Covid and Data Protection
Introduction
It was great to see so many people on the Weekly Zoom on Wednesday.
I wanted to give my take on some of the data protection points.
These views are entirely my own. I stress that all of this is to give what I hope is a useful steer. Those who wish to rely on this should seek legal advice as I cannot accept liability other than to clients who have engaged me to provide advice.
As a general comment, I think anything that you are doing to genuinely protect people’s health is likely to be lawful if you are complying with the notice requirements and have given consideration to the risks.
Even if there are any inadvertent breaches, it is likely that these will be dealt with an a proportionate manner. The Information Commissioner’s Office (‘ICO’) has published its regulatory approach during the Covid which recognises the challenges organisations are facing. The ICO states it is ‘committed to a an empathetic and pragmatic approach’ as a result. So I wouldn’t worry to much about anything you do which is intended to protect people’s health.
However, if you are sharing information about Covid status for any other purpose, that is clearly risky. ICO’s regulatory approach above states:
“We will take firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information.”
And
“We will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.”
Data Protection Law in a Nutshell
Personal data is information about a person from which they can be identified.
To process any personal data, you need to be able to meet at least one condition from Article 6 of GDPR.
To process special category personal data (which includes data concerning health), you also need to be able to meet at least one condition from Article 9 of GDPR (and in some cases you also need an appropriate policy document in place).
Here is a summary of the conditions that are most likely to apply to the issues we discussed:
| Article 6 | |
| (c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject; | Providers have legal duties in respect of infection control and health and safety of staff, and safety of visitors to their premises. They also have a duty of candour to residents (if they have capacity or otherwise to people lawfully acting on their behalf) to be open and transparent in relation to care and treatment provided to service users in carrying on a regulated activity.
|
| Article 9 | |
| (b) Employment, social security and social protection law.
|
This includes ensuring the health, safety and welfare of employees.
You would need an appropriate policy document in place. A template with guidance is available here.
|
| (h) Health or Social Care | Applies if the processing is necessary for the purposes of the provision of health or social care.
You must be able to justify why processing of the specific data is ‘necessary’. It must be a reasonable and proportionate way of achieving the purpose of providing health or social care. This condition applies where there is a duty of confidentiality owed to the individual concerned, as is of course the case in respect of care homes and their residents. You don’t need to have an appropriate policy document in place. |
| (i) Public interest in the area of public health
|
This includes responding to new threats to public health such as epidemics.
You don’t need to have an appropriate policy document in place. |
As to particular issues:
Testing temperatures of visitors as a precondition for visiting.
Whether or not a high temperature is a good indicator of Covid, the current guidance is that people who have high temperatures should self-isolate for seven days. Accordingly, I think it perfectly reasonable to assure yourselves that visitors do not have high temperatures. Indeed, I think providers are at risk if they don’t do so. Whilst you could simply ask visitors to test before they come, staff performing a test is more reliable for a number of reasons (less likelihood for error due to staff familiarly with taking temperatures and better equipment, the test being done immediately before admission and no opportunity for visitors to give the wrong information whether unintentionally or not). The visitor would of course need to consent to the test, but the lawful basis for processing the data would be 6(c) together with (most obviously) 9(h) and also possibly 9(b) and 9(j). You would need to document how the data is being used and for what purpose in your privacy notice. If you relied on 9(b) you would also need a policy document.
The ICO has useful guidance on testing staff most of which is applicable to testing visitors too. The ICO recommends completing a Data Protection Impact Assessment and provides a link to a simple template available here.
Visitor Agreements
‘Contract’ is a lawful basis for processing data. In this case, you would not replying on that basis because the agreement is probably not an enforceable contract. However, that does not mean that such agreements are not useful in mitigating the risk of transmission. The agreement will set out the expectations of visitors very clearly in respect of disclosing information about any Covid symptoms, possible exposure to others with Covid, agreement to temperature testing and infection control measures on the premises.
If you think that having an agreement (or asking a visitor to sign a policy) will mean that it’s more likely that visiotrs will read the document carefully and will attach greater weight to their obligation to comply with the requirements, it seems like a good idea. Some people may object in which case you would definitely need to check that they have read and understood the policy and seek their verbal agreement to comply with the requirements.
It’s really a matter for your judgment – providers on the front line are better placed to judge what will work best. If you consider that it won’t make a difference whether people sign the document or not in terms of compliance, it may be preferable to go through the policy with each person before they are admitted. Whichever option you choose, you should send the agreement / policy in advance of the visit so that visitors have a chance to read it before they arrive, not least to ensure that they don’t arrive at the home when they have a high risk of transmission.
Whichever option you choose, you would again be relying on the lawful bases set out above.
