March 13, 2020 / COVID-19 / Protection of Personal Data
Communication INAI/085/20, issued on March 13, 2020, by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
For the responsible parties (institutions and providers of public and private health care services):
- The measures taken in response to the COVID-19 that involve personal data processing that includes health data must be necessary and proportional, in accordance with the guidance and/or instructions of the Ministry of Health and competent authorities.
- The institutions and providers of public and private health care services must collect only the minimum personal data necessary to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19 and, if applicable, to provide the relevant medical care, diagnosis, and treatment.
- Personal data collected to prevent or contain the spread of COVID-19 must not be used for other purposes.
For the responsible parties of the private sector:
- The organizations must protect the confidentiality of any private or sensitive personal data related to any COVID-19 case to avoid harm or discrimination to the affected person.
- No communication within the organization about the possible existence of COVID-19 in the workplace must identify any individual employee.
- The processing of personal data in the COVID-19 situation must be informed, and the owner of such data must know at all times the purposes for which their personal data will be collected and processed. Prior to the processing, the data controller must make available the relevant privacy notice for the owner.
- The identity of COVID-19 affected people must not be disclosed. If a transfer of personal data to the health authorities is required, it must be clearly documented, substantiated, and carried out considering security measures that ensure personal data protection.
- The responsible parties must define the retention periods for personal data related to COVID-19 cases, as well as the mechanisms that will be used to safely dispose of them, taking into consideration the sectorial regulation matters.
For the general population:
- It is important to remember that there is a right to the protection of their personal data. Therefore, in case of improper processing, the population may go to INAI to file a complaint.
