Recent efforts to test for and trace COVID-19 have raised growing concerns over data protection and personal privacy in the wake of the global pandemic. The aim of these measures is to help us navigate the difficulties so that we can return to normal life as soon as possible, but at what cost? With reference to several media statements and responses issued by the Privacy Commissioner for Personal Data, Hong Kong (the “Privacy Commissioner”) since the outbreak of the COVID-19 pandemic, this article attempts to summarise what the Personal Data (Privacy) Ordinance (the “PDPO”) expects when it comes to balancing privacy rights and public health and safety.
PDPO at a glance
The PDPO is applicable to both the private and the public sectors. The general position is that all data users shall comply with the six Data Protection Principles (“DPP”) when handling personal data:
1. Collection Purpose & Means
2. Accuracy & Retention
6. Data Access & Correction
Privacy vs. health and life
While data privacy is an important right, the interests protected under the PDPO have to be balanced against other important rights or the public interest. The PDPO provides a number of exemptions from some compliance requirements under particular circumstances. When it comes to compelling public health concerns, the following are applicable:
- Section 59 of the PDPO provides that situations involving health concern relating to the interests of the public may be exempt from the restrictions on the use of data; and
- “Right to life” of individuals, as set out in (i) Article 2 of Part II of the Hong Kong Bill of Rights Ordinance and (ii) Article 6 of the International Covenant on Civil and Political Rights (ICCPR), means that every human being has the inherent right to life. This right is absolute and precedes other countervailing interests, including privacy right.
Privacy issues considered
1. Mandatory quarantine measures
Location data of persons under quarantine would be collected by the Government so as to monitor whether they are complying with the quarantine conditions. Prior to the collection of such data and in accordance with DPP1, the purpose and manner of collection will be explained to the persons under quarantine and their consent will be obtained for access to their relevant personal data and certain information to be transmitted from their mobile devices (e.g. data involved in the use of video calls).
The Privacy Commissioner also drew the public’s attention to section 59(1) of the PDPO, which provides an exemption from DPP3, i.e. use of data, and states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, the data user may disclose personal data relating to the physical or mental health of the data subject to a third party without the consent of the data subject.
2. Universal community testing programme
Personal data (including names, Hong Kong Identity Card numbers / birth registration numbers and local mobile phone numbers) will be collected under the programme. The use of such personal data is subject to the consent of the participants and is consistent with the principles of purpose specification and use limitation. Personal data will be handled on a “need-to-know” basis and erased one month after completion of the programme.
3. The use of information on social media for tracking potential carriers of COVID-19
Though the general rule is that personal data obtained from social media is also regulated by the PDPO, it is subject to competing rights or interests such as the right to life. In accordance with section 59(2) of the PDPO, where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject. Therefore, if persons are suspected of having had close contact with infected persons, it would be in the public interest to closely monitor their whereabouts, including the venues and the persons that they have visited and contacted, with the aim of controlling further spread of COVID-19 in the community.
There are sufficient legal and justifiable bases on which the Government may collect and use information obtainable offline or online with the aid of devices, applications, software or supercomputers with a view to tracking potential COVID-19 carriers or patients in the interests of both the individuals concerned and the public.
4. Temperature collection at work
Employers have a legal and corporate responsibility to protect the health of their employees and visitors, so it is generally justifiable for employers to collect temperature measurements or limited information on COVID-19 medical symptoms of employees and visitors solely for the purposes of protecting the health of those individuals. Employers should spell out to their employees how the data collected will be handled. A self-reporting system is preferred to an across-the-board mandatory system where health data is collected indiscriminately.
It is reasonable and justifiable for employers to collect temperature measurements or the medical condition of employees and visitors. Employers can require employees to complete a declaration on personal health data as long as the notification requirement under the PDPO (by providing a Personal Information Collection Statement (PICS) to inform employees of the data collected and the purposes, and the classes of persons to whom their data may be transferred) is complied with. In accordance with section 59 of the PDPO, employers can disclose the identity, health and location data of individuals to the Government or health authorities solely for the purposes of tracking down and treating the infected and tracing their close contacts when pressing needs arise.
5. Work-from-home arrangements
Personal data protection should not hinder work-from-home arrangements, but employers and employees should exercise extra caution because of the transfer and use of documents and data away from the professionally managed work environment.
While employers should put in place information systems to ensure secure transmission of data from work to home, employees should be vigilant about the security of their internet connection to prevent data leakage.
6. Temperature/personal data collection at premises
The Privacy Commissioner has pointed out that collection of personal data and/or temperature data by owners of premises is justifiable. They should, however, endeavour to raise the transparency and interpretability of the use of the personal data obtained. Again, the Privacy Commissioner pointed out that the right to privacy is not an absolute right and that the right to life and the public interest precede it. Any personal data collected should be necessary, appropriate and proportionate.
To comply with the DPPs, the owners of premises should ensure visitors are informed of the purpose of data collection and let them decide whether to allow the collection of their biometric data. If visitors refuse to provide information, the owners of premises may refuse entry to protect the health of their staff and others.
Facing the pandemic, it is important to bear in mind that personal data privacy has not been neglected altogether. However, data protection principles should not hinder measures taken to fight COVID-19. The measures undertaken by the Government in balancing privacy right and public health needs have been endorsed by the Privacy Commissioner. Business owners and individuals should continue to observe the DPPs as far as practicable and display best efforts in complying with the requirements under the PDPO.
This newsletter is for information purposes only. Its content does not constitute legal advice and shall not be treated as such. Stevenson, Wong & Co. will not be liable to you in respect of any special, indirect or consequential loss or damage.