As the spectre of coronavirus continues to haunt many countries around the world, data protection issues raised by the virus may not be at the forefront of people’s minds when considering the impact of the COVID-19 crisis. However, as the global pandemic approaches its first anniversary (a milestone unlikely to be celebrated by anyone), it is clear that individuals’ personal data is being used in various ways that were not envisaged only a year ago, which may raise concerns for data subjects and regulators alike.
One example of an unexpected use of personal data has recently arisen in Spain. At the end of December 2020, the Spanish health minister, Salvador Illa, announced in a television interview that, although it will not be compulsory to receive the vaccination in Spain, Spain is planning to establish a register of individuals who refuse to be vaccinated against COVID-19 and share it with other European countries. Notwithstanding the fact that Mr. Illa has stressed that this “will be done with the utmost respect for data protection,” the news of the proposed register may trigger alarm bells amongst privacy activists. Care will need to be taken to ensure that the collection and use of personal data in connection with this and any similar registers that are established complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) and any other applicable data protection requirements.
The Spanish government will need to consider various issues to ensure compliance with applicable data protection legislation. First, any personal data of Spanish citizens used in connection with the proposed register will need to be processed fairly, lawfully and transparently. Mr. Illa has confirmed that Spain plans to share the proposed register with other European nations, but that it will not be made available to employers or be made public. Consideration will need to be given as to whether the sharing of such data with other EU countries is necessary, proportionate and fair.
In particular, the Spanish government will need to ensure that it is able to rely on an appropriate legal basis for processing any personal data collected. As data concerning health is involved, an additional legal basis for processing special category health-related data will also need to be relied upon, and any more stringent requirements that apply to the protection of such special category data should also be complied with.
Possible legal bases for processing any non-special category data include the fact that, arguably, the processing is necessary for the performance of a task carried out in the public interest. Possible legal bases for processing any special category health-related data include the fact that, arguably, the processing is necessary for reasons of substantial public interest, or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
Pursuant to the GDPR, it will also be important to ensure that any personal data collected in connection with the proposed register is only used for specified, explicit and legitimate purposes and is not further processed in any way that is incompatible with those purposes. Mr. Illa has reportedly commented that “People who are offered a therapy that they refuse for any reason, it will be noted in the register … that there is no error in the system, not to have given this person the possibility of being vaccinated,” suggesting that the purpose of the register is to ensure that no Spanish citizens are inadvertently omitted from the vaccination program (although the register’s proposed purposes may be wider than that).
Additionally, safeguards will need to be in place to ensure that the information included in the register is not used for any other purposes incompatible with the stated purposes (for example, if the purpose of the register is solely to ensure that no Spanish citizens are inadvertently omitted from Spain’s vaccination program, it is unclear, on the face of it, why details of the register would need to be shared with other EU nations). A key element here will be ensuring that the register cannot be used in a discriminatory manner in respect of individuals who have refused the vaccine. For example, women trying to conceive and expectant and nursing mothers may be justifiably reluctant to be vaccinated at the time that the vaccine is first offered to them, due to any currently unknown risks of the vaccine to unborn children and nursing infants, and should not suffer detriment as a result of such refusal.
Further, the register should only include personal data that is adequate, relevant and not excessive for the purposes for which the data is processed; in other words, the data minimization principle must be respected. Although it may be desirable to collect personal data that may be interesting in addition to what is necessary for the purposes of the register, this temptation should be resisted. The register will also need to be accurate and, where necessary, kept up to date.
Another significant issue to be considered is the question of personal data retention. The length of time that is proposed for the register to be maintained and any personal data retention periods will need to be justifiable. As a general rule, any personal data included in the register would only be able to be kept for as long as is necessary for the purposes for which the personal data is processed.
The issue of security of any personal data that is included in the register will also be critical. As noted above, the Spanish government is not planning to share details of the register with employers or to make the register public. However, the register includes personal data that may well be of great interest to certain third parties, so it will be important to ensure that any personal data included in the register is secure. Potentially, individuals whose personal data is included in the proposed register could suffer damage and distress if such data were to be widely disclosed, particularly if the individuals’ reasons for refusing the vaccine were not clear (e.g., if details of the register were to be obtained by pro-vaccine activists).
Notwithstanding the fact that it is the Spanish government who is planning to establish this register, the issues set out above (together with certain other relevant considerations, such as the requirement to carry out data protection impact assessments and ensuring that data subjects’ data protection rights are respected) will apply to any data controller who is collecting (or planning to collect) data subjects’ personal data for purposes connected with the coronavirus pandemic. Any personal data, especially health-related personal data, collected or used for any purpose in connection with the COVID-19 crisis should be handled fairly, proportionately and transparently and in accordance with all applicable data protection rules. While the UK Information Commissioner (ICO) has made it clear that its regulatory approach during this gravest of public health emergencies will be pragmatic, proportionate and flexible, it has also made clear that it will not hesitate to take action against any data controllers attempting to exploit the situation by misusing personal information or breaching data protection laws to take advantage of the pandemic.