By Steven Orpwood, Business Analyst and DPO

March 2020

 

One of the early approaches to dealing with the recent global spread of COVID-19 was contact tracing. This relies on finding all those who have been in contact with an infected individual being traced and tested. Whilst the manual activity of following the trail of the carrier over a period of days, and reconstructing the interactions is undoubtedly a key component, the advent of mobile phones and CCTV have made this process easier. In fact, in South Korea, they monitored carriers using mobiles and CCTV and published their position to the general public.

 

If this happened in the EU, would it be allowable; surely not, since the GDPR does not allow personal data to be used in this way, and what’s more we are including health information, which is special category data and has a higher level of protection. Well maybe it is possible, since Articles 6 and 9 of the GDPR allow the use of personal and special category data to protect the “vital interests” of individuals, and in the interest of “public health”.

 

Now I am not suggesting we go so far as to publish the details, but in tracking these individuals we are overriding a data subject’s personal data rights to protect the wider population, and whilst the individual may feel aggrieved, we should accept that this is a valid exception and is a good measure, helping to protect us all.

 

To find out more about Aim's GDPR services, click here.