The Maltese Office of the Information and Data Protection Commissioner (“IDPC”) has issued a statement addressing the processing of personal data in the context of COVID-19.
Following several guidelines issued by data protection authorities across Member States of the EU and a statement issued by the European Data Protection Board, the IDPC issued a statement of its own.
The IDPC acknowledged that several public and private organisations are taking the necessary measures to mitigate the COVID-19 effects and that processing of special categories of personal data, specifically health data, would be required. The IDPC made reference to article 9 of the GDPR and that in special circumstances the processing of special categories of personal data may be legitimate.
The IDPC stated further that any processing is to take place, regardless of the circumstances, in line with the obligations and requirements emanating from the GDPR and in strict compliance with the instructions of public health authorities and national laws. Finally, the IDPC stated that: “It is equally important that appropriate measures are applied to secure processing operations to achieve the right balance between the need for processing health data and the rights of data subjects”.
Update written by Dr Bernice Saliba.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.