities to control the spread of COVID-19. In addition, Covered Entity health care providers must keep records of disclosures made to public health authorities in order to be able to accommodate requests from individuals for an accounting of disclosures.

Generally, Business Associates may disclose PHI to public health authorities only if the disclosure is required by law or permitted under its business associate agreements with Covered Entity customers.  On April 2, 2020, the US Department of Health and Human Services, Office for Civil Rights (“OCR”) announced in a Notice of Enforcement Discretion that it would not impose penalties against Covered Entity health care providers or their Business Associates for a Business Associate’s good faith uses and disclosures of PHI for public health and health oversight activities during the COVID-19 nationwide public health emergency.  For more information regarding OCR’s notice, please see McDermott’s On the Subject: OCR Waives Penalties for Certain PHI Use, Disclosure by Business Associates during COVID-19 Emergency.


May we disclose information about a patient or plan member’s COVID-19 diagnosis to other persons who may have been in contact with the patient or plan member?


Covered Entity health care providers and health plans may, without first obtaining a patient or plan member’s consent, disclose information about a patient’s or plan member’s COVID-19 status to persons at risk of contracting COVID-19 if state law authorizes the Covered Entity to notify such persons in conducting a public health intervention or investigation or if the Covered Entity has a good faith belief that the disclosure is necessary to prevent or reduce a serious and imminent threat of COVID-19 exposure. Regardless, the Covered Entity health care provider or health plan should communicate with the affected patient or plan member first, if possible, and explain the public health benefits of notifying individuals who the affected patient or plan member may have exposed to the virus.

In all cases, even when the patient or plan member affirmatively approves such disclosures, Covered Entity health care providers and health plans should limit these disclosures to the minimum necessary to allow the individual to be aware of their exposure and seek medical attention if appropriate.

Please refer to OCR’s FAQs on “COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities” for guidance on how Covered Entities may share PHI with first responders (such as paramedics, other health professionals, fire department personnel, and law enforcement officials) who are at risk of infection due to interacting with a patient or plan member with COVID-19.


May we share a patient or plan member’s COVID-19 diagnosis with the patient or plan member’s employer in order to allow the employer to take precautions against further infection?


HIPAA generally does not permit Covered Entities to disclose PHI to a patient or plan member’s employer without the patient or plan member’s written authorization. The potential presence of COVID-19 at a patient or plan member’s workplace does not in itself provide an exception for the health care provider or health plan to notify the patient’s employer. Covered Entities may communicate concerns about potential workplace spread to public health authorities, identifying the employer. Public health authorities may then work with the patient’s employer to react appropriately to limit the spread of the virus. As noted above, health care providers may in some states notify individual employees of potential exposure to a patient with COVID-19.

To the extent that an employer conducts workplace surveillance of COVID-19 exposure (e.g., testing all or a portion of employees for disease status) as a result of federal, state or local workplace safety requirements, health care providers or labs working with the employer to conduct testing would be permitted under HIPAA to reveal test results directly to the employer who has requested the testing.

Please see our FAQs for US and Multi-National Employers for additional employer-focused resources.

 


How do we respond to requests from the news media about the COVID-19 cases we are treating?


HIPAA does not permit Covered Entities to disclose PHI—including basic demographic information such as names, addresses or dates of birth—to the media without the individual’s authorization. As a result, Covered Entities must be careful when discussing the status of specific COVID-19 cases with the media.

Hospitals and other health care facilities may disclose aggregate information to the media about the number of patients they are treating with confirmed or suspected COVID-19, but should be careful about revealing information about how the patient was exposed to COVID-19 or general information about where the patient lives, as this may allow the media to identify the patient through publicly available sources. Information must exclude all the following identifiers to avoid classification as PHI under HIPAA:

  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code in certain circumstances;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images;
  • Any other unique identifying number, characteristic or code; and
  • Any other information that the Covered Entity knows could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the difficulty in discussing an individual’s patient’s status without revealing information about the dates of their care or where they live, Covered Entities may elect to limit disclosures to the media to aggregate counts of patients or plan members that are currently receiving care for COVID-19.

 


As a Business Associate of multiple Covered Entities, we hold health data that we could analyze to provide insight on COVID-19 exposure, spread patterns and mortality. Does HIPAA allow us to leverage health data in this manner?


