1. Legal Basis
Under Articles 136 and 138 of the General Health Law, the employer is obliged to notify the health authorities of suspected and confirmed cases of COVID-19. As a result, the processing of sensitive personal data, such as health data, in the workplace may be necessary.
Personal data should be processed only for specified and explicit purposes. This means that, in order to comply with the health and safety obligations at the workplace, only the minimum data needed for that purpose should be collected. In addition, data subjects should receive transparent information on the processing activities that are being carried out and their main features. This information should be easily accessible and provided in clear and plain language through a privacy notice.
2. Data Protection Impact Assessment (DPIA)
All data controllers have an obligation to adopt measures to guarantee the proper processing of personal data, giving priority to the interests of the data subjects and their reasonable expectation of privacy. Among such measures is the implementation of a procedure to identify the risks to the protection of personal data created by the introduction of new products, services, technologies and business models, as well as measures to mitigate those risks. This procedure is known internationally as a Data Protection Impact Assessment; although the FDPL does not identify it by that name, the same rules apply.
A DPIA will help organizations understand the risks associated with particular data processing activities and the measures needed to mitigate them. In the face of the present crisis, we recommend carrying out a DPIA within the organization in order to identify the changes that may be required in the data protection compliance documentation, for example Privacy Notices that must be updated, records of the collection of sensitive personal data, and a map of the life cycle of such information within the organization, including who has access to it and for which purposes, among others.
Carrying out a DPIA is mandatory under the FDPL. Further, the existence of a DPIA is likely to serve as evidence of compliance with the FDPL in case the organization is subject to a review by the INAI at some point down the road.
In general, the processing of sensitive personal data, such as health data, is subject to the express written consent of the data subjects. Consent may be obtained through their signature, electronic signature, or any authentication mechanism established for such a purpose. However, as an exception, in the context of an emergency such as this one, where there is potential harm to the data subjects' person or property, obtaining consent is not required.
Further, the Mexican Data Protection Agency (INAI) recently confirmed that the processing of sensitive personal data in this situation could be considered an exception to obtaining the express written consent of the data subject, provided that the processing is indispensable for medical care, prevention, diagnosis, the provision of health care, medical treatment or the management of health services. However, the INAI has also stated that it will analyse the application of the exception on a case-by-case basis.
It is important that communication within the company about the possible presence of COVID-19 in the workplace does not identify any individual employee. This duty of confidentiality has been confirmed in the latest recommendations issued by the INAI.
This means that, to the extent possible, if an employer has been informed that an employee, contractor or any third party who comes into contact with the organization is infected with COVID-19 or has shown symptoms, information that may lead to the identification of that individual should not be disclosed, in order to prevent discrimination or any other serious risk to the person. Employers may disclose dissociated data, such as the number of cases that have been identified in the workplace, but should not communicate more information than necessary. The communication should not name the affected individual.
Nonetheless, the duty to notify the health authorities of suspected and confirmed cases of COVID-19 is not subject to the confidentiality principle; therefore, employers may share that information with the authorities in compliance with the General Health Law. However, companies must adopt strict and appropriate administrative, physical and technical security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorized use, access or processing.
5. Security Measures
As remote working increases, so do the risks to privacy and cybersecurity. With additional vulnerabilities, malware attacks and phishing attempts, companies need to ensure that their employees and infrastructure are protected. In view of this situation, the INAI has issued recommendations and measures to protect the information and personal data that will be processed under this temporary work scheme. Such recommendations include, among others:
- Promote awareness within the company
- Have and implement security policies
- Use the organization's trusted cloud services, apps and networks, including work email accounts instead of personal accounts
There are other recommendations directed at the individual employee, such as not including personal data or confidential information in the subject line of an email, and verifying the recipient's address whenever personal and/or sensitive data is being sent.
Further information on all of the security recommendations may be found here.