Data Privacy in today’s context

The Covid-19 pandemic has unearthed several privacy issues which enterprises are grappling with. The following are a few indicative guidelines:

1. Can Healthcare institutions and providers send communication to individuals?
2. Data protection and electronic communication laws globally and across the Middle East do not prohibit government agencies, healthcare institutions, providers from sending non-promotional public health announcements to individuals if exercised in public interest which is a legal basis for doing so. These may be via phone, text, or email. They do not constitute direct marketing unless there is any promotion or marketing for products and services. Data subjects can always use their “Right to Object” if called for.
3. Informing staff about Covid cases: Can an employer inform employees that a particular member of their team has contracted Covid-19?
4. Organizations have an obligation to ensure the wellbeing, health and safety of employees. As an employer, provide the information necessary towards this obligation to staff – no more and no less. The privacy principles of ‘necessity, proportionality and data minimization are key. Keep sensitivities, discretion, and a sense of proportion in mind. Prevent rumours from spreading and avoid any unclear communication that may lead to them. Clear the air. Avoid at any cost any communication that can lead to a sense of panic. Suspected or confirmed cases should not be named in person – unless it is an immediate direct contact who is at risk. Employer must notify employees and staff on PI/SPI handling under COVID response measures.

3. As an employer, am I allowed to perform medical check-ups on employees or require employees to get checked?
4. Employers should only access and process employees’ personal health data if there is a legal or contingent reason to do so.

4. As part of our Covid-19 prevention efforts, can I request my commercial partners to share personal data on their employees’ health?
5. Asking to receive personal data on contractors and vendor employees may pose additional privacy risks to any enterprise. An organization engaging in such collection and processing activities must have a legitimate purpose explicitly stated and supported by adequate security and privacy controls in place to protect the storage, processing and exchange of sensitive data with third parties. As part of their contractual agreement, cross-border data transfer measures should be documented and agreed upon.

5. Can I share our employees’ health information to authorities for public health purposes?
6. An employer is unlikely to share an individual's health information with health authorities. If the need to do so arises, there is a legitimate and legal basis that enables data privacy regulations to accommodate PI/SPI processing.
7. Employers can carry out processing without any commercial intent for reasons of health, safety, welfare and social care of the staff. Appropriate safeguards including anonymization and aggregation must be used to protect and maximize data privacy.