Data Collection Policies for Purposes related to COVID-19
Following the resumption of classes in kindergartens, primary and secondary schools this week, the Office of the Privacy Commissioner for Personal Data of Hong Kong issued a guidance note to schools on 23 September 2020. The note addresses the proper management of the collection of personal data of teachers, staff and students in light of the epidemic prevention measures implemented in schools. A copy can be found at https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_covid19.pdf.
Whilst the guidelines are written with schools in mind, we consider they may be a helpful reference for companies drawing up their own policies for collecting data from employees for purposes related to COVID-19.
Collection of temperature measurements, travel histories and other health data
Due to public health concerns, it is a generally acceptable and reasonable practice for schools to collect temperature measurements, travel histories and other health data of teachers, staff and students to eliminate the risk of transmission in schools.
When doing so, schools should only collect necessary and appropriate data that is proportionate to the collection purposes. According to Data Protection Principle (DPP) 1, on or before the collection of personal data, schools shall take practicable steps to provide data subjects with a Personal Information Collection Statement (PICS), stating the kinds of data to be collected, the purpose of the collection, and to whom the data may be transferred. Schools should also inform data subjects of the retention period of the data in the PICS.
Schools are recommended to adopt a self-reporting system and collect data via questionnaires instead of open-ended question formats to avoid collection of irrelevant and unnecessary personal data.
Unless a data subject has developed COVID-19 symptoms or there are other justifiable reasons (e.g. the subject has just returned to Hong Kong from abroad or is in close contact with infected persons), schools should delete the personal data within a reasonable period to reduce the risk of data leakage. The Commissioner did not define what constitutes a reasonable period. However, schools are advised to take into account various factors, such as the common incubation period for COVID-19 as advised by public health authorities.
Use and Disclosure of Personal Data
Personal data collected from data subjects should only be used for the original purposes that the subjects were informed of. Under DPP 3, voluntary and explicit consent must be obtained from the data subjects before the data can be used and/or disclosed to a third party for a different purpose.
Extra care must be taken when the data subject is a minor (e.g. students below the age of 18). For data collection involving minors, a person who has parental responsibility for the minor or the guardian of the minor may provide such consent on behalf of the minor.
Certain situations of use and disclosure of personal data may be exempted from seeking consent from data subjects. These situations may include:
- disclosure of identity, health, and location data of students to public health authorities for tracing and treating infected persons and safeguarding public health; or
- use and disclosure required by law (e.g. the obligation to disclose under Cap. 599D Prevention and Control of Disease (Disclosure of Information) Regulation).
Schools are generally allowed to notify teachers, staff, parents, and students if there is a confirmed case in school. However, under most circumstances, disclosure of the name and other personal particulars of an infected person in the notification will be considered unnecessary or disproportionate. When notifying teachers, staff, parents and students of the confirmed case, schools should preserve the anonymity of the infected person, and should only disclose the infected person’s recent whereabouts and the group activities he or she participated in.
Data Security Considerations
Ensuring the protection of personal data is of paramount importance, especially for schools, as they may collect a significant volume of sensitive personal data of minors, which should be treated with extra attention. A failure to do so may cause significant psychological and actual harm to the persons involved.
Under DPP 4, schools should adopt all practicable steps to protect the personal data collected against unauthorized or accidental processing, erasure, loss or use. Examples may include restricting access to the personal data on a need-to-know basis, storing physical copies in locked cabinets, and setting encryption and passwords for electronically saved data.
In the event of a data leakage, the school should immediately notify the data subjects involved, relevant staff and authorities, such as the Commissioner and, in more serious cases of leakage, the Police.
Right to request access and correction of personal data
A data subject has the right to access his/her personal data and to make amendments whenever necessary. Under DPP 1(3)(b)(ii), schools should inform data subjects of their rights on or before collecting their personal data, and provide the contact information of the staff in charge of personal data collection so that data subjects can exercise their rights.