A. Vital Interest and massive personal data sharing
With the scary spread of COVID-19, data protection is not typically everyone’s number-one concern, and rightly so. However, this is a good opportunity to discuss the role of data protection in epidemiology and major public health disasters of this kind, and I’m sharing this in the hope that it is interesting, or – if you work with relevant organizations – useful, or both.
The single most important point in GDPR terms is the Article 6(1)(d) which states that processing is lawful if “necessary in order to protect the vital interests of the data subject or of another natural person.” For special categories of data, Article 9(2)(c) similarly provides that processing is lawful where “necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.” For now I won’t dwell on the consent caveat.
Hospitals, researchers, ministries of health, law enforcement and others within countries and across borders are sharing data on an unprecedented scale in order to stave the spread of COVID-19, and best practice indicates the massive unfettered sharing of data is critical. In China, health authorities and a range of other relevant organizations such as airlines, rail operators, and property management companies, have been sharing data to help identify people who have come in contact with infected persons and may be spreading the disease.  Along the way there have reportedly been a number of data breaches, and the Chinese data protection authority issued clarifications in this regard, highlighting the purpose limitation of such data processing, and the importance of protecting privacy to the extent possible while using the data for disease prevention.
B. Publicly sharing Data
Aside from organizations sharing data directly, there have been several initiatives to make data readily available to anyone with an interest. The Lancet has built a centralized repository of information on confirmed COVID-19 patients. The repository is hosted in a Google sheet, open to the public, and contains age, location, gender, symptoms, onset dates, travel history. For example, one database states (the details are slightly modified to make them false and not re-identifiable) that a 32 year-old female from a town in Reggio Emilia, in Italy, tested positive, on her return from China on February 3, 2020, and had eye-irritation and fever. In light of much research on re-identifiability of data, and WP29’s Opinion 216, it seems probable that the true record is pseudonymous, not anonymous. The population of the town is currently around 10,000, so re-identification ought to be fairly straightforward. The data is shared publicly because of the enormous benefits to mankind from accessing this data. However, it is still personal health data, and is governed by the ‘vital interest’ lawful basis. This means, for example, that using the data would only be lawful to someone acting in the vital interests of the data subjects or others; curiosity would not constitute a vital interest, and nor, presumably, would writing data protection insights on COVID-19.
The Lancet database states: “Information is collated from a variety of sources, including official reports from WHO, Ministries of Health, and Chinese local, provincial, and national health authorities. If additional data are available from reliable online reports, they are included. Data are available openly and are updated on a regular basis (around twice a day).”
GDPR seems to have expressly contemplated this kind of processing. In particular, GDPR Recital 46 states that the vital interest lawful basis may apply “for monitoring epidemics and their spread”: “The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.” Note the ‘necessity’ clause. The processing must be essential for the life of people. Therefore, whomsoever uses the data for that purpose is within the lawful basis, but others, such as the present author, are not.
C. Public Interest lawful basis
GDPR in Article 9(2)(g) specifically allows processing of health data where “necessary for reasons of substantial public interest, on the basis of Union or Member State law”. GDPR allows member states and union law to derogate from the prohibition on processing special categories for personal data (Recital 52), not for any public interest, but for substantial public interest, such as: “…the prevention or control of communicable diseases and other serious threats to health.” In other words, prevention of communicable diseases are suitable grounds for member states to derogate from the Article 9 prohibition. In that spirit, the Irish Data Protection Act 2018, section 53 states: “the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including… protecting against serious cross-border threats to health”.
In other words, Article 9(2)(g) will apply in the present instance. The UK’s Data Protection Act 2018 adds a caveat (Schedule 1, Part 1, section 3): the processing must be “necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.” So under the UK’s DPA the substantial public interest basis in such a case may only be claimed by a health professional or another person with statutory confidentiality requirements. Airlines, for example, may not be able to rely on this basis.
D. International transfer
Finally, the data sharing is not just regional or national, but cross-border. This was anticipated by GDPR in Article 49(1)(f), which allows international transfer with no other mechanism (standard contractual clauses, adequacy etc) for protection of vital interests. Article 49(1)(d) provides a ‘public interest’ derogation, and Recital 112 explains that member states’ derogations in the public interest could include transfers made for reasons of “public health, for example in the case of contact tracing for contagious diseases…”. So GDPR has a mechanism to enable not only massive sharing of personal data for fighting COVID-19, but also cross-border sharing.
GDPR sets the stage for major cross-border sharing of personal health data, based on vital interest and public interest. As the COVID-19 drama unfolds, it is evident that some pretty extreme scenarios anticipated in GDPR have now come to pass, and GDPR seems to have struck an effective balance in enabling relevant parties to do their work in fighting the spread of the virus, all whilst placing reasonable checks on the data, and its abuse. Thus anyone not able to rely on those lawful bases, will be in violation of Article 9 if they process personal health data.
Finally, as with the Ebola outbreak, this COVID-19 crisis promises to provide some very important lessons in the role of data, data protection, and data sharing, which will hopefully help ensure optimal responses to such outbreaks in the future.
* * * * *
Reminder: this isn’t legal advice.References:
 David L Heymann ‘Data sharing and outbreaks: best practice exemplified’ 395 Lancet 469-470, February 15, 2020. https://www.thelancet.com/action/showPdf?pii=S0140-6736%2820%2930184-7
 See Ohm’s now old article on the subject: Paul Ohm ‘Broken promises of privacy: responding to the surprising failure of anonymization’ 57 UCLA LRev 1701 (2010); by contrast, a very interesting approach is in Miranda Mourby et al, ‘Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK’ Computer Law and Security Rev 34:2, 2018, pp. 222-233. https://www.sciencedirect.com/science/article/pii/S0267364918300153
MA (Cantab), LLM, MBA (Stanford), FIP, CIPP/E, CIPM