Six months into this pandemic, most people accept that some degree of compromise on their privacy is necessary in the interests of the nation’s health. However, such interventions must be proportionate, with mitigation programmes being as minimally privacy-invasive as is possible, and any privacy concerns should be comprehensively addressed.
Whilst the approach is slightly different across the UK regions (the strategy in Wales and Northern Ireland is: “test, trace and protect” and in Scotland: “test, trace, isolate and support”), we all have an interest in the success of these programmes. Accordingly, it is necessary to maintain a high level of public trust in the systems which make up the programmes, including their privacy safeguards.
This article considers how universities can implement mitigation programmes within the requirements of data protection law; minimising risk whilst still providing an enjoyable student experience.
Application of data protection laws
Before introducing any new test and/or trace system, a data protection impact assessment (DPIA) must be undertaken. The DPIA must consider what personal data will be collected and how, and the lawful basis for doing so. The purposes of the processing must be made clear to guard against the risk of subsequent unlawful use. For example, it would be appropriate to record whether a test result is positive, but not to collect other underlying health information.
The DPIA will also need to address:
- how the personal data will be collected and processed
- how the data protection requirements for ‘accuracy’ will be upheld
- who it will be shared with
- how and where it will be stored (if processing takes place outside the UK or Europe, additional safeguards must be implemented)
- data retention arrangements, including how and when the personal data will be deleted.
Finally, there must be an assessment of the risks to individuals and the measures to address the risks. These include safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with data protection laws (such as user access restrictions, encryption, automatic data deletion following the retention period elapsing, limited circulation of the data and confidentiality measures being implemented and enforced).
At the time of writing, community testing is not mandatory nor, given the current testing capacity, is it likely to become so.
Even with a successful “moonshot”, any interference with individual freedoms is likely to weigh against the introduction of mandatory testing.
However, some institutions may wish to embark upon a testing programme as part of their mitigation measures and compliance with data protection laws is absolutely fundamental to such a programme.
The first step is to do a DPIA to determine the appropriate lawful basis and the proportionality of the processing operations to achieve the identified purposes (ie virus mitigation). A genuinely voluntary programme, where staff and students give informed and specific consent to the testing, with appropriate data minimisation and purpose limitation measures (eg test results shared only with the individual – the individual being responsible for notifying the NHS track and trace programme – and used by the university for analysis and targeting of other mitigation measures) would be legitimate and manageable within the GDPR consent regime. Provided, always, that the additional data protection principles are met.
Compliance with data protection laws is absolutely fundamental to a testing programme
Track and Trace
In September, the NHS Covid-19 app was launched to support the government’s track and trace programme. Designated sectors are legally required to display a QR code, which enables NHS Test and Trace to send notifications to app users and to collect details and maintain records of staff, customers and visitors on their premises to support NHS Test and Trace. The NHS app will give users the option to check into venues by scanning the QR code.
Universities are not expected to display QR codes for their normal daily operations. However, they must be displayed by certain businesses on campus (eg bars and catering outlets) and for certain publicly accessible settings, such as libraries. They should also be considered when hosting an event with external guests (such as a student art show), or if premises are let out to external providers. NHS QR check-ins would be for people visiting rather than students and staff in these contexts.
The government has introduced specific rules for university and college halls of residence and houses in multiple occupation (HMOs) for students aged 18 and over. Students living in halls of residence or HMOs who develop coronavirus symptoms are required to self-isolate and if one resident of an HMO has coronavirus symptoms, all residents must isolate for 14 days. Universities and colleges are obliged to facilitate this.
The guidance anticipates that the university will liaise with PHE’s local health protection team, which will carry out a risk assessment and identify who is required to take part in whole household isolation based on how closely they have been living together.
The university must ensure that staff and students are aware of the measures and guidance in place and take action to promote the importance of compliance. However, the steps it takes to enforce self-isolation must be carefully considered.
Students and staff could be tracked on university premises using swipe cards, however, a DPIA must be carried out, and privacy notices updated before using such data to track individuals to monitor compliance with isolation requirements. This is because the swipe cards were not issued for this purpose and use of the data for a new purpose needs to be communicated to the individuals. The university will need to demonstrate that such use of swipe card data is necessary and proportionate to the purpose of minimising the spread of the virus.
Universities must ensure that: they follow health and safety and public health legislation and government guidance to ensure appropriate Covid-secure measures are in place; staff and students are aware of the measures and guidance; and they take action to promote the importance of complying with these.
In most circumstances, face coverings are not mandatory on university campuses outside of specific areas, but we are now seeing a shift towards them being recommended in more places and scenarios. Face coverings should be encouraged as an additional risk mitigation measure where social distancing is difficult to maintain, such as in corridors and communal areas.
However, enforcing a blanket face mask policy will be difficult. Universities may use internal disciplinary procedures for students but this could lead to student dissatisfaction and complaints. Enforcement for staff may reference staff contracts and amendments to codes of conduct, but specific employment law considerations should be taken into account here.
Many students and staff face additional mental health challenges due to the disruption to study and working practices and uncertainty caused by the coronavirus (Covid-19) outbreak. Continuing support may be needed as campuses start to reopen, and the protective measures to keep people as safe as possible whilst away from home take on even greater importance.
In taking steps to ensure appropriate Covid-secure measures are in place, universities must balance their obligations to support the government programmes with their duty of care to staff and students, and always act in a way that complies with the requirements of data protection laws.
Penny Bygrave is a senior associate at leading education law firm VWV. Penny can be contacted on 07909 681 572 or at firstname.lastname@example.org. To be kept up to date on legal, regulatory and governance issues, please register for VWV’s dedicated HE portal OnStream.