Specific Data Protection Authority’s Guidelines for COVID-19

May 11, 2020

Data protection

Argentine law considers health-related information to be sensitive data, so special care should be taken when monitoring employees’ health and the likelihood of them contracting Covid-19. The Agency of Access to Public Information, Argentina’s data protection authority, issued the following recommendations, based on Argentine Data Protection Law No. 25,326 (“DPL”), for processing personal data related to Covid-19:

· Health data falls under the category of sensitive data deserving a more rigorous protection;

· The communication of the name of a patient testing positive to Covid-19 requires the patient’s prior consent;

· Health institutions and doctors can process and share between themselves personal data of their patients if they keep said data confidential;

· The obligation of professional secrecy remains even after the relationship with the patient is over;

· To use the patient’s health information for purposes different from the ones for which it was collected, the patient’s prior consent is necessary;

· The National Health Ministry as well as the Provincial Health Ministries are authorized to request, collect, transfer to each other or process in any other way health information without the consent of the patients, in accordance with the explicit and implicit powers that they have been given by law.

These recommendations, however, are not directed to the special case of employers, who in certain specific circumstances may be exempted from, for example, collecting the consent of the employee who is Covid-19 positive, in order for the employer to adopt the necessary measures to prevent new infections, fulfilling in consequence the duty to prevent damages from the pandemic.

In this regard, the Executive Committee of the Global Privacy Assembly, of which the Argentine Data Protection Director is a member, also issued a statement in which it primarily stated that the Committee is “(…) confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”

Moreover, and following in the same line as the recommendations of the Agency of Access to Public Information, Administrative Decision No. 431/2020 of the President’s Chief of Staff Office states that “the capacity of the State to have relevant information for the purposes of public health care, in a timely manner and within the regulatory framework in force, stands as an essential and indispensable asset for decision-making.” Consequently, each of the entities that form the National Public Sector is authorized to transfer, assign, exchange or in any way make available the data and information that, because of their powers, missions and functions, are in their files or databases. This must be done in accordance with the technical and organizational measures that are necessary to guarantee security, confidentiality and processing in order to protect public health. All of the above is based on the provisions of the DPL, which establishes that personal data may be transferred without the consent of the data subject when it is collected within the scope of the powers of the State when exercising its functions, and allows the possibility of carrying out mass transfers of personal data between State agencies directly, to the extent that it is done in compliance with their respective powers.

In this context, the employer should evaluate whether the company has adequate security levels to process sensitive information and thus guarantee its integrity, and whether these levels of security are ensured outside the office. It should also analyze whether there are any privacy restrictions on disclosing, within the Company, the Company group, or to the medical, health and/or security authorities, which employees have tested positive for Covid-19 or present possible symptoms.

Finally, it is of the utmost importance to check if the company has the right to ask employees where they are planning to travel or where they have recently been, or even if the company has the right to request its employees to fill out medical forms, have their temperature measured or make them undergo medical examinations, as the employee might have the right to keep all that information private. So, it may be necessary to verify whether there is a need to collect new consent forms from employees to allow the company to process data related to the pandemic.

Working from home

On the other hand, the Covid-19 pandemic has forced many companies to implement mass work-from-home measures. Working from home poses certain challenges that may be new to many companies.

The first, and perhaps the biggest challenge, is to ensure that all work is done on devices that have adequate security measures. The information security risk can be exacerbated when employees use personal devices to perform work-related tasks.

Along these lines, the Specialized Cybercrime Prosecutor’s Unit (“SCPU”) published a series of recommendations to operate safely on the internet, social networks and with online messaging services. Regarding teleworking, the SCPU stresses the need to have secure connections and equipment, and to protect networks with strong passwords (combining letters, numbers and special characters). Teleworking should always be carried out using original software and up-to-date anti-virus software. Similarly, the SCPU points out that, when sensitive information is transferred, the information must be encrypted. Advice is also given to avoid personal data theft and online fraud, such as ignoring messages coming from unofficial channels or messages that indicate that accounts have been blocked and that access credentials are therefore needed.

