Following inquiries received by this authority in relation to the processing of personal data related to measures to deal with COVID-19, this Authority considers it appropriate to point out the following:
Articles 6.1.e) and 9.2.i) of Regulation (EU) 2016/679 of the Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data which repealed Directive 95/46/EC (GDPR) enable the processing of personal data, including special categories of data such as health data, by health authorities "when processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of care and of medicinal products or health products, on the basis of the law of the Union or of the Member States which lays down appropriate and specific measures to protect the rights and freedoms of the persons concerned, in particular professional secrecy."
In turn, the seventeenth additional provision of Organic Law 3/2018, of 5 December, on data protection and guarantee of digital rights provides that: "These are covered by letters g), h), i) and j) of Article 9.2 of Regulation (EU) 2016/679 the processing of health-related data and genetic data governing the following laws and their implementing provisions: (..) a) Law 14/1986, of 25 April, on general health; (...) g) Law 33/2011, of 4 October, on general public health."
Law 18/2009, of 22 October, on public health, creates the Public Health Surveillance Network which is made up of the set of epidemiological surveillance units of the health department and among its functions is the function of providing "rapid response to public health emergencies and support for the management of the alert system."
With regard to the possibility of citizens communicating information to the public health authorities and for them to collect and process it, Article 9 of Law 33/2011, of 4 October, on general public health says:
- “1. People who know facts, data or circumstances that may constitute a serious risk or danger to the health of the population must inform the health authorities, who must ensure due protection of personal data.
- The provisions of the previous section are understood without prejudice to the communication and information obligations that the laws imposes on health professionals."
According to Article 33 of the same law, this duty of communication also affects employers who, in accordance with the legislation on occupational risk prevention, are aware of any such data.
In this sense, Article 33.2.h) provides, among other issues, that the health authority, in coordination with the labour authority, must "establish coordination mechanisms in the event of pandemics or other health crises, especially in order to carry out preventive and vaccination actions."
On the other hand, Article 58 of Law 18/09 states that "if the owners of facilities, establishments, services or industries detect the existence of health risks arising from the respective activity or products, they must immediately inform the corresponding health authority..."
In particular, it should be borne in mind that "All public administrations and bodies responsible for public health, as well as all health centres, services and establishments and health professionals, must participate, within the scope of their respective functions, in the Public Health Training and Research System and in the Public Health Information System. To this end, they must communicate relevant data to these systems through their responsible bodies" (Article 10.3 of Law 18/09).
On the other hand, in accordance with Organic Law 3/1986 on special measures in matters of public health, the competent authorities in matters of public health may "adopt measures of recognition, treatment, hospitalization or control when there are rational indications that allow for supposing the existence of danger for the health of the population due to the specific health situation of a person or group of people or by the health conditions in which an activity is developed" (Article 2), and in order to control communicable diseases "take appropriate measures to control patients, people who are or have been in contact with them and the immediate environment, as well as those measures deemed necessary in the event of a risk of a communicable nature," (Article 3).
In this sense, in accordance with Article 55.1.j) of Law 18/09, the health authority, through the competent bodies, and in order to protect the health of the population and prevent disease may "adopt measures of medical examination, treatment, hospitalization or control if there are rational indications of the existence of a danger to human health due to a specific circumstance of a person or group of persons or by the conditions in which an activity is performed. Measures may also be taken to control people who are or have been in contact with patients or carriers. These measures must be adopted within the framework of Organic Law 3/1986, of 14 April, on special measures in matters of public health, and State Law 29/1998, of 13 July, regulating contentious administrative jurisdiction, and the legal provisions that modify or repeal it," in accordance with the provisions of the personal data protection regulations and with the procedures that these regulations and other applicable regulations have established, and having the mandatory authorizations.
Carrying out these actions may involve not only the collection of information, including health data, by the public health authorities but also the disclosure of health data relating to people infected or suspected of being infected when necessary to implement the said control measures.
In this sense, it is advisable to take into account the action procedure established by the Catalan Public Health Agency: