Information Privacy and COVID-19March 27, 2020
In the wake of the COVID-19 outbreak, the business community is faced with unprecedented threats to their cyber-infrastructure and data. Sensitive data, in particular, will be vulnerable to security breaches as a result of reduced humanpower under emergency legislation. Moreover, criminal hackers will be looking to capitalize on such vulnerabilities at a time like this.
COVID-19 has re-ignited an uncomfortable debate: how to strike an appropriate balance between personal privacy on the one hand and national security and public health under a state of emergency on the other. This article does not seek to contribute to that debate. Rather, our aim is to explain to data controllers their statutory obligations under existing Bahamian privacy legislation in light of the new emergency legislation that was brought into force in The Bahamas to manage the threat posed by COVID-19.
What legislation now covers information privacy?
The following legislation generally governs information privacy and confidentiality in The Bahamas:
- Data Protection (Protection of Personal Privacy) Act (Ch. 324A) [“DPA”]
- Computer Misuse Act (Ch. 107A) [“CMA”]
- Banks and Trusts Companies Regulation Act (Ch. 316) [“BCTRA”]
In addition, we now have the following Emergency legislation (promulgated under Article 29 of the Constitution pursuant to a Proclamation of a State of Emergency):
- Emergency Powers (COVID 19) Regulations 2020 (Ch. 34)[“EPR”]
- Emergency Powers (COVID 19) (No.2) Order 2020 [“EPCO”]
Notably, EPR states that the regulations and orders will have effect notwithstanding any other law that may be inconsistent with them. This will last until the Regulations expire on 31 March 2020 but it is now clear that they will be extended to at least the 30th April.
Is DPA applicable under the new emergency legislation?
Yes. Section 5 of the DPA states that where personal data which, in the opinion of the Minister or the Minister for National Security are, or at any time were, kept for the purpose of safeguarding the security of The Bahamas; or, where personal data which consists of information that the person keeping the data is required by law to make available to the public then, the normal protections of the DPA will not apply. It is highly arguable, for example, that gathering information required for the purposes of contact tracing (e.g. from employers, security firms, airlines etc.) would not have the privacy protection that might ordinarily apply.
Furthermore, any restrictions on or exceptions to the disclosure of personal data under DPA will not apply if the disclosure is:
- In the Minister or Minister of National Security’s opinion, for the purpose of safeguarding the security of The Bahamas;
- Required in the interests of protecting the international relations of The Bahamas;
- Required urgently to prevent injury or other damage to the health of a person;
- Required by or under any enactment or by a rule of law or order of a court;
- Required for the purposes of obtaining legal advice; or,
- Made at the request or with the consent of the data subject or a person acting on his behalf.
EPR, for example, under its screening requirements, calls for the mandatory disclosure of personal health information and travel history as well as the provision of biological samples to health officers (sensitive data under DPA) if requested by a health official in order to assess a person’s health. Failure to do so can result in a fine or imprisonment.
With regard to health services, mental health services and telemedicine, medical practitioners and specialists have a statutory not to engage in any behaviour that is contrary to medical ethics and such behaviour includes willful or reckless betrayal of professional confidence. Medical data would be classified as sensitive data under DPA and patients should be afforded confidentiality subject to compliance with the emergency legislation and keeping the best interest of the patient’s (and public’s) health as the paramount consideration. The safeguarding of data and core cyber-infrastructure will be key here. Globally, it appears as though the standard for the public release of COVID-19 patient information is limited to age, sex, symptoms at time of presentation to health services and recent travel history.
Lastly, as schools have been closed pursuant to the emergency legislation, EPCO permits electronic or virtual instruction to be utilised. School administrators and teachers need to ensure that virtual lessons take place over secure videoconferencing platforms with encrypted video and communication to alleviate the threat of security breaches. If the participants of such videoconferences are minors, consent should be sought by the child’s/children’s parent(s) or guardian(s) – especially where webcams are being used.
What if the data is stored in the cloud?
