18 May Processing personal health data in work settings due to the COVID-19 emergency
By Juan David Gutiérrez y Fery Cure
Due to the sanitary emergency caused by COVID-19, companies and government organizations must follow strict biosecurity protocols issued by the Ministry of Health and Social Protection. These protocols create responsibilities for employers, contractors, employees and contractees, even if the last two types work from home or in a remote setting. The aim of these protocols is to mitigate, control and prevent the spread and to give adequate treatment to the COVID-19 pandemic.
To pursue these objectives, the Ministry adopted the “General biosecurity protocol during the sanitary emergency” through the Resolution 666 of 2020. This protocol applies to all economic and social activities and to the public administration sectors. The latter without prejudice that the Ministry issues special protocols for each sector, such as the “Complementary Protocol for activities of maintenance and repair of computers and media equipment, furniture repair and home, washing and cleaning accessories”, that was adopted through the Resolution 737 of 2020.
COVID-19 has had implications with respect to the necessity and obligation of processing personal health data. Specifically, article 3 of the Resolution 666 of 2020 and sections 4, 5, 6 and 7 of the General Protocol, establish rules relative to the management, monitoring and report of the sensitive personal data of employees, contractees and third parties. For example, companies and government organizations must make sure that they have information about the “health status” of their employees, measure the temperatures of those who want to enter their premises (they cannot allow the entrance of those who have fever of 38 degrees Celsius or above), and must send reports with this data through the CoronaAPP.
In summary, the biosecurity protocols establish new obligations for employers and contractors and those duties include processing personal health data of their employees, contractees and of third parties. All in all, collectors and processors of data must have precaution and process the data in compliance with the law’s parameters of privacy and protection of personal data. Hereafter, we will explain why those rules allow responsible companies and government organizations to process personal health data to comply with the biosecurity protocols, without the need of obtaining previous consent from the data subjects.
¿Why isn’t the data subject’s authorization required for processing their personal health data in the context of the COVID-19 emergency?
In Colombia, by general rule, processing personal data requires a previous, explicit, free and informed authorization from the data subject (Article 9 of Law 1581 of 2012). Furthermore, with regards to sensitive data, meaning, data that affects the intimacy of the data subject, such as data related to the health status (Article 5 of Law 1581 of 2012), its processing is prohibited except for the cases listed under article 6 of Law 1581 of 2012, in compliance with the additional requirements stated in article 18.104.22.168.2.3 of Law 1074 of 2015.
Article 6 of Law 1581 of 2012 authorizes to process sensitive data in specific cases in which the law explicitly states that the previous authorization is not required. Article 10 of Law 1581 of 2012 establishes five situations in which an authorization from the data subject isn’t necessary. For the matter in question, literal (c) of the aforementioned article is pertinent: cases of medical or sanitary urgency. This rule exempts from fulfilling the legal duty of obtaining an explicit and previous authorization from the data subject, regarding the processing of his or her personal health data in the context of the COVID-19 emergency.
The Constitutional Court clarified that the exemption contained under literal (c) of Article 10 considers two different situations. Firstly, when it isn’t possible to obtain the data subject’s authorization. The second, when it is particularly difficult to obtain the authorization, given the circumstances of urgency, risk or danger for other fundamental rights, whether from the data subject or from third parties. Hence, the law waves the companies and government organizations from the obligation of obtaining the previous, explicit, free and informed authorization for processing of personal health data required to address the sanitary emergency.
The aforementioned position concurs with the statements published by the Colombian Personal Data Protection Authority, the Superintendence of Industry and Commerce, in its website and through the External Notice 01 of 2020. Through this External Notice, the Superintendence authorized cell phone operators and private entities to supply personal data to public authorities with the aim of handling, preventing, treating or controlling the spread of COVID-19 and mitigate its effects. In other words, the same goals of the biosecurity protocols.
Therefore, its plausible to conclude that it’s legitimate for companies and government organizations to process personal health data in work settings without the requirement of obtaining an authorization from the data subject, keeping in mind that the aim must always be to comply with the biosecurity protocols, and in general, preventing the spread of COVID-19.
Sensitive personal data processing must comply with the law
Even with the rules that allow to process personal data without requiring the data subject’s authorization, Article 10 of Law 1581 de 2012 points out that those who access the personal data must comply with the other requirements established in the law. The Constitutional Court declared valid this article under the understanding that even in cases that don’t require an authorization, the use of the data must comply with all the principles and limitations established in the law, and can’t be interpreted as an open authorization to accessing personal data without the data subject’s consent. In the case of personal health data, it’s especially relevant to comply with the principles of finality, veracity, access and restricted movement, security and confidentiality, enshrined in article 3 of Law 1581 of 2012.
The Superintendence of Industry and Commerce pointed out that the data must be protected according to these principles and government organizations must adopt measures that guarantee the principles of security, restricted movement and confidentiality of information. Also subsection 4.1. of the General Protocol, established that the report of suspicion or contact with infected persons has to be managed in a confidential manner.
Ten specific recommendations
To conclude, below we offer ten specific recommendations to comply with the personal data processing principles:
- Authorized personnel for processing personal data have to be trained and informed about the duties and limitations that imposes the data protection legislation.
- The processing of the data has to be done in accordance with the aims contained in the protocols.
- Protect the data with technical, administrative and human security measurements, to avoid losing information or unauthorized access.
- Adopt mechanisms to ensure that the channels used to share the information, especially the one that is sensitive, are private and secure.
- Ensure that the personal data contained in the databases is accurate, complete, exact, actual, verifiable and comprehensible.
- Avoid transferring personal health data to persons or entities different from those contained on the regulations and biosecurity protocols.
- Control the number and profile of those within the organization that have authorization to access the data.
- Establish additional protection measurements for all sensitive data, such as personal health data. In a recent study about personal data security published by the Superintendence of Industry and Commerce, it was reported that 79% of private organizations don’t conduct security controls with regard to sensitive information. The Superintendence stressed that the security measures have to be directly proportionate to the volume of the information and nature of the database. Due to the preventive character of the security principle, the collectors and processors must identifytheir vulnerabilities to implement and reinforce their security measures.
- Subscribe confidentiality agreements with those who have access to the data due to their work positions (if the contracts that previously bind them don’t have adequate confidentiality clauses).
- Inform the Superintendence of Industry and Commerce in a timely manner about incidents of security that may arise.