Slovak country-wide COVID-19 testing from the perspective of personal data protection
The Slovak government on Sunday 18th October 2020 approved plans to use up to 8.000 Slovak armed forces personnel to support mass testing of the population for COVID-19 as it battles a surge of infections. The Slovak government has also ordered around 13 million antigen tests, which produce faster results but are often less accurate than standard PCR tests. Medical personnel will carry out testing.
Plan of country-wide testing comes together with issues regarding data collection of tested people.
The Office for Personal Data Protection (hereinafter referred to as “Office”) published Statement on the planned country-wide testing of the population in COVID-19
The intended country-wide testing will be performed not only by healthcare professionals who, as the only members of the testing teams presented, also have a sufficient legal basis for processing the data of tested persons in the meaning of several special laws, but especially the Act No. 576/2004 Coll. on health care and on services related to health care and Act No. 355/2007 Coll. on protection, encouragement and development of public health. Due to the many scenarios of performing country-wide testing, the Office warns and informs that the organizer of this testing, who will be in the position of the controller (at that time it is not clear, who will be) will have to fulfil all obligations under the GDPR or Act No. 18/2018 Coll. on the protection of personal data.
In particular, it shall be paid attention to the obligation to fulfil the notification obligation in compliance with Article 13 of the GDPR (fulfilment of the information obligation can be performed by the controller, for example in the form of its publication on the relevant websites of interested institutions or also in the form of direct transmission of information in writing, or otherwise so that the person has information before personal data are provided to the controller or its authorized persons), to ensure the absolute highest level of security of the collected data, also with regard to their sensitive nature (natural person's health data is a special category of personal data - sensitive personal data) within the meaning of Article 9 (1).
It is also essential that all those involved in the field testing have precise and specific instructions on how to collect, handle, store and process personal data at all times in order to ensure their security and to prevent their loss or possible misuse, and to be made available to an unauthorized person or persons.
It is, of course, necessary to provide an adequate legal basis for the processing of the requested data (an adequate legal basis is to establish a legal basis for the processing of personal data both under Article 6 (1) of the GDPR and under one of the conditions of Article 9 (2). This determination must be performed by the controller of the country-wide testing, which will be relevant and legally unquestionable with regard to the sensitivity of the data. It is also necessary for the persons concerned to have information on whom they can turn, in the event of exercising their rights under the GDPR and national Act No. 18/2018 Coll.
Office considers country-wide testing to be logistically demanding, but this demanding perceives from the point of view of personal data processing, such as correct provision of the legal basis for personal data processing and ensuring all obligations with regard to data security, which must be guaranteed during processing sensitive personal data in such quantities, in order to avoid processing which shows signs of illegality or other incompatibility with the basic principles of the Article 5.
Article provided by: Miroslav Chlipala (Bukovinsky & Chlipala, Slovakia)
Dr. Tobias Höllwarth (Managing Director INPLP)