We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
07 May 2020
In light of the COVID-19 crisis, the government has implemented several measures to ensure that any case (or suspected case) of infection is quickly identified and monitored. This requires the processing of personal data, including both identifying data (eg, name, ID number, phone number and address) and general health data (eg, health status, temperature and symptoms). Although several entities have collected and processed this data based on genuine public health reasons since the early stages of the outbreak, such activity lacked sufficient legal grounds in light of the obligation to notify the Office for Personal Data Protection (OPDP).
Under the Personal Data Protection Act (Law 8/2005), the general rule is that the OPDP must be notified of any personal data processing within eight days of its commencement, without prejudice to cases where prior authorisation must be sought.
In order to remedy this situation, the OPDP issued Dispatch 02/GPDP/2020, in which it published Authorisations 01/2020, 02/2020 and 03/2020. These authorisations exempt entities which process personal data from the requirement to notify the OPDP of such processing. Subsequently, on 15 April 2020 the OPDP issued a note to the media clarifying the exceptions to the notification rule.
Authorisation 01/2020 concerns the processing of personal data of people entering and leaving establishments for the purpose of implementing measures to prevent and control communicable diseases and comply with the decrees and instructions issued by the competent authorities (eg, the Macau health services) under the Law on Communicable Disease Prevention, Control and Treatment (Law 2/2004). This authorisation limits the data which may be processed under the exception to:
Authorisation 01/2020 further stipulates:
The authorisation specifically rules out the possibility of data interconnection and exempts the relevant entities from notifying the OPDP if there is no transfer of data (specified in the authorisation) abroad. However, data processing which involves transferring data abroad may still take place by means of a simplified notification form. Such form is valid for three years, after which the relevant entity must renew it.
Authorisation 01/2020 also clarifies that it will enter into force the day after its publication (ie, 16 April 2020) but has retroactive effect to 1 January 2020, which regularises the lack of notification from all entities concerned.
Authorisation 02/2020 concerns the processing of identifying biometric data for attendance purposes. Similarly to Authorisation 01/2020, it also restricts the data which may be processed (eg, name, internal ID document number, photographs, date and time of entry and departure, duties, position, professional status and workplace, with reference to fingerprints or palm prints and, in the case of medical, social service or scientific research institutions, facial geometry and sounds) and determines that the data subject's consent must be obtained on collection of their biometric data.
Authorisation 02/2020 also generally rules out the possibility of data interconnection (without prejudice to the processing of registered attendance data for administrative management purposes, the provision of remuneration or benefits or security purposes). In addition, it sets out:
Authorisation 03/2020 concerns the processing of identifying biometric data for security purposes and essentially follows Authorisation 02/2020. However, obtaining the data subject's consent is no longer an express obligation when taking samples of the biometric data referred to in the authorisation, but rather a recommendation. Further, as regards the biometric data of persons who cannot pass an identification procedure and intend to enter internal areas with restricted access or use facilities and equipment for a restricted use, the authorisation provides that the data must be deleted as soon as possible (ie, within 24 hours or up to one year if the data processor is a medical, social service or scientific research institution).
The authorisations provide welcome clarity on the obligation to notify the OPDP in specific cases in which public health demands would recommend a simplified procedure. Further, Authorisation 01/2020 provides a remedy to the lack of notification following the unauthorised processing of personal data for public health reasons.
The template used in the present COVID-19 crisis will be useful in future public health crises which require immediate and continuous data collection and analysis. However, the authorisations will eventually have to be amended, especially the wording excluding the possibility of data interconnection, which lacks clarity. Further, the cases of data processing provided for in Authorisations 02/2020 and 03/2020 do not foresee the possibility of transferring data, which indicates that such a situation does not require notification. Arguably, the OPDP should extend the simplified notification procedure set out in Authorisation 01/2020 to such cases.
For further information on this topic please contact Pedro Cortés or José Filipe Salreta at Rato, Ling, Lei & Cortés Advogados by telephone (+853 2856 2322) or email (email@example.com or firstname.lastname@example.org). The Rato, Ling, Lei & Cortés Advogados website can be accessed at www.lektou.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.