Media Statements

Date:30 March 2020

Fight COVID-19 Pandemic
Guidelines for Employers and Employees

The ongoing outbreak of COVID-19 has created concerns for employers who are asking whether they are permitted to collect health data about their employees to help monitor and prevent the spread of the virus in the workplace and the wider community.  The COVID-19 pandemic also renders many employers and employees working from home and conducting business meetings online, the possible personal data privacy breach of which does require vigilant attention.
 
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG said, “The public health and safety of the community in times of the pandemic remains our primary concern.  We should be mindful of the compelling public interests in the current public health emergency when considering compliance with data protection laws, which should not be seen as hindering the measures taken in fighting or combating the pandemic especially when the collection and use of personal data is in the public interest and/or in the interest of public health.”
 
The Privacy Commissioner also stressed, “While we acknowledge that there is legitimate basis for employers to collect additional data of their employees to help control the spread of the disease, the collection and processing of employees’ personal data should be specifically related to and used for the purposes in relation to public health and should be limited in both duration and scope as required in the particular situation.  Additional data to be collected must still adhere to the usual principles such as minimisation, purpose specification and use limitation.  It must be necessary, appropriate and proportionate to the purpose to be achieved.”
 
During the pandemic, many organisations, public and private, have made work-from-home arrangements to reduce social contacts.  This transition would mean more scope for mistakes including lower-tech ones such as theft or loss of portable devices, more strain on information technology staff, and more opportunity for cyber criminals to take advantage by camouflaging password-stealing messages or malware as health alerts.  The Privacy Commissioner called on the employers and employees to stay vigilant during these times. 
 
Can an employer collect temperature measurements or other health data from his employees?
 
Employers have legal and corporate responsibilities to protect the health of their employees and visitors.  In times of COVID-19, it is generally justifiable for employers to collect temperature measurements or limited medical symptoms of COVID-19 information of employees and visitors solely for the purposes of protecting the health of those individuals.
 
What kind of personal data may employers collect, and how can this be done properly?
 
Employers must follow the general rule that the measures taken to collect data should be necessary, appropriate and proportionate. They should seek to process the relevant data in an anonymised or de-identified way. Least privacy intrusive measures should be preferred.
 
Generally speaking, a self-reporting system is preferred to an across-the-board mandatory system where health data is collected indiscriminately. Employers should spell out to their employees how the data collected will be handled. If the collection of such data is not covered by the existing privacy notices, a fresh Personal Information Collection Statement (PICS) must be provided when or before the data collection to inform employees of the data collected and the purposes (e.g. protection of public health), and the classes of persons (e.g. public health authorities) to whom their data may be transferred. It is also a good and ethical practice to inform the employees in the PICS how long the data will be retained by the employer.
 
How about travel history? Can employers ask for travel data of their employees?
 
The Personal Data (Privacy) Ordinance (PDPO) does not prohibit any organisation from collecting ones’ travel data.  Given the escalating number of confirmed cases of COVID-19 locally and globally, and the legal and corporate responsibilities of employers to provide a safe working environment, it is justifiable for employers to ask for travel data from employees who have returned from overseas, especially from those high-risk areas.  Similar to health data, the collection of travel data should be purpose-specific, and minimal data should be collected.  A self-reporting system is preferred to an across-the-board mandatory system.
 
Can the personal data collected be disclosed to other parties, or used for other purposes?
 
Personal data collected by employers for fighting or combatting COVID-19 must not be used or disclosed for other unrelated purposes, unless express and voluntary consent is obtained from the individuals concerned or exemptions under the PDPO apply.
 
For the purposes of protecting public health, it will not be considered as a contravention of the use principle under the PDPO (i.e. DPP3) for employers to disclose the identity, health and location data of individuals to the Government or health authorities solely for the purposes of tracking down and treating the infected, and tracing their close contacts when pressing needs arise. 
 
If an employee unfortunately contracts COVID-19, the employer may notify other employees, visitors and the property management office etc. without disclosing personally identifiable information of the infected.  For example, it is generally sufficient for the employer just to issue a notice with information that it has staff infected. Under most circumstances, disclosure of the name and other personal particulars of an infected employee in the notice will not be considered as necessary or proportionate.
 
How long can the personal data collected be retained?
 
Employers shall permanently destroy the personal data collected for the purposes of fighting or combatting COVID-19 when the purpose of collection is fulfilled, such as when there is no evidence suggesting that any employees have contracted COVID-19 or have close contacts with the infected after a reasonable period of time. 
 
What kind of data security issues relating to employees’ medical or health data should an employer be mindful of?
 
All practicable steps (e.g. storing the data in a locked cabinet, encrypting the data and only allowing authorised personnel to have access to the data) shall be taken by an employer to protect the personal data collected against unauthorised or accidental access, processing, erasure, loss or use.  Adequate data security safeguards are particularly important for medical or health data because it is considered more sensitive and a breach of health data may cause significant harm to the individuals concerned. 
 