Many companies in the healthcare industry are looking to do whatever they can to combat the spread of the virus and identify disease trends. In particular, companies that have access to large data stores may be considering different analytical products they could create to provide additional insight on exposure and spread patterns, and trends in disease morbidity and mortality.

Companies seeking to perform such data analytics on PHI or to de-identify PHI in their possession to perform analytics must consider the following before doing so:

  • To the extent the company needs to perform such analytics on PHI, the company must evaluate whether the activity would be considered “research” under HIPAA; and
  • Regardless of whether the data is PHI or de-identified, the company must ensure that it has permission from the Covered Entities that provided the data to use the data for such analytics.

Under HIPAA, “research” means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. To the extent that analytics will be performed on PHI, the company will need to evaluate in coordination with its Covered Entity customers whether the results of the analysis will be used to inform the public at large about conclusions related to COVID-19. If yes, the company may first need to seek a waiver of the HIPAA authorization requirement from an institutional review board before conducting the analysis.

In a Notice of Enforcement Discretion, OCR announced on April 2, 2020 that it would waive penalties for a Business Associate’s good faith use of PHI (including performing data analytics on PHI) for public health and health oversight activities during the COVID-19 nationwide public health emergency.  Nevertheless, a Business Associate may be in breach of its contracts with Covered Entity customers if the contracts do not allow the Business Associate to use PHI for public health activities, or to create de-identified data sets.  Even if a company would like to perform analytics on de-identified data that is not subject to HIPAA requirements, the company would need to ensure that it has obtained adequate permissions in its agreements with Covered Entities to create de-identified data from PHI, and use the de-identified data to conduct the analyses.

Companies should consult legal counsel and review their agreements with Covered Entities before using their access to PHI to conduct COVID-19-related analytics.

For information on the HIPAA, California Consumer Privacy Act, and GDPR de-identification standards, please view McDermott’s March 25th webinar on this topic.


We are a Covered Entity health care provider and would like to expand our use of telehealth during the COVID-19 public health emergency. What should we consider from a HIPAA compliance perspective?


On March 17, 2020, OCR announced that it will not penalize Covered Entity health care providers for their non-compliance with HIPAA in connection with the good faith provision of telehealth through non-public facing audio or video communication products during the COVID-19 national emergency.  This means that health care providers during the COVID-19 national emergency may employ audio and video communications products to conduct telehealth services without first entering into business associate agreements with the vendors of such products – even if a business associate agreement would normally be necessary.  Health care providers should always nevertheless evaluate and mitigate potential security risks to their telehealth platforms. For additional details and HIPAA compliance considerations, please see McDermott’s On the Subject: OCR Enforcement Waivers of Certain HIPAA Requirements in Furtherance of Telehealth during COVID-19 Pandemic

 


Personal Information FAQs (For All Businesses)

If we collect personal information, such as travel or geolocation data, likely to be of interest to third parties in their efforts to respond to COVID-19, what do we need to consider before using or sharing this information?


Companies should review their existing privacy policies and notices to determine whether they sufficiently cover the personal information the company intends to collect, and how it intends to use and share that personal information. This may require review of multiple policies (e.g., employee privacy policy, external-facing website privacy policy).

Where the existing privacy policy does not sufficiently describe the personal information that the company intends to collect and how it intends to use and share such information, the company should consider updating its privacy policy prior to collecting the personal information or provide a supplemental privacy policy or notice at the time of collection to cover any new information that the company intends to collect, especially related to COVID-19.

 


What if our privacy policy sufficiently describes the types of personal information we are collecting, but our intended use or sharing of the personal information in response to COVID-19, including with government agencies, will be novel or unexpected to our guests or consumers?


Some companies’ privacy policies may already address the types of personal information that government agencies are interested in collecting to stop the spread of COVID-19. For example, airlines, car rental companies, hotels, travel insurance providers and other companies that offer loyalty programs track the timing and location of purchases. They and some participants in the interest-based advertising industry who receive geolocation data from cookies, pixels or apps may record where an individual has traveled. This information has often been collected from or provided by the guest or consumer to obtain discounts or perks on future services, without contemplation of its possible use for public health purposes.

