Data Protection - Implications Arising From COVID-19

Author: Mr Dino Wilkinson and Ben Gibson
Profession: Clyde & Co

The global outbreak of novel coronavirus (COVID-19) has prompted a variety of legal concerns. As companies seek to adopt a range of mitigation strategies, many organisations are increasingly submitting and receiving requests for health information on individuals. This article considers the data protection issues arising from such requests.


In light of the prevalence of COVID-19, organisations that provide on-site services are likely to face increasing questions from other parties about the health of employees assigned to customer-facing positions. For example, a service provider deploying a team of people into a client's office for several weeks may need to satisfy the client that no members of the deployed team have tested positive for the virus or recently travelled to a particular destination. They may be required to give evidence or details to verify such statements.

While it seems prudent for businesses to gather information to ascertain whether visitors or contractors pose a heightened health risk, the accumulation of personal data - particularly as it relates to health and medical issues - poses a number of potential legal challenges.

Potential issues

In countries where data protection laws exist, the collecting organisation will need to consider the legal impact of obtaining and holding such information.

In Europe, for example, medical personal data would be considered a "special category" of data under the EU General Data Protection Regulation (GDPR). There is a requirement to process any such data on the basis of specified lawful grounds and to provide information on the data collection activity to the individual. Any organisations intending to gather, and potentially disclose, personal data would therefore need to assess the lawful basis for such collection.

While the use of personal information for emergency treatment is likely to be acceptable on grounds that it is necessary to protect a person's life (under the 'vital interests' ground for processing in the GDPR), the sharing of health information or other personal data for risk assessment purposes should be considered more carefully. Appropriate processes must be followed to ensure compliance with laws relating to the collection, storage, use and further disclosure of the data.

In legal regimes without formal data protection laws, there will still...