For its part, the Agency of Access to Public Information shared some recommendations for video calls, suggesting that users read the privacy policies and terms of use of the applications or platforms, and pointing out that the data subject’s consent must be expressly required prior to the use of the video call service and that, if the video call were to be recorded by the application, the prior and express consent of the data subject is required to do so. Likewise, the Agency suggests paying special attention to “free” platforms since they could use the users’ personal data for other purposes. Finally, the Agency suggests the use of platforms that require a password to enter the rooms, in addition to the identification (ID) of the call that only the people invited to participate have.

On the other hand, it is important for companies to have appropriate privacy, acceptable use of information resources, and “bring your own device” internal policies. These policies address not only how work tools should be used, but also regulate the employee’s expectation of privacy when performing their tasks. This last point is especially important when normal office tasks are performed at home, together with the employer’s right to monitor the employee’s activities.

In this context, employers should make sure to have a Security Policy in place and that it has been implemented and observed to verify, for example, that employees who use personal devices do so in secure environments (updated software, presence of firewalls, antivirus, among others). In addition, the company should have in place a Privacy Policy and an Acceptable Use of Information Resources Policy (both labor and personal wise) in Spanish and expressly accepted by its employees.

Geolocation apps

The use of apps to collect information on people’s mobility has become very important in the fight against the spread of the Covid-19 virus. In this regard, for example, the Ministry of Health launched an app named “cuidar” which collects, among others, geolocation information from its users to recommend steps to follow according to the symptoms that were entered into it, and to make comparisons or predictions based on the Ministry of Health’s sanitary recommendations. In this way, in order to be able to carry out public prevention and mitigation policies related to Covid-19, the Ministry of Health can use the information in the app to map risk areas, as well as areas where social distancing cannot be attained, which could increase the spread of the virus. The characteristics of the database corresponding to the “cuidar” app are detailed in Provision 3/2020 of the Under-secretariat for Open Government and Digital Country, reporting to the Chief of Ministers. The aim of the provision is to comply with the obligation to publish in the Official Gazette the creation of databases belonging to public bodies.

In this context, the Agency of Access to Public Information published on its website a series of recommendations for the use of these applications, recalling that, in accordance with the applicable law for the protection of personal data in Argentina, the monitoring of the location of individuals is not prohibited, provided that such monitoring is carried out respecting the human right to privacy.

To this end, the Agency lists fundamental principles on data protection applicable to geolocation tools, whether they are used by the public or private sector, or both in collaboration:

- All information regarding a person’s location and/or movements constitutes personal data protected by law, and therefore its processing must have a valid legal basis (article 5, DPL).

- Location data is defined as “information collected by a network or service about where the user’s phone or other device is or was located.” Similarly, the Agency understands that location data can be inferred by GPS, cell towers, Wi-Fi, Bluetooth or a combination of signals.

- This data may be held by telecommunication service providers, internet service providers, or value-added services (i.e. the same app).

- Geolocation data may be processed by State agencies without the consent of the data subject to the extent that they do so within their specific powers – which must be understood in a strict and restrictive sense. Otherwise, State agencies must resort to the consent of the data subject in order to process with a valid legal basis. The same principle applies to transfers of data between State agencies.

- The dissociation of location data excludes the application of the DPL as it does not qualify as personal data.

- The data subject must have the possibility to revoke their consent to monitoring at any time.

- Those responsible for processing personal data related to location or monitoring the location of a person must do so in compliance with the data quality principle (article 4, DPL).

- The data controller must inform the data subject how and why the data is being monitored, where the information is stored, with whom it is shared, the consequences of the processing and the possibility for the data subject to exercise their rights of access, rectification or deletion.

Finally, the Agency also recommends carrying out a privacy impact assessment prior to the implementation of these types of tools to control and mitigate their risks, as well as to assess their feasibility.

This section tries to identify some of the novel questions that Covid-19 raises regarding privacy and the protection of personal data, without intending to exhaust this matter which would require a case-by-case analysis.