Personal data processing during a pandemic – the Office for Personal Data Protection’s perspective
During a declared state of emergency, there is always the danger that public authorities may excessively infringe on citizens’ rights and freedoms – and this also applies to the protection of their personal data. The Office for Personal Data Protection (OPDP) has therefore been monitoring the current situation and continues to comment on individual problematic aspects.
Informing the citizens
Shortly after the state of emergency had been declared, the Office for Personal Data Protection commented on the processing of data on a person’s state of health, which also includes information about any infectious diseases. Such data is mainly processed by the public health protection authorities, i.e. regional hygienic stations and ministries authorised to take appropriate measures to limit the further spreading of infectious diseases. Such measures may also include informing the population, e.g. by issuing warnings or calls via text messages. According to the vice-president of the office, the legal basis for such data processing is the urgent public interest of health protection, and personal data may be processed and transferred for these purposes within the limits of applicable legislation and extraordinary governmental measures.
Smart Quarantine
The office also opined on the ‘Smart Quarantine’ programme, ordering mobile operators and banks to process data on the movement and behaviour of persons infected with the coronavirus. The basis for personal data processing is the extraordinary measure of the Ministry of Health and the procedures stipulated in the Public Health Protection Act. The processing must only cover the necessary operations, which must be carried out within the defined purpose, i.e. to determine an infection’s possible source and prevent its further spreading. Data gathered must only be kept for the shortest time necessary; according to the office, for non-anonymised data, this means a maximum of six hours. After that, the data must be deleted or fully anonymised, to prevent its abuse. The office has also called upon the data controllers (namely the Ministry of Health and the emergency committee) to properly inform the public to dispel any fears of possible breaches of privacy.
Rules and recommendations for working from home
The office has also summarised basic rules and recommendations as regards personal data protection when working from home. It has warned against fraudulent emails containing attachments or links that may appear to be important information about the new coronavirus. The office has also pointed out that personal data should not be transferred through public Wi-Fi networks, and that transfers using mobile data or VPN are safer. To employees, the office recommends using passwords responsibly, including hard disk encryption; employers, on the other hand, should develop specific procedures to address any security incidents in a quick and efficient manner. Even during a pandemic, employers still have the duty to report any breaches of personal data protection to the office within 72 hours.