Companies will need to review their existing privacy policies to ensure that the policies cover the disclosure of the personal information to a governmental agency for the requested purpose.

Privacy policies typically provide that personal information can be shared to protect the health or safety of individuals, or in response to valid legal process or a lawful obligation. Companies will also want to consider whether the personal information collected may be used for a novel or unexpected purpose that is not covered by the privacy policy, and amend their privacy policies accordingly, as noted above. This may also require updated internal instructions to employees, review of escalation procedures and perhaps revised disclosure standards for those assigned to make these types of decisions.

Companies should also consider whether a novel use of personal information or an underlying product or service changes the company’s role under applicable data protection law (e.g., “business”/”service provider” under the California Consumer Privacy Act).

 


If we learn that an employee, guest or customer has tested positive for COVID-19, what information may we disclose?


If a company learns that its employee, guest or customer has tested positive for COVID-19, the information the company may disclose depends on the intended recipient of the disclosure. If the company is making the disclosure at the request of a federal, state or local government agency, the company may provide information responsive to such agency’s requests. See Personal Information FAQ #4 and HIPAA FAQs #2-4.

If the company chooses to inform its employees, guests or customers about another employee, guest or customer who has tested positive, it should only share the minimal amount of personal information necessary to enable individuals to assess their own personal health and potential exposure. The minimal amount of personal information necessary is context-specific and may change depending on the circumstances. The personal information that a company can provide may be different, for instance, if the company employs 10 people as compared to 1,000 people, or if the individual who tests positive is a customer as opposed to an employee. Some information, such as the location where the affected individual may have come into contact with other individuals, will likely be important, shareable information in most cases.

A company should not share the individual’s name, and should seek to avoid sharing other personally identifiable information. Given the unprecedented nature of this situation, there undoubtedly will be novel disclosure questions that arise, in which case companies should be prepared to escalate questions to the proper individuals within the company, and consult experienced privacy counsel where necessary.

Please see our FAQs for US and Multi-National Employers for additional employer-focused resources.

 


If a government agency requests information about our employees, guests or customers, what do we need to consider from a privacy perspective in complying with such a request?


Responding to a request from a governmental agency for personal information about an employee, guest or customer will implicate a number of privacy considerations:

Geography

Because COVID-19 is spreading to countries around the globe, multinational companies need to be cognizant of their privacy obligations under federal, state and international data protection laws, which can vary widely. Information that can—or must—be freely shared in one jurisdiction may be subject to a stricter regulation in another. Absent a legal requirement (as discussed below), companies should be careful about providing personal information about the individuals with whom they interact to governmental entities in response to informal requests, particularly where the mere fact that an individual is a customer of, or otherwise associated with, a company could disclose personal information about the individual. Even where a legal obligation exists, companies need to be thoughtful in their responses to governmental requests to minimize potential harm to employees, guests or customers. Information that may be relevant to fighting the spread of COVID-19—such as precise geolocation data, travel data and information about contacts—may also be of interest to government entities for other purposes. Please see our GDPR FAQs for more information about relevant privacy obligations in the European Economic Area.

Valid Process/Legal Obligation

If applicable law requires companies to provide certain personal information to a governmental entity, many of the questions companies may have about disclosure will be resolved. Even in these instances, however, companies should be mindful while complying with lawful requests to ascertain the appropriate scope of the request; minimize any unnecessary harm to employees, guests or customers; and only provide information that is required. Where the government agency makes only an informal request for information, without providing legal process, companies should consider requesting an explanation of the legal basis for the request, or if necessary, legal process such as an order, subpoena or warrant prior to providing personal information. Factors that may weigh into this calculus include the nature of a company’s business, the jurisdiction of the government requesting the information and public relations considerations (discussed below).

Reputational Issues

If a company chooses initially not to comply with an informal request from the government to provide personal information of its employees, guests or customers, it could face objections or even a public relations backlash if the government then paints it as uncooperative in stopping the spread of COVID-19. However, companies that have built their brands and reputations around protecting privacy may need to insist on their rights to obtain legal process before complying, and weigh the short-term public relations response against the long-term impact on guest or customer trust.

