Introduction

In light of the COVID-19 crisis, the government has implemented several measures to ensure that any case (or suspected case) of infection is quickly identified and monitored. This requires the processing of personal data, including both identifying data (eg, name, ID number, phone number and address) and general health data (eg, health status, temperature and symptoms). Although several entities have collected and processed this data since the early stages of the outbreak based on genuine public health reasons, such activity lacked sufficient legal grounds in light of the obligation to notify the Office for Personal Data Protection (OPDP).

Under the Personal Data Protection Act (Law 8/2005), the general rule is that the OPDP must be notified of any personal data processing within eight days of its commencement, without prejudice to cases where prior authorisation must be sought.

In order to remedy this situation, the OPDP issued Dispatch 02/GPDP/2020, in which it published Authorisations 01/2020, 02/2020 and 03/2020. These authorisations exempt entities which process personal data from the requirement to notify the OPDP of such processing. Subsequently, on 15 April 2020 the OPDP issued a note to the media clarifying the exceptions to the notification rule.

Authorisation 01/2020

Authorisation 01/2020 concerns the processing of personal data of people entering and leaving establishments for the purpose of implementing measures to prevent and control communicable diseases and comply with the decrees and instructions issued by the competent authorities (eg, the Macau health services) under the Law on Communicable Disease Prevention, Control and Treatment (Law 2/2004). This authorisation limits the data which may be processed under the exception to:

  • identifying data, such as a person's name, sex, date of birth or age and contact details and the type and number of their ID document;
  • data relating to the prevention and control of communicable diseases;
  • entry and exit data; and
  • other data provided by the data subject on their own initiative, such as ancillary data necessary to implement measures to prevent and control communicable diseases, provided that the processor observes the principles, rights and guarantees of Law 2/2004.

Authorisation 01/2020 further stipulates:

  • the length of the data retention period (as a rule, six months from the day following the data collection or 30 days from the date on which the relevant measures cease to apply);
  • the recipients of the data;
  • the applicable security measures; and
  • parties' rights to access and rectify data (which should be free, unless otherwise stipulated).

The authorisation specifically rules out the possibility of data interconnection and exempts the relevant entities from notifying the OPDP if there is no transfer of data (specified in the authorisation) abroad. However, data processing which involves transferring data abroad may still take place by means of a simplified notification form. Such form is valid for three years, after which the relevant entity must renew it.

Authorisation 01/2020 also clarifies that it will enter into force the day after its publication (ie, 16 April 2020) but has retroactive effect to 1 January 2020, which regularises the lack of notification from all entities concerned.

Authorisation 02/2020

Authorisation 02/2020 concerns the processing of identifying biometric data for attendance purposes. Similarly to Authorisation 01/2020, it also restricts the data which may be processed (eg, name, internal ID document number, photographs, date and time of entry and departure, duties, position, professional status and workplace, with reference to fingerprints or palm prints and, in the case of medical, social service or scientific research institutions, facial geometry and sounds) and determines that the data subject's consent must be obtained on collection of their biometric data.

Authorisation 02/2020 also generally rules out the possibility of data interconnection (without prejudice to the processing of registered attendance data for administrative management purposes, the provision of remuneration or benefits or security purposes). In addition, it sets out:

  • the length of the data retention period (30 days from the date of termination of the relationship between the data subject and the controller for biometric data and up to five years from the date of termination of the relationship between the data subject and the controller for other data); and
  • the authorised recipients of the data.

Authorisation 03/2020

Authorisation 03/2020 concerns the processing of identifying biometric data for security purposes and essentially follows Authorisation 02/2020. However, obtaining the data subject's consent is no longer an express obligation when taking samples of the biometric data referred to in the authorisation, but rather a recommendation. Further, as regards the biometric data of persons who cannot pass an identification procedure and intend to enter internal areas with restricted access or use facilities and equipment for a restricted use, the authorisation provides that the data must be deleted as soon as possible (ie, within 24 hours or up to one year if the data processor is a medical, social service or scientific research institution).

Comment

The authorisations provide welcome clarity on the obligation to notify the OPDP in specific cases in which public health demands would recommend a simplified procedure. Further, Authorisation 01/2020 provides a remedy to the lack of notification following the unauthorised processing of personal data for public health reasons.

The template used in the present COVID-19 crisis will be useful in future public health crises which require immediate and continuous data collection and analysis. However, the authorisations will eventually have to be amended, especially the wording excluding the possibility of data interconnection, which lacks clarity. Further, the cases of data processing provided for in Authorisations 02/2020 and 03/2020 do not foresee the possibility of transferring data, which indicates that such a situation does not require notification. Arguably, the OPDP should extend the simplified notification procedure set out in Authorisation 01/2020 to such cases.

For further information on this topic please contact Pedro Cortés or José Filipe Salreta at Rato, Ling, Lei & Cortés Advogados by telephone (+853 2856 2322) or by email. The Rato, Ling, Lei & Cortés Advogados website can be accessed at www.lektou.com.