Computer security and data protection

Anonim

What is computer security? And the protection of personal data? These terms are very current; not a day goes by without some news related to information security reaching our ears.

But what happens when this status quo changes?

An unexpected meteorological phenomenon, a widespread cut in any of the basic supplies or a dangerous contagious disease… these are ingredients enough to blow apart any Rule of Law, sweeping the rights and freedoms of citizens under the carpet… and that is when Fear comes in through the door and Reason goes out the window.

To avoid this situation, and to keep society from falling prey to madness, companies are beginning to prepare for a possible influenza A epidemic by developing prevention, control and business continuity plans. The government itself is encouraging companies to establish their own contingency plans, so that the country does not collapse due to the pandemic, as happened a few months ago in Mexico.

Prevention, information and coordination are the 3 pillars of the contingency plans that are being proposed, and they will mostly involve the processing of personal data on the health of employees and their families.

Among the companies that intend to implement a contingency plan against Influenza A, one of the following situations could occur:

a) In the best of cases, we will find companies that have the express consent of their employees for the processing of their data (including health data), but they will rarely have the consent of their family members or other people around them, since there is no direct contact with those affected.

To solve this problem, either the employee is asked to obtain the consent of the affected person in favor of the company, or the data is treated anonymously, without identifying the person infected by the virus and simply referring to their relationship of cohabitation or similar.

b) On the contrary, companies that have not adapted to data protection could even require their employees to stay away from work if any of the people in their closest circle is infected by the dreaded virus, after accreditation of the disease (to avoid the usual national picaresque). This implies processing the personal data of third parties, data that is in addition specially protected, without the express consent of those affected (a very serious infringement under 44.4.c) of the LOPD).

This information would be revealed to the closest colleagues of the affected person, who could be invited to telework from their homes (in many cases having to take confidential information out of the office without the corresponding security measures). In this case, we are facing a transfer of personal data related to health without the consent of the affected party and a violation of the RLOPD security measures: very serious and serious infringements, respectively.

In addition, some companies could send this information to their parent companies in third countries, which would not necessarily offer a level of security equivalent to Spain's (such as the USA), and without the proper authorization of the Director of the AEPD, incurring a very serious infringement of the LOPD.

And all this without having a single signed paper in which those affected expressly and unequivocally consent to the processing and/or transfer of their personal data related to health… and that is assuming that those affected would be willing to consent, since there is no way to oblige the employee, and even less their family and/or friends, to reveal this information (and above all to non-health personnel).

In any case, it is clear that a massive contagion within the company carries a cost that is hard to bear, but it is surely more painful (economically speaking) to face a possible strict application of the regulations by the Spanish Agency for Data Protection. However extraordinary the situation, administrative law works under the premise: "If you fail to comply, we will sanction you… and we accept no excuses other than those the law allows."

For this reason, although operationally it is much more complex, it will always be advisable to include in the Contingency Plan a protocol for requesting the express consent of employees, not to record personal data of third parties, and to provide alternative measures in case they refuse to provide this information, at least until the Government approves a rule with the rank of Law that allows the processing of this data without the need for the consent of those affected.

In any case, taking into account the use that employees are making of the LOPD, be careful and make sure that your employees do not fall in with bad influences.
