20 Apr
COVID-19, PRIVACY AND DATA PROTECTION
Among the many societal shifts that have been triggered by the ongoing Covid-19 pandemic is an even greater public reliance on data and technology. Whether it is experts using patient data to identify trends and control the spread of the virus, businesses using technology to enable their employees to work from home, or individuals using it to stay connected with their loved ones, Covid-19 seems to have resulted in a shift in how many people view technology and privacy – in ways that are likely to have lasting impacts long after the virus is gone. In this article, we will explore some of the privacy and data protection issues arising out of Covid-19.
PRIVACY AND PATIENT CONFIDENTIALITY
Covid-19 is a virus spread by human contact. Many people have therefore argued that patients diagnosed with Covid-19, and even those who are in self-isolation or quarantine, should be publicly identified so that the public could know whether or not they might have come into contact with them. In fact, just a few weeks ago a list of persons purportedly under quarantine, together with their personal contact information, was widely circulated on social media.
From a general legal perspective, the publication of patient names and personal information contradicts the common law principles of confidentiality, and doctor-patient confidentiality in particular. It also distorts the ethical and moral aspects of the medical profession, as confidentiality is essential to the nature of the relationship between a doctor and a patient. Further, it impinges on the patients’ constitutional right to respect for their private life.
That said, there are instances when even these principles must give way, such as where disclosure is required in order to protect the vital interests of the public. Even then, disclosure should be controlled and limited only to what is reasonably necessary in order to strike the appropriate balance between protecting the vital interests of the public and safeguarding the confidentiality of the patient. The measures adopted by the government have sought to achieve this balance in the context of the rapidly evolving nature of the pandemic.
The Trinidad and Tobago Data Protection Act is only partially proclaimed and many of its operative provisions are not yet in force. However, the Act generally reflects the importance of balancing the public’s right to know against the individual’s right to privacy and confidentiality.
The psychological and other effects that may be experienced by persons whose names and contact information are ‘leaked’ to the public should not be underestimated. It can have a serious negative impact on their reputations, businesses and potentially even their personal safety. It is therefore imperative that all government bodies utilise adequate organisational and technical security measures in order to secure and protect personal patient data and strike an appropriate balance.
While the government has, to date, sought to stringently uphold the principle of patient confidentiality, it has also enabled the reasonable and proportionate disclosure of patient information.
For example, on 2nd April 2020, the government officially released a heat map of identified cases of Covid-19 in Trinidad and Tobago, as well as lines of contact as traced per the patients’ routes.
More recently, under the newly issued Regulation 8 of the Public Health [2019 Novel Coronavirus (2019-nCoV)] (No. 8) Regulations, 2020, private medical laboratories have been expressly mandated to immediately report and forward the results of any positive Covid-19 test to the Chief Medical Officer and relevant Regional Health Authority. Failure to disclose a positive result amounts to a criminal offence sanctioned by a penalty of fifty thousand dollars and imprisonment for six months.
Governments in other jurisdictions have started to use mobile telephone ‘apps’ to monitor things like movement, travel history, temperature etc. In Trinidad and Tobago, we have not yet reached that stage. However, the pandemic, and the government’s response to it, is constantly evolving and the balance between the rights of the public and those of the individuals will need to be constantly recalibrated.
While non-essential employees have been ordered to “stay at home”, many essential employees are still required to report to work. Can such employees be asked to disclose personal medical and other information to their employers?
The employee’s right to privacy must be balanced against the employer’s duty to ensure that its workplaces are safe and that its workforce as a whole is not exposed to unnecessary risks. As such, employers can reasonably require disclosure of certain information from employees, including whether:
- The employee has or recently had any symptoms of Covid-19
- The employee was in contact with any person who either had symptoms of Covid-19 or was subsequently diagnosed as being Covid-19 positive
- The employee travelled recently or was in contact with any persons who travelled
- Any household members have or had symptoms of Covid-19
- Any household members were in contact with persons who recently travelled.
WORKING FROM HOME AND DATA SECURITY
In the wake of the ‘stay at home’ regulations issued by the government, many non-essential employees have now been asked to work from home (‘WFH’). Many employers would have implemented this change out of necessity and without having robust WFH policies in place. However, given the likelihood that such arrangements will need to remain in place for an as yet undetermined period, it is important for all employers to think through the practical and data security considerations associated with WFH. At a minimum, it is advisable that employers ensure that their employees:
- Do not connect devices to any networks that are (i) public, (ii) untrusted, or (iii) lacking robust password protection. Ideally, a Virtual Private Network (‘VPN’) should be utilised on all devices to add a further layer of security on all network traffic, given that the company’s business, including that of its clients, may contain confidential information.
- Turn off Bluetooth on all devices being used for work purposes, to reduce the avenues for unauthorised access. In fact, devices should be turned off or be disconnected from the internet when not in use.
- Continue to observe confidentiality in all aspects of the company’s work.
- Remain alert to any phishing attempts, as rogue actors may consider employees to be less focused on, or less expectant of, such threats given the current climate worldwide.
- Where particularly sensitive information must be transmitted, ensure that the relevant document is password protected and that the password is communicated by a separate medium, such as a phone call, or WhatsApp message.
- Be wary of using free applications for video conferencing purposes. Covid-19 has resulted in an exponential increase in the use of such applications, many of which have come under fire for data protection and privacy deficiencies. One popular application has been accused of being intentionally designed to bypass browser security settings and remotely activate the user’s web camera without their knowledge or consent, thereby exposing users to the risk of remote surveillance, unwanted video calls, and denial-of-service attacks. Employers should ensure that any applications used for video conferencing have a robust approach to security and privacy in communication technology, even if it means paying for the service.
- Continue to keep track of their activities/deliverables in accordance with the company’s policy of record and timekeeping. Where there is no such policy, employers may wish to think about developing practices, such as a daily or weekly check in with employees.
Disclaimer: This document provides general guidance only and nothing in this document constitutes legal advice. Should you require specific assistance, please contact your attorney-at-law.