More of employees are working from home during the pandemic.  What kind of security measures should employers have in place for homeworking? 
 
Personal data protection should not hinder the work-from-home arrangements, but employers and employees should exercise extra caution because of the transfer and use of documents and data away from the professionally managed work environment. Such change of circumstances may result in incidents ranging from cyberattacks to loss of portable devices.  Cyber criminals may also take advantage of the decentralised workforce and dress up password-stealing messages and malware as health alerts to infiltrate organisations.  Here are some advisable practicable steps to take to safeguard personal data security during homeworking:
 
Before transferring paper or digital files from work to home:

1. Seek prior instructions or approvals from supervisors;
2. Minimise the transfer of data out from the employers’ premises and information systems;
3. Take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss or use, with particular regard to:
   • the kind of data and the harm that could result,
   • the physical location where the data is stored,
   • any security measures incorporated into any equipment in which the data is stored,
   • any measures taken for ensuring the integrity, prudence and competence of persons having access to the data, and
   • any measures taken for ensuring the secure transmission of the data;
4. Redact the personal data / confidential information before transferring out from the employers’ premises;
5. The use of portable devices for data storage and transmission shall only be allowed if prior approval from supervisor is obtained and the documents inside are password-protected;
6. Encrypt digital data;
7. Body-weld the documents or devices during transportation in exceptional circumstances; and
8. Keep proper logs to record the movement of data.

Besides, homeworking employees who are using their own devices should always be cautious and vigilant about the security of internet connection to prevent data leakage. Here are some pieces of security advice:

9. Use Multi-Factor Authentication;
10. Never share the work device’s account with others;
11. Ensure Wi-Fi connection is secure;
12. Regularly change Wi-Fi passwords;
13. Install proper anti-virus software and the latest security patches to the devices;
14. Perform regular system updates for the devices;
15. Choose privacy friendly settings, such as not allowing video recording or audio recording when conducting online meetings.  Disable any attention-tracking functions; and
16. Always authenticate participants in online meetings before start.

Last but not least, when employees encounter suspicious websites or emails, they:

17. Should not click the web links and download documents or applications.  Instead, they should verify their authenticity with the relevant organisations or authorities; and 
18. Double check carefully the content of what they are going to send and the recipients’ identity before sending or uploading documents. 

Other advice issued by the Privacy Commissioner
 
The Privacy Commissioner has issued the following statements advising on a range of privacy issues arising from COVID-19:

• Response to media enquiry on privacy issues arising from COVID-19 dated 21 March 2020
  (https://www.pcpd.org.hk/english/media/response/enquiry_20200321.html)
• The use of information on social media for tracking potential carriers of COVID-19 dated 26 Febrary 2020
  (https://www.pcpd.org.hk/english/media/media_statements/press_20200226.html)
• Privacy issues arising from mandatory quarantine measures dated  12 February 2020
  (https://www.pcpd.org.hk/english/media/media_statements/press_20200211.html)

The Global Privacy Assembly (GPA), a global forum for data protection and privacy authorities, has carried the three pieces of advice above on its webpage “Data protection and Coronavirus (COVID-19) resources”, alongside the latest advice and guidance provided by other data protection authorities as GPA members and   
observers on personal data protection and COVID-19:   https://globalprivacyassembly.org/covid19/ .
 
Background Information
 
Compelling public health interests

• The outbreak of COVID-19 was declared a Public Health Emergency of International Concern by the World Health Organisation on 30 January 2020, and characterised as a pandemic on 11 March 2020.  There is now a pressing need for the local and international communities to contain the spread of the virus.  The compelling interests of public health and safety should be the primary concern for all, including data users. 
• Data protection principles should not hinder measures taken to fight or combat COVID-19.  However, organisations should not derogate their responsibilities in handling personal data.  

Exemptions provided in the PDPO in relation to public health emergency

• Section 59(1) of the PDPO provides for situations where the use of personal data relating to the health of the data subjects may be exempted from the application of Data Protection Principle (DPP) 3 (use of data) of Schedule 1 to the PDPO if the application of such rule would cause serious harm to the health of the data subjects or any other individuals. In other words, any breach of the general rule on the use of data without consent may be defended by demonstrating that the use of the data is for protecting the health of individuals and public health at large. In particular, section 59(2) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject.

Balancing privacy and public health needs

• Personal data privacy right is not an absolute right. What it practically means is that it may be subject to other competing rights or interests, such as the absolute right to life and the interests of the public, including public health.
• “Right to life” of individuals under (i) Article 2 of Part II of the Hong Kong Bill of Rights Ordinance and (ii) Article 6 of the International Covenant on Civil and Political Rights means that every human being has the inherent right to life. The Human Rights Committee of United Nations also stated in November 2018 that “The right to life is the prerequisite for the enjoyment of all other human rights” and defined the “right to life” as “the supreme right”.  This right is absolute and precedes other countervailing interests, including privacy right. The right to life refers not only to the right of life of the data subject, such as the potential carrier of COVID-19, but also that of others in society.