Everything is changing on the fly throughout COVID-19, leaving many questions up in the air. So how exactly does contact tracing fit within existing legislation like the GDPR?
For the longest time, it’s been accepted that there are some questions your employer should not be asking of you. Let alone for any business to be gathering information about your current health conditions and associations with other people.
However, with the ongoing COVID-19 pandemic, information about your health, who you have been around and even tangible personal data such as your temperature or places you visit has become a necessity to divulge.
While many have accepted this necessity as a reality of the times in which we find ourselves, this is now taking place against a backdrop of far tighter and more stringent data privacy regulation.
In 2018, businesses everywhere had to thoroughly review and revise their data privacy processes, with the European Union (EU) introducing the General Data Protection Regulation, commonly known now as the GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a statute that aims to protect the personal information of EU citizens. It’s a legal framework that offers guidelines on how to collect and process an individual’s private information for organizations.
And it’s out to revolutionize the way businesses handle customer data.
Fundamentally, it is a set of rules designed to give EU citizens better control over their personal data. It also promises to streamline the regulatory environment for businesses so that everyone can benefit from the exciting new digital economy.
These reforms are meant to reflect the needs and changing obligations of people and businesses in an increasingly digital world. It governs issues related to privacy, consent, and personal data to bring Europe up to speed with the age of the internet.
The legislation applies to all businesses that target the EU citizens. It also levies hefty penalties against those who infringe the privacy and security requirements. And therein lies the most pressing issue for businesses. The legislation is all-encompassing when it comes to determining if a business is ‘targeting’ EU citizens.
How does contact tracing data fit within the GDPR?
The COVID-19 outbreak has upended almost everything economically, socially, and politically as businesses scramble to gather information to control and prevent disease spread, particularly for contact tracing.
Contact tracing is a method to identify, monitor, and follow up with the people affected with the virus, or the individuals who have been in close proximity with an infected person. However, it echoes the concerns of health information privacy that can expose the personal information of millions of Europeans.
However, that should not be an issue if principles set forth by GDPR are followed properly. It is important for businesses to consider how they can apply these principles as they develop and implement their COVID-19 response measures.
Make sure you incorporate the following tenets into your COVID response and any contact tracing practices to ensure that user data is protected at all times. Ensure you meet GDPR guidelines and safeguard your business against the consequences of risking customer data.
Transparency about purpose
Elaborate on the purpose — is the data only meant to be used for proximity alert, or does it have a broader usage along the way. It should be clearly explained if there are additional purposes as well, if any.
Collect only necessary personal data
Collect as little data as possible, making sure you only extract and store information that is critical to achieving your purposes.
If you decide to use a different approach, make sure you have a good explanation for why you have taken a particular idea and the measures you’ll take to ensure that it will not pose risks to the users.
Give users control over their data
Make sure there is a process in place for customers to view data you have collected about them. It is crucial you are transparent about the data you have stored.
Voluntary, opt-in use
Finally, there should be clear communication about contact tracing data collection. With visitors provided the opportunity to opt-in, or otherwise not attend.
What are the risks of contact tracing for businesses?
While contact tracing is crucial in response to the epidemic, the risks associated with it pose serious business threats.
Contact tracing mandates the collection of an immense volume of confidential information about everyone, from employees to contractors and visitors. Simultaneously, businesses need to ensure their practices are GDPR compliant and protect sensitive information about the employees.
Here are two of the chief potential risks of contract tracing that businesses should consider:
Cybersecurity threats of contact tracing
Companies are responsible for the entire data collection process, from collating to storing to managing employee-related health information. Companies must consider cybersecurity risks.
With the World Health Organization information reporting a fivefold rise in cyber attacks since the COVID-19 outbreak, sensitive data held by organizations is at risk. Therefore, protecting it from these attacks is a serious concern and consideration for businesses managing contact tracing data.
Beyond the risk of cyber attacks, companies also need to be vigilant about their employees’ information privacy. Maintaining compliance when collecting employee health information is an intricate matter. There is a raft of legislation across multiple jurisdictions that organizations must abide by to safeguard sensitive information.
The European Data Protection Board (EDPB) states the specifics of how employers should only collect, access, and process the health data if their legal pact requires it.
Furthermore, contact tracing that contains health-related data must also comply with privacy laws. You must consider the likes of OSHA, HIPPA, and GDPR, which is challenging for businesses as they need to understand these legal frameworks to follow it.
Make contact tracing a reality with Sine
It is crucial to create a secure and safe space for your employees and your visitors. Especially given the COVID-19 outbreak.
Ensuring that employees and visitors health-related information collection process meets the guidelines and follows the legal requirements, and comply with the GDPR, HIPAA, etc. often create a complex risk and compliance landscape for businesses.
Sine’s visitor management system can help you automate contact tracing and implement it securely and safely so you can enhance workplace protection with state-of-the-art COVID-19 related screening features.
Scan QR code, prescreen visitors, contactless tracking, contact tracing check-in. Sine lets you do it all while ensuring your business stays safe and compliant with all the necessary legal framework.
Sine is a GDPR compliant company that protects your employees and visitor’s wellbeing. We achieve this while also equipping you with appropriate screening tools and equipment to meet these the guidelines.