Now would be a good time for data controllers to review their cloud contracts. If your business relies on a cloud service provider to store personal data, you will want pay particular attention to any force majeure clause contained within the cloud contract that will address contract performance obligations in the event of an unforeseen event (in this case – a pandemic). Pandemics should be specifically referred to in force majeure clauses no matter how infrequent they may be as they can affect not only the preservation of confidentiality of information held on the data subject but also business continuity (stemming from country-wide lockdowns). Correspondingly, the data controller should review the contract to ensure adequate safeguards are in place on the cloud service provider’s end to prevent the data from being compromised in accordance with the statutory obligation to provide a comparable level of protection from any third party to whom a data controller discloses information for the purposes of data processing.
If one of my employees becomes infected with COVID-19, can I inform other employees?
In the absence of consent, and in the absence of guidance from the Data Protection Commissioner, this should be permissible so long as you do not identify the individual unless it is absolutely necessary to do so (e.g. where a contagious person needs to be quarantined but that cannot happen unless his or her identity and whereabouts are disclosed to the relevant health authorities).
What are some safety measures my business can use in order to ensure our data remains as safe as possible?
There are several measures the business can take – namely:
- Ensuring the physical security of premises (and data therein)if the business is closed (reason being it is not considered an essential service under EPCO);
- If employees are working remotely – ensuring that any files taken home are not accessed by unauthorised individuals in accordance with confidentiality obligations;
- Reviewing existing contractual relationships with cybersecurity and e-service providers;
- Drawing up an internal data protection policy to rely on in the event of a crisis or emergency (such as a data leak or Act of God) to ensure business continuity;
- Appoint a Data Protection Officer to handle data subject access requests pursuant to DPA and GDPR;
- Ensuring all business communications (e-mails, text messages, communications, etc.) are encrypted or used in a privacy mode to minimise the threat of a data breach;
- Familiarising oneself with important data protection laws that the company should adhere to; and
- Educating oneself on common methods used by hackers who may try to take advantage of vulnerable networks in a time of crisis – which would be a breach of several provisions under CMA.
As an employer, how much data can I collect on my employees concerning COVID-19?
Data controllers, in general, need to have a clear understanding that as it relates to employees and/or clients, physical health and sexual life are considered sensitive personal data. This is important as it has been reported that some employers have been taking temperature checks of their employees and asking them to report to HR when, or if they suspect they are experiencing COVID-19 or flu-like symptoms. Asking employees to report any symptoms prior to coming to work is fine under DPA as this is in accordance with the employer’s obligation to ensure health and safety in the workplace. Taking temperature readings or asking about recent travel history should only be done with the express consent of the employee – if at all – as this could violate the data controller’s obligation not to keep excessive data. In any event, such data should only be disclosed on a need-to-know basis within the organization bearing in mind the core data principles of DPA.
Furthermore, as it has been proven that COVID-19 can potentially be acquired by anyone within close proximity to an infected person, employers should refrain from asking employees questions regarding their sexual history as a means of contact tracing. It is not their place to do so and such data would likely amount to excessive and irrelevant data collection.
In conclusion, despite some privacy laws being ‘relaxed’ under this new emergency legislation, data controllers should still observe their duties and obligations under DPA. There will be many lessons to learn from the handling of the COVID-19 outbreak but we are hopeful that as a result of this crisis, businesses will realise the importance of data security within their organisation and that this crisis will spur new and innovative legislation to cope with similar crises in the future.
For more information contact Sean McWeeney Jr, Associate – email@example.com
 s. 2(1) DPA
 s. 13 DPA (this list is not exhaustive)
 s. 6(1) EPR
 s. 37(2)(e) Medical Act 2014
 s. 2(1) DPA
 s. 8 EPCO
 s. 12(2) DPA
 s. 6 CMA
 s. 4 Health and Safety at Work Act (Ch. 321C)
 s. 6(1)(c)(iii) DPA
Please note that this publication is only a guidance note and as such is for reference purposes only, it does not constitute legal advice and should not be relied upon as such. Specific legal advice about your particular circumstances should always be sought, and our legal team is available to assist you with any questions or issues that you may have.