Iceland’s data protection authority offers advice on GDPR compliance during the COVID-19 outbreak.

Key takeaways

  • Information that a person is quarantined is generally not considered to be sensitive personal information, but it is appropriate to pay particular attention to the principles of the Data Protection Act on data minimization and fairness.
  • Maintain only the minimum

General:

This is not the time for strict enforcement of data protection. We are showing agility during this crisis.

Work:
  • Information that someone is infected with coronavirus is health information.
  • Information that someone has been quarantined or returned from a so-called “risk area” is not health information.
  • Employers should not disclose information that individual employees

The United Kingdom’s Information Commissioner’s Office has provided its guidance on COVID-19 and data privacy.

  • Public health messages are not direct marketing.
  • It’s about being proportionate – if some data processing feels excessive, then it probably is.
  • The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account

Coronavirus and GDPR – the Belgian authority weighs in:

  • Public health is paramount and prevention and the right to privacy are not incompatible.
  • Follow the instructions of the competent authorities so that all measures taken are proportionate.
  • Even in the context of taking preventive health measures, the general principle is that any processing of personal

Coronavirus and GDPR, the Spanish AEPD weighs in:

  • Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
  • Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread,

Italy, which is currently dealing with the most serious COVID-19 outbreak in Europe, weighs in on health data and GDPR.

Employers should NOT:

  • systematically collect (e.g. through specific requests to employees or unauthorized investigations) information on the presence of any flu symptoms or travel of employees or closest contacts.
This means do not:
      • collect