Global menu

Our global pages

Close

Coronavirus – Data Protection Implications for Organisations - Ireland

  • Ireland

    12-03-2020

    Introduction

    Many organisations are facing data protection compliance issues in connection with their containment, management and mitigation of risk in respect of COVID-19.

    Organisations are assessing their obligations both as an employer and its obligations in respect of visitors to and from its premises on the range of options available to them regarding strategies going forward. In general, all organisations that are the subject of data protection legislation face similar compliance issues. However, the degree of restrictions may differ from country to country, depending on local circumstances, legislation and guidance from either local government/health services.

    In Ireland, the main data protection issue facing organisations is compliance with the GDPR and Data Protection Acts 1988 – 2018. This legislation governs the processing of personal data (including special category data) that may be processed by organisations in determining what steps it must take to contain, manage and mitigate the risk of COVID-19. Any information processed relating to an individual must be processed in compliance with this legislation and this message has been further reinforced by guidance issued by the Irish Data Protection Commission (DPC).

    While data protection obligations should not stand in the way of an organisation implementing processes and procedures to contain, manage and mitigate risks identified by COVID-19, these processes and procedures must comply with such legislation. Any such action should be necessary and proportionate (having regard to the guidance and directions issued by the government and health services). In addition to the above, as the situation is constantly evolving, it will be important to continually monitor guidance issued by the government and health services as this will likely have an impact on the analysis of any action taken (and whether something that may have previously not been considered proportionate may become proportionate over time, depending on the circumstances).

    Legal Basis – Processing of Health Data

    Organisations need to ensure that any processing of health data is done on a valid legal basis under Article 9 of the GDPR.

    i. Consent

    An important factor in this regard is that if an organisation is to consider relying on consent as a legal basis to process health data it should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information (i.e. therefore the consent from an employee is generally not considered freely given in an employment scenario and, as such, the consent definition specified in the GDPR is not satisfied).

    In addition, organisations should be wary that data subjects (whether employees or visitors) are entitled to withhold or retract their consent at a point in the future. In the event of such a refusal or retraction, the organisation is not necessarily permitted to switch to another lawful basis for processing.

    ii. Public interest in the area of public health

    The DPC has recently indicated that in circumstances where an organisation is acting on the guidance of public health authorities, or other relevant authority, then it is likely that that Article 9(2)(i) of the GDPR and Section 53 of the Data Protection Act 2018 may permit the processing of such personal data, including health data, once suitable safeguards are implemented by that organisation. These safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate employee training to protect the data protection rights of individuals.

    iii. Legal Obligation

    It is acknowledged that employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. The DPC has indicated that there would no issue with an organisation requesting employees to inform them if they have visited an affected area or experiencing symptoms on the basis that an employer has a legal obligation to protect the health of their employee and maintain a safe place of work.

    On that basis, organisations should always consider whether the relevant information being sought from employees and visitors is adequate, relevant and limited to what is necessary for the purpose. This can be assessed by way of a privacy impact assessment (this is required where the processing of personal data (including special category data, such as health data) is likely to result in a high risk to individuals).

    iv. Vital Interests

    It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified.

    General Data Protection Principles

    i. Transparency

    Organisations will be required to ensure that any action taken which will involve the processing of personal data will need to be transparent (i.e. individuals will need to be informed in accordance with Article 13 and 14 GDPR). This will require organisations to inform each individual with certain information, including to the purpose of collecting this information, the legal basis and how long it proposes to retain such information.

    ii. Data minimisation and accountability

    Organisations will also be obliged to comply with data minimisation and accountability principles. In accordance with DPC guidance only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.

    iii. Records of processing

    Records of processing activities should be updated to reflect any new personal data processing activities undertaken as a consequence of COVID-19 and technical and organisational measures should be implemented to ensure the security of the personal data is appropriate to the level of risk.

    iv. Purpose limitation

    Organisations should not process health data that they already hold for a new purpose without considering data the protection implications of doing this. Data protection legislation provides that personal data should not be further processed in a manner that is incompatible with the purposes for which it was originally processed.

    Conclusion

    Organisations should keep updated in respect of any further guidance issued by government, health authorities and the DPC on COVID-19 and adapt their plans accordingly. The situation is constantly evolving and it will therefore be important for organisations to monitor such guidance as this will likely have an impact on the analysis of any action taken from a data protection perspective.

    For further information or to discuss the impact of this decision in more detail please contact

    Marie McGinley, Partner and Head of IP, Technology & DP - mariemcginley@eversheds-sutherland.ie

    Fiona Lipsett, IP, Technology & DP Solicitor - fionalipsett@eversheds-sutherland.ie

    For support on legal issues facing your business in light of the outbreak of Covid-19, please visit our Coronavirus hub to get our latest information and guidance.

    Disclaimer

    This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

    < Go back

    Print Friendly and PDF
    Register to receive regular updates via email.