The Coronavirus and Information Sharing: What are “vital interests” under GDPR?


During the current coronavirus pandemic, the health and social care sector as well as the emergency services are all providing an amazing service to those who are in need of urgent medical treatment. This will almost always require the sharing of personal data between organisations.

Even during a pandemic, it is important to note that GDPR still applies to ensure individuals’ privacy is protected whilst vital services are provided. On 19th March 2020 the European Data Protection Board issued a statement on the processing of personal data in the context of COVID-19 in which it emphasised this point:

“Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way.
It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”

Lawful Processing

The first data protection principle in Article 5 (1) requires Data Controllers to process personal information “lawfully, fairly and in a transparent manner”. Processing personal data is only lawful if one or more of the six lawful bases listed in Article 6 (1) applies.
If a Data Controller processes personal data about a person’s health (which is a class of Special Category Data) then they must additionally identify one of the ten lawful bases set out in Article 9 (2). These are more detailed than those in Article 6, and are fleshed out further in Schedule 1 of the Data Protection Act 2018. However, there are some overlaps. For example ‘consent’ is a lawful basis in Article 6 (1)(a) and ‘explicit consent’ appears in Article 9(2)(a). Similarly ‘vital interests’ appears in both Articles 6 and 9, however there are differences between the two which we explore below.

Article 6 (1) (d) provides that the processing of personal data is lawful if the processing is necessary to protect the vital interests of the data subject or of another natural person. This raises three points for discussion.

  1. What are vital interests?
  2. When will processing be ‘necessary’?
  3. When can it be used to protect the vital interests of ‘another natural person’?

Vital Interests

GDPR Recital 46 specifically refers to processing for the monitoring of epidemics, and it seems this lawful basis is intended to be used in situations such as the current pandemic. But what about other interests? Are they vital?

During a recent GDPR workshop one delegate asked whether a person’s financial interests could be classed as a ‘vital interest’ (after all, we all need money to live). The answer is no because the word ‘vital’ is interpreted very narrowly. Recital 46 refers to processing that is “necessary to protect an interest which is essential for the life of the data subject or that of another natural person”. The ICO’s interpretation of this is that this generally only applies where it is necessary to protect someone’s life.

Our Example. Sam becomes acutely ill at work and his employer phones the ambulance service. The employer gives the paramedics Sam’s name and address. The employer can rely on the vital interests lawful basis to share this information. If the paramedics need access to Sam’s health records, then the GP will be able to share them for the same reason but will additionally require an Article 9 lawful basis (see below).

However, in our view vital interests can also include situations where there is a risk of significant harm to life. Therefore if an elderly person is forced to self-isolate and depends upon a group of volunteers collecting their essential prescription medicines, then sharing that person’s name and address is arguably necessary to protect their vital interests.

Necessary

The processing must be “necessary” in order to protect a person’s vital interests. The key question is whether a Data Controller can reasonably protect a person’s vital interests without the processing (sharing their personal data). If they can, then the processing will not be necessary. If they cannot, then it will be lawful. In the above example, if the employer refused to give the paramedics Sam’s name and address then this could potentially threaten their ability to offer him life-saving treatment. Therefore the sharing of Sam’s personal data is necessary to protect Sam’s vital interests.

Protecting the Vital Interests of Other Persons

Those familiar with the Data Protection Act 1998 will know that the lawful basis in Article 6 (1)(d) is very similar to the one listed in paragraph 4 of Schedule 2 of the 1998 Act. Unlike the old DPA, the GDPR extends this lawful basis to processing that is necessary to protect the vital interests of “another natural person”. However, Recital 46 cautions that “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis”.

Back to our example. When the paramedics take Sam away in the ambulance, they ask for the names of any employees he may have come into contact with because they are concerned for their health. Can the employer rely on Article 6 (1) (d) to share their names? The answer is no if the employer can find an alternative lawful basis such as consent.

Consequently, as the ICO notes, the processing of one individual’s personal data to protect the vital interests of another is likely to happen only rarely. The ICO gives an example of the processing of a parent’s personal data to protect the vital interests of their child.

What about processing of personal data to save the lives of many others, for instance in a pandemic situation? Recital 46 suggests that this lawful basis may be used to process personal data for this purpose. But it also states that this basis should only be used where processing cannot be based on another legal basis. This could include “legal obligation” or “official authority”.

Special Category Data

A Data Controller sharing health information (or any other Special Category Data) also needs to identify a lawful basis under Article 9 of GDPR. This allows processing if it “is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”

This basis is more rigorous than its counterpart in Article 6. It permits the processing of Special Category Data if the processing is necessary to protect the vital interests of the data subject or of another natural person, but only “where the data subject is physically or legally incapable of giving consent”. This clearly allows medical practitioners to share health data in emergency medical situations where a patient is unable to consent to it.
If a patient is fit and able (physically and mentally) of giving consent, then a Data Controller cannot rely on Article 9 (2)(c).

Example: a volunteer group has compiled a database of the names and addresses of residents who need their prescriptions collecting. They share these names and addresses with volunteers. The group has asked volunteers to log details of any residents who have COVID-19 symptoms in order that they can take steps to protect the lives of the volunteers. The group can only process this information if the person with symptoms explicitly consents to their information being shared (and they understand exactly why their information is being shared). If they are physically able to consent (or refuse to give consent) then the group cannot rely on the vital interests condition.

Although the temptation may be to assume that sharing health data is permissible in the circumstances, the vital interests condition in Article 9 (2) (c) has its limits.
Volunteer groups may need to take steps to obtain consent from data subjects and be prepared to explain exactly why they want this information. Article 9 does provide further lawful conditions which may be relevant (Articles 9 (2) (h) and (i)). We will consider the use of these in a future blog post.

Many established charities and recently formed volunteer groups are also now providing essential support services for those members of the community who are at risk, vulnerable or in need. In order to do this, these services may need to share personal data about such people, and often about their health. Whilst this is laudable, they too must be mindful of the GDPR implications. Our recent blog post about COVID-19 volunteer groups goes into more detail.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. We have 1 place left on the course starting on 11th June.


Information Governance Experts Join the Act Now Team


(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit, Risk Management and Business Continuity Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well known IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategical Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR), how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training, said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector. Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.
