The restrictions that have been implemented by most governments to tackle the COVID-19 pandemic have affected various sectors of the economy and changed the way most businesses operate.
Many companies have switched to remote working to minimize personal contact to the extent possible. As a result, the intensity and volume of the data flow inside organizations has risen dramatically, making data protection compliance as compelling as it was at the end of May 2018 when the General Data Protection Regulation (GDPR) became effective.
Let’s have a closer look at how the Ukrainian data protection framework and the country’s regulatory authorities are dealing with some of the most crucial issues put on the agenda by COVID-19.
Lawfulness of Processing
Under the general rule, processing of personal data (including health data) requires the consent of individuals whose personal data is processed. In addition, processing of health data, which has a higher level of legal protection by operation of law, requires that the Ukrainian Parliament Commissioner for Human Rights (the “Regulator”) be notified.
Nevertheless, health data may be processed without the consent of an individual if, for example, processing is necessary for the due performance of the controller’s statutory obligations or to protect the vital interests of the individual whose data is processed.
In addition, processing of health data does not require the obtaining of consent if it is required for public health purposes and where the processor has a medical license or is a medical worker or a person employed with a medical institution.
Position of Regulator?
Although most European data protection authorities have issued official positions on whether certain health data (e.g., body temperature, the fact of having tested positive for COVID-19, etc.) may be collected/processed without consent based on the public interest or other exemptions, the Regulator, so far, has remained silent.
Given the nature of the COVID-19 crisis, the requirement to notify the Regulator of the processing of health data appears to be quite burdensome and even impractical for some processors. As a result, some of them have approached the Regulator asking whether this requirement may be temporarily lifted.
While the Regulator has not yet announced its official position, we expect it to follow a general trend set by most data protection authorities, acknowledging the challenges raised by COVID-19 in terms of managing data protection and information security matters, but eventually reinforcing the view that the relevant laws should still apply.
Further Course of Action
While the Regulator has not yet provided any guidance on how to deal with the data compliance challenges caused by COVID-19, we have a few recommendations on how to deal with some of these challenges.
We recommend checking the subject matter of consents the company has already obtained. This may be especially relevant in relations between employer and employees. Most likely, such consents do not cover health data which the employer may collect and/or process through, for example, the use of thermal cameras. If this is the case, the processing of health data of such employees requires obtaining a separate consent (as the purpose of the initial processing has changed).
The employer may inform employees of the fact that other employees have tested positive for COVID-19, and of their potential exposure. However, the employer should not disclose the identity of infected employees to their colleagues.
While the regulatory framework addressing information security matters remains quite undeveloped, we recommend that companies act responsibly and proactively by applying best practices without external stimulus.
It is easier to develop a solid IT infrastructure and introduce relevant policies within the company in advance, thereby reducing the risks attached to email scams, social engineering, and so on, than to refrain from doing so and await potentially adverse consequences.
While it is hard to predict how long COVID-19 and the relevant restriction measures will last, it is important to see the opportunities attached to such challenging times.
Shifting to remote work may be a good test for companies’ IT systems and personal data compliance policies. This change may either show the areas for improvement or, on the contrary, confirm that the internal business processes are flexible and can be easily adjusted even to the realities of COVID-19.
By Mykola Stetsenko, Partner, and Dmytro Symbiryov, Senior Associate, Avellum