Data protection and limiting the spread of coronavirus
Data protection legislation does not restrict public health measures or the prevention of infectious diseases, but must still be taken into account in the processing of personal data. Public and private organisations have begun taking measures to limit the spread of coronavirus COVID-19 and mitigate its effects. Some of these measures may involve the processing of personal data.
Finland’s legislation permits the processing of personal data for the purpose of treating and preventing serious infectious diseases. In other words, processing personal data to combat COVID-19 is permitted.
The processing of personal data must always be necessary and proportionate.
The General Data Protection Regulation provides for numerous rights related to data protection, including the right of access to your personal data.
Processing the personal data of employees
If personal data is processed at the workplace in relation to COVID-19, the employer is required to follow the laws applying to such processing.
Health data belongs to the special categories of personal data that require specific protection. Health data refers to information about an individual’s health, diseases, disability or treatment.
- The information that an employee has contracted coronavirus is health data.
- The information that an employee has returned from a risk zone is not health data.
- The information that an employee is in quarantine (without specifying the reason) is not health data.
All of the above-mentioned information is personal data, however, and data protection legislation thus applies to its processing. In addition to the EU’s General Data Protection Regulation (GDPR), the processing of employees’ personal data is subject to the Act on the Protection of Privacy in Working Life. The Act on the Protection of Privacy in Working Life specifically provides for the processing of health data and stipulates that the personal data of employees may only be processed when necessary. The Contagious Diseases Act and other legislation related to occupational safety may also apply.
Notifying employees of potential infections
An employee’s health data may only be processed by people whose job description includes such processing. The employer must either designate such individuals in advance or specify the tasks that involve processing health data. Individuals who process health data are subject to a confidentiality obligation.
If an employee is diagnosed with COVID-19, the employer may not, as a rule, name the employee in question. The employer can inform other employees of the infection or potential infection in general terms and instruct them to work from home.
Informing third parties about the potential infection of a specific employee
The employer is under an obligation of confidentiality concerning the health data of employees. If necessary, the employer can inform third parties in general terms and according to the organisation’s practices that the employee is prevented from carrying out their duties. If an employee is diagnosed with COVID-19 or placed in quarantine, the employer may not, as a rule, name the employee in question.
Data protection legislation only applies to the processing of personal data from which individuals can be identified. As a rule, an organisation’s other communications are not subject to data protection legislation.
Up-to-date information on limiting the spread of coronavirus COVID-19
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi