Coronavirus and social media tracking in Hong Kong | what are the data privacy law implications?

The coronavirus (COVID-19) situation, which the World Health Organization has declared a "Public Health Emergency of International Concern" and has “pandemic potential”, has now impacted nearly all governments, businesses and individuals globally. In the digital world, many individuals communicate their thoughts, actions, health and views through social media. With heighted concerns over health and safety, many governments and businesses have large segments of their workforce working from home. Issues have been raised about the legal implications arising out of use of social media and tracking technologies, especially in the context of the coronavirus crisis.

The Privacy Commissioner for Personal Data, Hong Kong (PCPD) has clarified the privacy law position on this issue recently under a media statement The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 (“PCPD Statement”). Set out below are the key points raised by the PCPD Statement and what the data privacy law implications means for businesses.

PCPD Statement

Personal data obtained from social media subject to use under the HK Privacy Law  

the PCPD has clarified that as a general rule, personal data obtained from the social media in a public domain is regulated by and subject to use in compliance with the Personal Data (Privacy) Ordinance (Cap 486) (PDPO), meaning use must be consistent with or directly related to the original purpose for which the data is collected.  However, the general rule is subject to a limited health exception from certain sections of the PCPO (see below).

Tracking of employees for potential COVID-19 requires consent

If an employer obtains information about an employee in a social media chat group, that information must be used for the purposes of that chat and if used for a different purpose, such as tracking potential virus carriers, prior consent of the parties concerned must be obtained (subject to exceptions).

The intention of Data Protection Principle 3 (DPP 3) under the PDPO is to protect an individual’s personal data from being abused or misused because the data belongs to the individual concerned and the Office of the PCPD considers personal data privacy to be a fundamental human right.

Personal data rights not absolute

• Right to Life: the right to personal data privacy is not an absolute right, meaning that it may be subject to other competing rights or interests, such as the absolute right to life and the interests of the public, including public health. The ‘right to life’ refers not only to the right of life of the data subject, such as the potential carrier of the virus, but also that of others in society. Under United Nations Human Rights covenants, life is a ‘supreme right’ and governments may take appropriate measures to address the general conditions in society that may give rise to direct threats to life (including the prevalence of communicable diseases).
• Public Health: COVID-19 had been added as one of the notifiable infectious diseases under the Prevention and Control of Disease Ordinance (Cap 599), requiring all registered medical practitioners to notify the Centre for Health Protection of the Department of Health of all suspected or confirmed cases of the virus. The Centre for Health Protection is also tasked with conducting surveillance and control of COVID-19. This means that if individuals are suspected of having close contacts with persons infected with COVID-19, it would be in the public interest to closely track and monitor their whereabouts, including the venues and the persons that they have visited and contacted recently, with the aim of controlling the further spread of COVID-19 in the community. This means that tracking and potential monitoring of the potential virus carriers for this purpose would likely be permitted, including using social media means.

Exceptions to DPPs for safeguarding serious harm to health or public interest  

Section 59 of the PDPO provides for the situations where the use of personal data may be exempted from the application of DPP 3 (use of data) if it relates to safeguarding the physical or mental health concerns of the data subject or any other individual in the public interest. This means, any breach of the general rule on the use of data without consent may be excused or saved by the fact that the misuse arises from the need to protect public health.

In particular, section 59(2) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause “serious harm” to the physical or mental health of the data subject or any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject/individual.

Osborne Clarke comment

There may be legitimate circumstances where government and businesses may collect, use and disclose information obtainable via social media with a view to tracking potential COVID-19 carriers or patients, in the health interests of both the individuals concerned and the public. But such collection and use needs to be carefully considered and implemented in a manner that ensures it meets the standards and requirements of local privacy law.

Care needs to the taken if a business seeks to rely on the section 59 (Health) exemption for use of personal data, as the exemption only exempts the application of certain data privacy principles (DDPs) under the PDPO (including DDP3 and DDP6), and not other DDPs under the PDPO. Further, the terms “serious harm” or “public interest” are not explicitly defined in the PDPO and it is not compulsory for data user employers to apply the exception under the PDPO, meaning employers should consider whether an exception applies in the circumstances before disclosing the personal data of its personnel under the pre-text of COVID-19.

Irrespective of relying on any exemption under the PDPO, many businesses may seek to obtain the express consent of employees and contractors to submit health declaration forms in the context of the COVID-19 outbreak, which would permit the tracking, collection and use of personal data of such persons, including using social media for health and safety related purposes. Such health declaration forms should be carefully considered and prepared in order to ensure compliance with the PDPO and its own privacy policy, set out purposes and methods for collecting data as well as the control measures the business will take, and potential sharing of such personal data (such as governmental authorities, health care service providers and insurers).

Businesses would also need to carefully consider how long personal data is retained for, whether under a health declaration form or otherwise. The general rule is that they should take all practicable steps to ensure that personal data is not kept longer than is necessary for the purpose for which the personal data was primarily collected, after which the data should be erased at the earliest practicable opportunity. Businesses should develop a policy and process for such personal data retention and erasure to ensure such personal data is erased after the health threats posed by COVID-19 are reasonably considered to have passed.

While it may be likely that similar data privacy principles apply in different jurisdictions for businesses seeking to use social media to track, collect and use personal data their personnel in connection with COVID-19 matters, multinational organisations should consider the local data privacy laws of each jurisdiction they operate in to assess compliance with local law requirements.

Disclaimer: The information in this alert has been prepared for general information purposes, is not legal advice and is not to be acted or relied on as such.