The rapid spread of the coronavirus is causing alarm around the world. This almost unprecedented global event is leading to various unforeseen consequences, including the collection, use and sharing of personal data of affected individuals – and, in some cases, persons connected to them – in ways not envisaged only a few weeks ago. The processing of personal data of this nature can potentially have serious, albeit sometimes unintended, consequences.
Organizations that are subject to the General Data Protection Regulation (GDPR) and are collecting and/or using data in connection with the coronavirus outbreak should bear in mind a number of data protection issues. If organizations are collecting and using data about identifiable individuals, such data processing will be subject to the GDPR. If, as is likely, some of this information is health-related, it will be deemed to fall within the ‘special categories of personal data’, to which more stringent requirements apply.
Among other things, organizations should consider what data they are collecting, who such data relates to, what they are using it for and who they are sharing it with. They should consider whether their existing privacy notices adequately cover the collection and use of such data in a transparent and justifiable way; what legal basis they have for processing such personal data; and whether any use and sharing of such data is proportionate and carried out in accordance with appropriate data-sharing agreements.
Organizations should also consider the security of any such personal data and ensure that appropriate technical and organizational measures are in place to adequately protect it. Depending on measures taken by organizations to combat coronavirus, unusual security issues could become relevant to all of the organization’s data. For example, if an organization’s employees are all required to work remotely, consideration should be given to whether this may increase security vulnerabilities within an organization’s IT systems.