COVID - 19 and the protection of personal data: guide to practical aspects

New BACK

COVID-19 and the protection of personal data: guide to practical aspects

We prepared this document with the main considerations to be taken into account by companies for the handling of personal data related to the 2019 coronavirus pandemic (COVID-19).

Enforceability of the personal data law during the pandemic

The Bureau of Public Information Access (the “Bureau”) published on March 11, 2020 a number of recommendations to be taken into account for the treatment of personal data during the pandemic. Through these recommendations, it is observed that the Bureau adopted a criterion of strict compliance with the regulations, even in the face of this extraordinary situation. The following recommendations are highlighted: (i) health data is a category of sensitive data and therefore deserves more rigorous protection; (ii) disclosure of the name of a patient with coronavirus requires his/her consent; (iii) health establishments and health professionals can process and transfer patient data to each other, as long as they comply with professional secrecy (that is, they do not allow his/her disclosure to third parties); and (iv) the Argentine Ministry of Health and the provincial ministries are empowered to request, collect, transfer to each other or process in any other way health information without the consent of the patients.

 

The following questions arise from these recommendations:

 

(1) In the event of a positive case of coronavirus in the company, can (or should) the employer notify the rest of the employees who have had close contact with this person?

Under a strict interpretation of the regulations and recent recommendations, it can be concluded that in the absence of the prior and informed consent of the employee in question, the company cannot disclose its infected situation to the rest of the employees. Such understanding could be questioned arguing that in these cases the obligation of the company to ensure a healthy and safe work environment and protect the rest of its employees should prevail, excepting the obligation to require consent.

In order to harmonize both positions, it is essential to find alternatives that guarantee public health in an extraordinary situation and that imply an unprecedented health emergency. An option will be, in the face of the employee's refusal to grant consent, notify the infected employee's close work contacts without giving his/her name, in order to comply with the personal data regulations and also the obligation to guarantee security in the work environment. In the same sense, since the company is obliged to report the existence of the positive case to the health authority (see point (3) below), this contact could be used so that in its case the authority itself participates in communicating the need for the required isolations in the work environment.

 

(2) If the infected employee is willing to give consent, what requirements apply to comply with the regulations?

In times of quarantine and/or social distancing rules, obtaining personally signed documents may represent an insurmountable obstacle. Argentine regulations allow obtaining consent by electronic means to the extent that an effective identity validation mechanism is implemented. Consent sent from the employee's corporate email (which requires personal password access) may reasonably be considered a valid identification mechanism.

It is important to remember that consent shall be "informed" for it to be valid. In this sense, the company shall previously inform the infected employee about (a) the use it will give to his/her personal data (in this case, his/her situation as a patient with COVID-19), (b) who may be the recipients of that data, (c) if it will be stored in the company's database, indicating its location, (d) the consequences of refusing to provide consent, and (e) the rights it possesses as the owner of the data (access, deletion, rectification and update).

 

(3) In the event that the employee's consent to disclose his/her infected situation is obtained, can the parent company and/or other companies of the business group be informed of this?

Argentine regulations prohibit, in principle, the international transfer of personal data to countries that do not provide adequate protection in this area.

According to the criteria of the enforcement authority, the only countries and/or territories that currently have this level of protection are members of the European Union, the United Kingdom of Great Britain and Northern Ireland, Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands, Canada, Andorra, New Zealand, Uruguay and Israel. Therefore, in the event that the subsidiaries or parent company are not located in the aforementioned countries, it shall only be possible to report the case of infection to them if the employee expressly consented to his/her personal data being transferred to that country or if an international transfer agreement is implemented between the Argentine company and its subsidiary according to the model proposed by the enforcement authority.

 

(3) Can the employee revoke his consent once granted?

Yes, Argentine regulations allow revocation of consent, without retroactive effect. In this sense, if the employee communicates to the company his/her decision to revoke the consent given for the disclosure of his/her situation as an infected patient, the company must cease said disclosure but in no case shall the prior disclosure until the revocation of consent be considered illegitimate.

 

(3) Should the situation be reported to any State agency?

Yes, regardless of whether the employee gave consent or not. Recent regulations issued by the Ministry of Labor oblige companies to report positive cases to the Ministry of Health.


Considerations under the GDPR

Although the GDPR (European Union regulation that regulates the protection of personal data) contains extraterritoriality regulations that a priori allow its application anywhere in the world, its application to Argentine companies is not automatic nor does it occur in all cases. For this rule to apply to the processing of personal data carried out by an Argentine company, each individual treatment activity must be analyzed and said treatment (a) must be inextricably linked to an activity carried out by an establishment of the Argentine company in the European Union; or (b) must be carried out on people who are in the European Union and be linked to the offer of goods and services to said people or the monitoring of their behavior.

In the context of the current pandemic, the European Data Protection Committee issued on March 20, 2020 a statement establishing, among other issues, that in the workplace, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject to, such as obligations related to health and safety at the workplace or for the public interest, such as the control of diseases and other threats to health. In this area, the consent of the employee would not be necessary.

 

The committee also answered the following questions:

(1) Can an employer require its employees to provide specific health information in the context of COVID-19?

The principles of proportionality and minimization of data should be considered in this regard, emphasizing that the employer should only require health information to the extent that national legislation allows.

 

(2) Is an employer allowed to perform medical checks on employees?

The answer is based on national laws related to employment or health and safety. Employers should only access and process health data if their own legal obligations require it.

 

(3) Can an employer disclose that an employee is infected with COVID-19 to colleagues or outsiders? 

Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to disclose the names of employees who contracted the virus (for example, in a preventive context) and national law allows, the employees concerned must be informed in advance and their dignity and integrity will be protected.

 

(4) What information processed in the context of COVID-19 can be obtained by employers?

Employers may obtain personal information to fulfill their obligations and organize work in accordance with national law.

The committee has announced on its website that it will issue comprehensive directives on the treatment of personal data against the pandemic as soon as possible.


For further information, please contact Adrián Furman or Francisco Zappa.