Data plays a significant role in preventing the spread of COVID-19. Still, data controllers and processors must ensure the protection of the personal data of the data subjects. A balance must be struck between protecting public health and privacy of data subjects. The protection of public health may legitimise certain restrictions of freedoms provided these restrictions are proportionate and limited to the purpose of processing. We set out below a high-level overview of data protection considerations in the context of the COVID-19 outbreak in North Macedonia.
Processing by public authorities
The Macedonian Data Protection Act 2020 (“DPA”) applies to the processing of personal data in the context such as the COVID-19 outbreak. Under the DPA, public authorities can process data without relying on the consent of individuals when processing is necessary for reasons of protection against significant cross-border health threats. Such data may include:
- Name and surname;
- Address of residence;
- Place of work;
- Travel data;
- Personal identification number; and
- Sensitive data such as health condition of individuals.
As an example, every individual who arrives in North Macedonia must sign a self-isolation statement on the form prescribed by the Ministry of Health and agree to self-isolate for fourteen (14) days. The individual must provide in the self-isolation statement the following data: name, surname, personal identification number address of residence and address of stay during the self-isolation.
Public authorities, however, must still comply with DPA’s core principles of processing of data such as (i) purpose limitation; (ii) transparency; (iii) retention limitation (iv) adequate security measures; (v) data minimisation; and (vi) documentation on the decision-making process relating to the processing of the data. They must provide data subjects transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and presented in clear and understandable language.
North Macedonia is the first country in the Western Balkans to launch a contact-tracing app to tackle the spread of COVID-19. The primary function of “StopKorona” is to discover events (contacts with COVID-19 positive persons) for public health authorities to identify the persons that have been in contact with a person infected by COVID-19 and ask him/her to self-quarantine, rapidly test them, as well as to provide advice on next steps, including what to do if developing symptoms.
The app uses Bluetooth to communicate with other app users and exchanges encrypted, anonymised data about the distance of all nearby devices, at a distance relevant to the spreading of the infection, for a period of the past 14 days. If a “StopKorona” user gets infected with COVID-19, he/she may, voluntarily, decide to provide the Ministry of Health his/her app events. The competent authorities will then detect telephone numbers and identify the persons that he/she has been in close contact with to establish who is COVID-19 positive. The app does not require location tracking of individual users and stores data locally on the app users’ devices for a limited period. Collecting an individual’s movements would violate the principle of data minimisation under the DPA and would amount to mass surveillance.
Processing by employers
In an employment context, employers can require employees to provide to complete a declaration/self-assessment as to whether they have travelled to any of the high-risk countries as designated by the World Health Organisation (WHO) or whether they have been in close contact with someone who has been positively tested for COVID-19. The processing of such data can be justified on:
- the employers’ legal obligation to ensure occupational health and safety of the workforce employees; or
- The legitimate interests of employers to ensure business continuity.
Employers also can require employees to disclose if he/she is COVID-19 positive. In such cases, employers should refrain from revealing the identity of that employee to other employees as that would involve disclosing sensitive personal data and would be unlawful under the DPA. However, depending on the circumstances, employers may be required to give notice to the health authorities about such an employee to prevent any further spread within the organisation.
The main focus of the Macedonian Government during the COVID-19 pandemic is on battling the crisis and maintaining the public calm. The rapid spread of the virus requires effective measures which can rapidly change. Measures implemented can have an effect on individuals’ privacy which demands appropriate precautions. Public authorities and employers may have to collect or share personal data as part of the measures against severe threats to public health. However, they must ensure that the processing of any personal data is at all times conducted in accordance with the principles of the DPA.
By Ema Tasevska, Junior Associate