The COVID-19 pandemic is affecting daily life in an unprecedented way. We are living in extraordinary times where personal data, especially sensitive health data, might be compromised in the name of collective health and protection measures. While it is of the utmost priority for businesses and employers to take measures to fight the pandemic, they must not forego the protection of the personal data of their employees in the process.
According to an announcement made by the Turkish Data Protection Authority (the “DPA”) on issues to consider during the COVID-19 pandemic, regular implementation of the Law No. 6698 on the Protection of Personal Data (the “Law”) shall continue to be applicable. Data must continue to be processed under the conditions mentioned in the Law and must be processed in compliance with principles such as accuracy, fairness and proportionality. Additionally, when the reasons to process such data are no longer valid, personal data should be deleted, destroyed or anonymized. The Law provides certain timelines for related parties and the recent announcement confirms that parties must abide by these timelines. However, considering the unusual times we are experiencing, the DPA might elect to evaluate the timelines on a case by case basis.
Under Turkish law, data privacy is a constitutional right. The Law is the main piece of specific legislation regulating data privacy matters. Under the Law, personal data relating to health is categorized as sensitive data. (For more information on sensitive data under Turkish Law please see our March 2, 2020, article.) In the absence of a data subject’s explicit consent, health data may only be processed by persons under a duty of confidentiality or by authorized institutions and organizations for the purposes of:
- protection of public health;
- protective medicine;
- medical diagnosis, treatment and nursing services; or
- planning and management and financing of health-care services.
In light of the above, for an employer to be able to process health data during the pandemic, the employee must either give explicit consent or the data must be processed by a health worker such as a workplace doctor. For instance, without explicit consent, an employer should not ask an employee if they have any of the common COVID-19 symptoms or check the employee’s temperature. The Ministry of Industry and Technology recently published a guideline for production plants and facilities which stipulates that an employee’s temperature must be checked prior to entering a production plant or facility. Although the guideline does not seem to dwell upon data privacy issues, business owners must be aware of their obligations under applicable data privacy legislation.
Employee travel data is also frequently being processed due to the COVID-19 outbreak. To the extent that travel data qualifies as personal data, there must be an explicit consent by the employee to its processing. However, it is possible to argue that travel data is “regular”, as opposed to “sensitive”, personal data and therefore, in the absence of explicit consent, employers may rely on one of the exceptions set out in the Law. For instance, an employer may argue that processing is required to comply with legal duties or that there is a legitimate interest in processing the data (e.g., ensuring health and safety at the workplace). According to the DPA, there must be a clear and strong need to request such information from an employee and the data collected must be proportionate to the assessment of risk arising from the absence of such data. In this case, certain factors such as the travel of staff, the presence of people with chronic illnesses in the workplace or the possibility of other people being more severely affected by the virus should be considered along with instructions from the public health authorities.
Healthcare facilities and other authorized institutions and organizations may process data without explicit consent during the COVID-19 pandemic to protect public health, to make diagnoses, to treat patients and to plan the financing of, and manage health care services. In addition, pursuant to the DPA’s announcement, public institutions and organizations may need more personal data to be collected and shared to protect public health. Therefore, healthcare institutions and organizations may send informational messages through phone calls, SMS messages and e-mail to inform the public.
The Law does not apply to the processing of data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations legally authorized to maintain and provide for national defense, national security, public security, public order or economic security. Therefore, during the pandemic, relevant public authorities may process personal data for the foregoing purposes and the employers, without being subject to statutory requirements, must, if requested, share such information with the authorities.
According to the DPA, data processing activities carried out for the purpose of preventing the spread of the COVID-19 virus should be related and limited to a specific purpose and the excessive processing of personal data should be avoided. In order to achieve this, the most non-intrusive path possible should be preferred.
A separate piece of legislation, the Regulation on Personal Health Data, provides further guidance for access to and the processing of personal health data. The rules provided therein must also be adhered to in the case of a pandemic:
- Healthcare professionals may access personal data only to the extent it is required to provide healthcare services. If a person has an e-Nabız account (an electronic health-data recording system), healthcare professionals must adhere to the person’s stated data sharing preferences. If the person does not have an e-Nabız account, then a limited number of healthcare professionals (e.g., their primary care physician) may access their data under the limited circumstances provided by the applicable legislation. During the current crisis, it is possible that the Ministry of Health may reevaluate the applicability of e-Nabız communication access rules. Should the Ministry decide to amend the rules, appropriate privacy statements to that effect will need to be provided to inform people that their e-Nabız communication selections are no longer applicable.
- Healthcare providers must de-identify or mask a patient's personal health data on printed material such as examination analyses and results and take other measures that will make it difficult for unauthorized people to determine the data owner.
- De-identified health data may be uploaded to the central health data system maintained by the Ministry of Health. Only a limited number of people within the Ministry are authorized to match de-identified data with the owner of the data and these persons must comply with the applicable data privacy rules and may only use this authority for planning, financing, management and monitoring of healthcare services.
- The data subject has the right to request the deletion or anonymization of their data from the relevant healthcare institution.
Under extraordinary circumstances like the current pandemic, it is essential not to overlook data privacy regulations. Data controllers, including employers, must remember that this an individual’s inalienable, fundamental right and take all necessary precautions to safeguard it.