Privacy and protection of personal data in times of Covid-19 - Recommendations for businesses

The escalation of COVID-19 cases and the distancing measures recommended by the World Health Organization (WHO) converge to raise questions about the conflict between the public interest and the private interest in the privacy of individuals. On the one hand, privacy is a fundamental right. On the other, the need to track the evolution of the pandemic requires the monitoring and disclosure of personal information.

Since February 6, 2020, Federal Law no. 13,979 (which specifically governs public health measures during the COVID-19 outbreak, applying the WHO International Health Regulations) has provided for the mandatory sharing, between public authorities and private entities, of data essential for identifying people suspected of being infected with the coronavirus, for the exclusive purpose of preventing its spread (art. 6, paragraph one). The sharing may occur among agencies and entities of the federal, state, district and municipal public administration, and even private companies and entities, and may cover all types of collection and exchange of personal data, such as name, health status and real-time location.

The law expressly mentions purpose limitation for data collection and use, which is positive. But how should the protection of the individual be defined, and how should one interpret what is or is not illegal to do with the data? That is left to each entity, and will then be evaluated by the judiciary.

Specifically regarding companies and private entities, the situation is one of greater uncertainty regarding the obligation to report suspected contagion. The actions to combat the pandemic involve detecting the disease and segregating and isolating customers and employees who may be ill. In doing so, companies will collect and share information internally and with health authorities, but will potentially be putting the privacy of affected individuals at risk and violating other laws in force, such as the Civil Code, the Consumer Protection Code and the Consolidation of Labor Laws.

As a rule, our suggestion for companies at this time is to use the LGPD as a best-practice baseline and to observe the law specific to their industry or applicable to their relationship with the individuals whom their pandemic countermeasures may affect. We believe that, under the circumstances, it is reasonable for a company to deny physical access to its premises to consumers or employees who show symptoms consistent with COVID-19, using non-intrusive methods (e.g., laser thermometers or simple observation of the person). It also seems appropriate to require test results from employees on leave due to suspected respiratory illness before they return to their posts, taking care that this personal data is handled transparently and only for the specific purpose of preventing contamination in the workplace, that the information is restricted to those who need access to it, and that it is disposed of as quickly as possible. Notification to health authorities should be restricted to health services and other entities required to do so, complying with the protocols provided for in public health legislation and through their specific channels; however, a company that holds information on a suspected case among its partners, consumers or employees can and should make internal communications, suppressing data that could identify the affected person.

Companies that partner with public entities to develop mass solutions for communicating with and monitoring citizens should take redoubled care, using measures such as anonymization and pseudonymization to de-identify personal data, among others that may prove useful to reduce the impact and mitigate potential harm to affected persons.

For example, in China and South Korea, telephone operators are sharing individualized customer data with public security services and health authorities, thus enabling the State to know the exact location of citizens and the people with whom they have had physical contact, among other information that, although invasive, can assist in the prediction and containment of contagion. To a lesser extent, some agreements between mobile phone operators and big data companies can already be seen in Brazil as well, helping municipalities detect and avoid crowds through geolocation, with companies having to work hard to minimize risks for themselves and for the affected people.

Several authorities and data protection forums around the world, including the European Data Protection Board, have recognized that in times of pandemics, data protection rules are not obstacles to emergency action, but are extremely important for effective responses without permanent sacrifice of the rights and guarantees of the citizen.

In a scenario in which the LGPD were in force, uncertainties would be smaller, since the concern with privacy pure and simple would give way to the protection of personal data (these are different concepts; the protection of personal data is more specific and offers targeted guidelines for each item of data).

The LGPD establishes specific hypotheses in which the collection and use of personal data will be legal and legitimate, and sets objective guidelines for dealing with activities that impact privacy. Thus, while specific obligations and burdens may increase, companies and the government now have tools to calculate and address the risks of their activity. The LGPD classifies health data as sensitive data (subject to greater protection), while expressly allowing this data to be collected, used and shared in cases such as the protection of life or the actions of health authorities for the protection of health. These rules become clear with the interpretation and creation of technical and normative regulations by the ANPD, which, being provided for in the text of the LGPD, could already have been constituted by the Federal Government and have been in operation since last year.

Other data protection authorities around the world, with their guidelines on governance and best practices in handling health data, help governments and businesses navigate the complex landscape of partnerships required to effectively implement monitoring and reporting activities for new cases of COVID-19.

Dr. Karin Klempp Franco
Luiz Fernando Plastino Andrade (CIPP/E)
Mahyra Milani