 


If we disclose information to a government agency about our employees, guests or customers in relation to COVID-19, do we need to inform the individuals that we shared this information?


If a US company discloses personal information to a federal, state or local government agency, the company only has a legal obligation to inform the affected individuals that their information was shared with the governmental agency in a limited number of circumstances. One potential circumstance is if a company subject to the California Consumer Privacy Act (CCPA) receives a data subject request from a California resident. Provided that no exceptions under the CCPA apply, the company would be required to provide the California resident with information about the categories of personal information that the company shared, and the types of third parties with whom it shared the personal information in the last 12 months, including governmental agencies. Notably, HIPAA-Covered Entities and Business Associates are exempt from CCPA with respect to their handling of health information.

Even though a US company may only have a legal obligation to inform individuals that it shared their personal information under a limited number of circumstances, the company should consider whether it would voluntarily disclose to individuals that their personal information was shared.

Similar to other disclosure questions related to COVID-19, companies should weigh public relations considerations, the nature of the company’s business and the types of information that they share in making a determination as to whether to inform affected individuals.

 


Cybersecurity Considerations and FAQs (For All Businesses)

What are the cybersecurity issues or risks in increasing remote work?


As companies begin encouraging more of their employees to work remotely, their businesses may experience bandwidth issues, increased exfiltration of data to employees’ personal devices, and greater security exposure due to larger numbers of remote workers, including new or inexperienced ones.

Companies may need to test (including load testing) their remote connectivity capacity—whether VPN, virtual desktop infrastructure (VDI) interfaces, or other remote facilities—to ensure that they can support the expected increase of remote logins, especially if offices are partially or completely closed.

This will differ depending on the remote access solution a company uses. For example, some companies may only need to verify the bandwidth and processing power connected to the VPN concentrator.

Other companies with VDI solutions may need to check server capacity and concurrent license requirements to accommodate an increased remote workforce. Additionally, prompt, continuous and up-to-date security patches on remote access components and devices is critical.

Companies should pay special attention to workers with no or limited history of remote work. These workers may not adequately understand the security necessary to safely work remotely, and may benefit from additional training on these topics. They may also need to be issued multi-factor devices, or have the appropriate software or certificates installed on their work or personal devices.

Although the majority of employees will heed the public concern and work from home, companies may consider cautioning its employees about the risks of connecting to unsecure networks in public locations (i.e., public libraries, cafes or even airports, for those determined to travel). Security awareness messages emphasizing current remote work security protocol should also be reiterated to the workforce generally.

Companies should be clear about the requirements and expectations of their remote access policy and acceptable use policy, including potential disciplinary actions to be taken if either policy is violated. Companies should clearly indicate whether company data is allowed on personal devices. Companies may consider attaching these policies to emails as a reminder, including when announcing office closures. Companies may also consider emphasizing the appropriate security hygiene employees should follow when working remotely, such as avoiding co-mingling company data with personal emails or avoiding “split tunneling,” which is when the device communicates with a secure network, like the company’s VPN, and an insecure network at the same time.

 


What additional cybersecurity concerns or risks should companies be aware of in these circumstances?


As the workforce shifts to more remote work, security monitoring solutions (SIEM) and other risk avoidance solutions may experience a higher number of false positives as workers who typically access the network from the office start to access it from home. Companies may need additional security operations personnel to handle alerts and filter the false positives from actual positives. Additionally, attackers may use the disruption in normal work patterns to hide intrusion activities, so additional caution is needed.

Companies can take precautions to ensure they are prepared to respond to a data security crisis with a potential skeleton crew. Now is a crucial time to take a fresh look at the company’s incident response plan, disaster recovery plan and other security monitoring plans to ensure the company is adept at responding to a data security incident while managing business interruption affecting personnel.

Regardless of the strength of these existing policies, companies may consider updating them for pandemic preparedness. The company may also want to consider holding a tabletop exercise to practice for a potential data security incident to simulate its response capabilities when multiple members of the incident response team or others are out of the office and working remotely. At a minimum, a training refresher in the form of a meeting with security personnel inside the company emphasizing current policies and plans for response should be considered. Also consider whether existing cyber insurance coverage is adequate to cover the risks that may be possible during the pandemic.

