Processing health data
Some of the measures and steps that are required to be taken in light of the COVID-19 pandemic will inevitably involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
For health bodies
Data protection law does not stand in the way of the provision of healthcare and the management of public health issues.
For health bodies, including public health, there are specific conditions in the data protection law that makes such processing, which includes disclosures, lawful. (See paragraphs 2 and 3 of Schedule 2 to the Implementing Regulations)
The processing of that personal data is still subject to appropriate safeguards, and must comply with the data protection principles, unless there is good reason not to.
Accuracy, accessibility and security of personal data remains imperative.
The data protection law will not be infringed if:
- the Public Health Directorate seeks relevant information from employers about staff;
- details of positive tests are communicated to a patient’s GP, particularly if this will assist in identifying any key front line staff who may have come into contact with that patient and, therefore, present a further contamination risk.
For non-health bodies
Employers and other organisations do have a general obligation to protect the health of their staff/volunteers etc.
Most people are now required to self-isolate for three weeks from this evening (26 March 2020)
If you do have staff working, it may be reasonable for you to ask staff if they have returned to the Island recently or whether they, or others close to them, have experienced coronavirus symptoms.
You do not necessarily need to know where they have been, or record what symptoms they have - in most cases a Yes/No answer may be sufficient.
But, if you do ask for specific health information you must:
- Not ask staff for more health information than is necessary and proportional to the specific working circumstances;
- Make sure that the personal data you hold is accurate;
- Have appropriate measures in place to protect any health information you collected from unauthorised access or loss, etc, whether this is held in paper format or electronically;
- Not keep that health information for any longer than is necessary; and
- Explain to staff what health information you need from them and why, and how long it will be kept.
If a member of staff becomes ill with coronavirus symptoms, you might need to tell their colleagues. However, that doesn’t mean that you need to give out their name or post their name on a notice board.
You should also review the guidance issued by the Public Health Directorate and Isle of Man Government as some might apply directly to employers.
If the Public Health Directorate seeks information from you about the health of your staff in connection with the coronavirus outbreak, there is nothing in the data protection law that prevents or prohibits you from providing relevant, accurate, information to that body.