Communicating Covid Status of Staff or Residents
The ICO has a useful summary in its Covid guidance to healthcare providers.
“As a manager of a care home, can I tell a resident or their family if another resident or member of staff may have contracted coronavirus?
Yes. Data protection doesn’t prevent you exercising your duty to ensure the health and safety of your residents. But you shouldn’t disclose the identity of any individuals unless you really have to. For example, a simple notice that there is a virus case on the premises, with instructions about what isolation precautions should be followed, would usually suffice.”
A joint statement from the Residents and Relatives’ Association, the National Care Forum, Skills for Care, CQC and the Care Provider Alliance (though not the ICO) includes the following:
“Care providers should keep residents and their family members as informed as possible about the situation in relation to the COVID-19 status of the home. This includes whether there are any suspected or confirmed cases amongst residents and staff, what steps are being taking as a result of this, how the care home is working to keep residents and staff safe, and how they will keep residents and family members informed on an ongoing basis.
Whilst data protection rules must continue to be observed and personal details of individual cases may not be shared, providing a general update about the COVID-19 status of the care home, and the steps being taken to deal with any cases and mitigate the risk to others, will help to allay fears. As stated above, this will also help to protect the resident’s and family member’s right to private and family life (protected by Article 8 of the Human Rights Act). As the care home is the resident’s home and its COVID-19 status is a factor which may put the resident at risk, keeping residents and family members informed allows them to weigh up any steps they may need to take to mitigate this risk, and to participate in care decisions.”
One of the case studies of good practice includes the statement:
“We always notify the families of people living in our care homes where COVID-19 is suspected or confirmed.”
Both the ICO guidance and the joint statement accordingly state that you can share information about there being Covid cases in your home as long as it does not disclose information about individuals (unless ‘you really have to’). Neither expressly discusses communicating when you have no cases.
Saying you have no cases discloses health data about each resident which as set out above is special category personal data.
If the information is disclosed to residents, or those lawfully acting on their behalf if they lack capacity, I would argue that disclosure is covered by 6(c) and 9(h) ‘necessary for the provision of health or social care’ given that there is a duty of candour owed to them and CQC, the social care regulator, has expressly required providers to be transparent with stakeholders about Covid.
The issue of disclosing information to families of those with capacity, or to families not acting on their behalf, is more difficult.
I would bear in the mind the following:
- The Joint Statement, though not a statement of the law, sets out the importance of being transparent.
- The ICO’s Covid statement above suggests that it would be sympathetic in the current climate.
- However, using a ‘no Covid’ message for marketing purposes, rather than for reassuring residents and relatives, would constitute ‘breaching data protection laws to take advantage of the current crisis’ which risks ICO enforcement even during the current crisis.
One way of handling this that we discussed on the call is to have a Covid policy that sets out what you would do if you had any cases including that you would be open and transparent about it as recommended by the Joint Statement. Families will then of course be able to work out that there are no cases if you haven’t told them otherwise.
For all the above reasons, I think the risk of enforcement for communicating to families that there are no Covid cases is low, but the disclosure of that information more widely for marketing purposes is much riskier.
Outside or indoor visits?
Providers need to do deicide this on a case by case basis. The obvious overall goal is to minimise the risk of transmission whilst facilitating visits that reduce the adverse affects of isolation on the resident. Drive-through visits where everyone is outdoors, there is no risk of physical contact and distance can be easily regulated, seems a good option in many cases. However, that will not always be possible. Most obviously, those at the end of life may not be able to access outdoor spaces. Where visits are indoors, the current guidance suggests that they should take place in residents’ rooms. You should consider barriers such as full face shields, as well as other PPE. Visitors will also need to wash hands before and after the visit, and assurances about their risk of Covid established through a questionnaire / agreement coupled with testing temperatures as above. See my last blog for more thoughts on the risks and how to manage them.
Questions at daily briefing
The current guidance remains that visits should only be in exceptional cases, and only end of life is given as a concrete example of that. That guidance dates back to 2 April. Facilitating visits outside that guidance carries all the risks set out in my blog last week. The sector is clearly in desperate need of updated guidance. Anyone can submit a question to be asked at the daily government press briefing. The questions are selected by an independent polling company. You can have your question read out rather than recording a video if you prefer. You can ask questions here.
Next session – Wednesday 10 June, 10.30
The dial in details are as before. Please email me if you’d like to join for the first time (email below). Alex Ruck Keene will be joining us to answer questions about Covid and Mental Capacity. Alex is without a doubt one of the star lawyers in this field, but also has a passion in education and best practice. If possible please email me in advance if there are any particular MCA / DoLS questions you have. Please also let me know if there are any other topics you’d like covered.
I hope to see you then!
Jonathan