Companies should also ensure that they comply with relevant security rules and frameworks (such as the HIPAA or GLBA security rules, PCI DSS standards, and internal policy requirements, as applicable) regarding the transmission and storage of sensitive information concerning COVID-19 (such as PHI, consumer data or other company classified data).

The cybersecurity rules that were applicable prior to the COVID-19 are still in effect now. Cybersecurity laws, regulations and procedures have not been lessened as a result of this, and there is no indication that enforcement, at least in the United States, will be lax or suspended at this time. The appropriate response to the COVID-19 from a cybersecurity perspective is to continue to enforce basic good cyber hygiene.

Please see our FAQs for US and Multi-National Employers for additional employer-focused resources.

 


GDPR FAQs (For Businesses Subject to the EU General Data Protection Regulation)

Are there GDPR considerations when dealing with the COVID-19 crisis?


Yes. Any information about an individual resident in the EEA who has or is suspected to be infected with COVID-19 will be considered to be a “special category of personal data” (or “sensitive personal data”) under the GDPR and is subject to additional controls.

The practical impact for a company is that its GDPR data privacy notices, whether they are published on its website or provided internally to employees, should be checked to see that they cover this sort of personal data, and the way in which the company needs to use that information.

This is particularly the case where the company needs to provide COVID-19 information to additional third parties or government agencies.

Secondly, if a company or a subsidiary to it is subject to the GDPR, then it should be keeping “records of processing” of personal data (Art. 30).

These records of processing may need to be expanded to deal with any additional processing that is necessitated by dealing with COVID-19 information.

Thirdly, companies may start to receive data subject requests (DSRs) from employees, customers or contacts about COVID-19 concerns. For example, a passenger on a plane could ask the airline if any of the other passengers on that plane are infected, or are suspected to be infected, with COVID-19. Companies should check that they have a process in place to deal with these sorts of DSR requests.

Remember that the GDPR covers individuals whether or not they are named, and so if a company could identify the suspected individual with information in its possession or other publicly available information, the GDPR can apply.

 


Are there special rules in the GDPR about how to handle information about COVID-19?


Yes. The COVID-19 status of individuals would qualify as part of the “special categories of personal data,” as noted above. The GDPR requires that this category of personal data may only be processed if:

  1. The data subject has given consent;
  2. The processing is necessary for the functions of an employer;
  3. The processing is necessary to protect the vital interests of the data subject and where they are physically or legally incapable of giving consent;
  4. The processing relates to personal data manifestly made public by the data subject;
  5. The processing is necessary for reasons of substantial public interest;
  6. The processing is necessary for the purposes of preventative or occupational medicine, the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services; or
  7. The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health.

A number of European countries have now issued emergency laws that will allow companies to use this last basis of public health to process sensitive personal data.

  • France: Les Agences régionales de santé (ARS) has issued an information notice.
  • Germany: The Infection Protection Act (IfSG) and the Hygiene Regulations of the German Federal States regulate the processing of healthcare information in these circumstances.
  • Italy: The Italian Civil Protection Department has adopted a Civil Protection Ordinance.

It is important that you have a valid basis for processing sensitive personal data.

 


Are there any special rules to consider when transferring sensitive personal data to a controller outside of the EEA?


Yes.

If using the standard contractual clauses, companies should check whether there are further restrictions in the clauses that relate to sensitive personal data.

For example, the standard contractual clauses contain a provision that requires that any onward transfer of the sensitive personal data is not permitted without the consent of the individual.

Care should be taken when transferring sensitive personal data received from Europe to any third parties that the terms and conditions of any standard contractual clauses are complied with.

For this reason, using the Privacy Shield self-certification or Binding Corporate Rules, if applicable, are often superior mechanisms to legitimize the international transfer of personal data.


This material is for general information purposes only and should not be construed as legal advice or any other advice on any specific facts or circumstances. No one should act or refrain from acting based upon any information herein without seeking professional legal advice. McDermott Will & Emery* (McDermott) makes no warranties, representations, or claims of any kind concerning the content herein. McDermott and the contributing presenters or authors expressly disclaim all liability to any person in respect of the consequences of anything done or not done in reliance upon the use of contents included herein. *For a complete list of McDermott entities visit mwe.com/legalnotices.