The coronavirus crisis continues to lead to the use of individuals’ personal data in new and sometimes unexpected ways. In this briefing, we consider some possible data protection issues that could arise in connection with proposals by the Spanish government to establish a register of citizens who refuse the COVID-19 vaccination and share this with other European countries.
All data controllers collecting (or planning to collect) data subjects’ personal information for purposes connected with the COVID-19 pandemic will need to consider various questions to ensure that such personal data is processed fairly, proportionately and transparently and in compliance with applicable data protection rules.
These include, among other things, the principles of fair, lawful and transparent processing, ensuring appropriate legal bases for processing, purpose limitation, data minimisation, accuracy, storage limitation and integrity and confidentiality.
Any personal data, especially special category health-related data, that is processed in connection with the pandemic should be handled carefully. As the UK Information Commissioner has made clear, action will be taken against any data controllers misusing personal information to exploit the situation or take advantage of this serious public health emergency.
As the spectre of coronavirus continues to haunt many countries around the world, data protection issues raised by the virus may not be at the forefront of people’s minds when considering the impact of the COVID-19 crisis. However, as the global pandemic approaches its first anniversary (a milestone unlikely to be celebrated by anyone), it is clear that individuals’ personal data is being used in various ways that were not envisaged only a year ago, which may raise concerns for data subjects and regulators alike.