Every day sees the number of people infected with Coronavirus (COVID-19) increase, and it seems more likely than ever that in the UK, the NHS will shortly be placed under even more pressure than it is already. Whilst the data protection elements may seem trivial in the wider context, it is interesting to understand how the epidemic opens new legal pathways to processing data that would not exist under usual circumstances.
We have seen this situation before, in the case of the Grenfell Tower fire in June 2017. Dr Helgi Johannsson, a consultant anaesthetist at Imperial College Healthcare NHS Trust, set up a major incident instant messaging group to help coordinate the hospital’s response after learning a key lesson from the terrorist attack on Westminster just a few months earlier.
He commented: “From the Westminster attack we learnt it was important not to overload the emergency care coordinators with offers of help, so with Grenfell we used instant messaging to help coordinate which staff should come in, who was needed where and plan the service for later on that day, which vastly improved the care we were able to provide.”
Shortly after this, the NHS issued guidance: ‘instant messaging services a vital part of the NHS toolkit during a crisis’. The relevant Article within the GDPR which can support this type of processing is 6(1)(d), which states that processing is lawful if “necessary in order to protect the vital interests of the data subject or of another natural person.” For special categories of data (including health data), Article 9(2)(c) makes similar provision that processing is lawful where “necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”
Hospitals, researchers, government departments, universities, law enforcement and other relevant parties across multiple nations are sharing data on a massive scale to attempt to understand and contain the spread of COVID-19, and it seems that unrestricted sharing is critical to understanding the problem. Aside from the direct data sharing that is taking place, there are several projects that make data directly available to the public via the internet.
This tracker from Johns Hopkins University provides real-time information and tracks cases of this novel Coronavirus (2019-nCoV) in China, as well as around the world, including numbers of deaths, recovered patients, and countries affected.
The World Health Organisation has a Coronavirus dashboard, but it includes only its own information. In contrast, the Hopkins team gathers data from WHO and four additional sources including CDC, European Centre for Disease Prevention and Control, China’s National Health Commission, and ncov.dxy.cn, an independent data source maintained by Chinese physicians.
The data is being shared publicly because of the benefit that is derived from making it available. It remains personal health data and is governed by the ‘vital interest’ lawful basis. This means that using the data is only lawful for someone acting in the vital interests of the data subjects or others. It appears that the GDPR took this sort of scenario into consideration, with Recital 46 stating that the vital interest basis may apply “for monitoring epidemics and their spread”. The UK ICO’s guidance states that “Recital 46 does suggest that vital interests might apply where you are processing on humanitarian grounds such as monitoring epidemics, or where there is a natural or man-made disaster causing a humanitarian emergency.”
The GDPR allows processing of health data where “necessary for reasons of substantial public interest, on the basis of Union or Member State law” in Article 9(2)(g) and permits member states to derogate from the prohibition on processing special categories of personal data (Recital 52) for substantial public interest, such as: “…the prevention or control of communicable diseases and other serious threats to health.”
The Irish Data Protection Act 2018, section 53 states that “the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including… protecting against serious cross-border threats to health”. The UK’s Data Protection Act 2018 is not so broad, adding (Schedule 1, Part 1, section 3) that the processing must be “necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.” This means that under UK data protection law the substantial public interest basis in the case of COVID-19 can only be claimed by a health professional or someone with statutory confidentiality requirements and suggests that other industries (e.g. travel) could not rely on this basis.
As we have seen from the Johns Hopkins tracker, current data sharing is cross-border, on an international scale. The GDPR permits this in Article 49(1)(f), which allows international transfer with no other mechanism for the protection of vital interests. Recital 112 allows transfers made for reasons of “public health, for example in the case of contact tracing for contagious diseases…” and Article 49(1)(d) also provides a ‘public interest’ derogation. This means that the GDPR has made provision to allow mass processing of personal data for tackling the spread of COVID-19 across multiple borders.
The COVID-19 outbreak provokes some interesting conundrums in terms of the role of data in the context of public health, data protection, and data sharing, which will hopefully lead to established and trusted mechanisms for time-critical data sharing in the future.
Written & Published By: Claire Robinson DPO, IPP/E, CIPM, ISO 27001 certified Consultant.
1st March 2020