Processing health data

Some of the measures and steps that are required to be taken in light of the COVID-19 pandemic will inevitably involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).

For health bodies

Data protection law does not stand in the way of the provision of healthcare and the management of public health issues.

For health bodies, including public health, there are specific conditions in the data protection law that makes such processing, which includes disclosures, lawful. (See paragraphs 2 and 3 of Schedule 2 to the Implementing Regulations)

The processing of that personal data is still subject to appropriate safeguards, and must comply with the data protection principles, unless there is good reason not to.

Accuracy, accessibility and security of personal data remains imperative.

The data protection law will not be infringed if:

For non-health bodies

Employers and other organisations do have a general obligation to protect the health of their staff/volunteers etc.

Most people are now required to self-isolate for three weeks from this evening (26 March 2020)

If you do have staff working, it may be reasonable for you to ask staff if they have returned to the Island recently or whether they, or others close to them, have experienced coronavirus symptoms.

You do not necessarily need to know where they have been, or record what symptoms they have - in most cases a Yes/No answer may be sufficient.

But, if you do ask for specific health information you must:

If a member of staff becomes ill with coronavirus symptoms, you might need to tell their colleagues. However, that doesn’t mean that you need to give out their name or post their name on a notice board. 

You should also review the guidance issued by the Public Health Directorate and Isle of Man Government as some might apply directly to employers.

If the Public Health Directorate seeks information from you about the health of your staff in connection with the coronavirus outbreak, there is nothing in the data protection law that prevents or prohibits you from providing relevant, accurate, information to that body.