What should employers consider when handling COVID-19 related personal data? The main message from authorities is that data protection rules (such as the GDPR) do not hinder measures taken to combat COVID-19. We have gathered the key information on a colorful COVID-19 & Privacy infographic. You can download the infographic here.
Data protection authority guidance
During the pandemic, national authorities are advising citizens and companies. This blog is aimed at Finnish employers and refers to Finnish legislation concerning the processing of health data and employee data. If you are located outside Finland in another EU country, the European Data Protection Board is still relevant. Please also check your local data protection authority guidance. We have included some links below.
Keep checking the guidance regularly – it may be updated as the situation unfolds.
- Finland: The Finnish data protection ombudsman's office has published a helpful press release that gives specific guidance on the processing of COVID-19 related employee data. They have also published Frequently Asked Questions in Finnish.
- Denmark: Hvordan er det med GDPR og coronavirus?
- The Netherlands: Mijn zieke werknemer
- Sweden: Coronaviruset och personuppgifter
The European Data Protection Board has also released a concise and informative COVID-19 statement, which includes information on the lawfulness of processing, the use of mobile location data, and employment issues.The Finnish of the data protection ombudsman's has a compact explanation of the processing of special categories of personal data on their website.
Necessity & proportionality
The question of whether personal data processing is necessary and proportional to what it tries to achieve is always relevant, but especially now. The European Data Protection Supervisor has published a Tool Kit for weighing the necessity and proportionality of processing.
Security is one of the privacy cornerstones, but sudden changes in working practices may weaken it. Cybercriminals are taking advantage of the COVID-19 situation. Social engineering and phishing attacks are a concern, and they can be highly imaginative such as this Corona-themed one, disguised as World Health Organisation guidance.
Many of us are remote working, and for some, the applications and processes are new. Employers should check that the security of the processes and applications is at a good level concerning the personal data handled in them. Employees may also need extra training and guidance regarding personal data handling in this difficult circumstance.
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.