FAQs

Data Protection

Do companies need to consider privacy and security laws when collecting data from employees as part of an effort to monitor and prevent the spread of COVID-19?

Kenya - Anjarwalla & Khanna

Many of the steps to monitor and prevent the spread of the 2019 novel coronavirus disease (COVID-19) pandemic will involve the processing of “personal data” (such as a data subject’s name) and “sensitive data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. Companies should wait for directions/supervision of a health care provider in order to process the health status of a data subject pursuant to the Data Protection Act, 2019 (the DPA);
  3. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality;
  5. Companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

The Information Commissioner (the ICO) in the United Kingdom confirmed that organisations should keep staff informed about cases of COVID-19 in their workplace and reminded organisations to avoid naming individuals. In our view the Courts in Kenya and the Data Commissioner (once appointed pursuant to the DPA) would likely take a similar approach in that the identity of affected employees should not be disclosed.

Malawi - Savjani & Co.

Many of the steps to monitor and prevent the spread of COVID-19 will involve the processing of “personal data” (such as a data subject’s name) therefore companies will need to consider privacy and data protection laws and their implications.

Under the Electronic Transactions and Cyber Security Act 2016 (“ETCSA”), “personal data” means any information relating to an individual who:

  1. may be directly identified; or
  2. if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity;

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. Ideally, companies should obtain unambiguous consent from the data subject to collect and process data relating to the health status of a data subject pursuant to the ETCSA;
  3. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality;
  5. Companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

The Information Commissioner (the ICO) in the United Kingdom confirmed that organisations should keep staff informed about cases of COVID-19 in their workplace and reminded organisations to avoid naming individuals. The Malawi Communications Regulatory Authority (“MACRA”) has not, to our knowledge, taken any position on this. However, in our view, this is a prudent position and MACRA would likely take a similar approach in that the identity of affected employees should not be disclosed, except where the employer is liaising with the health authorities and any disclosure is made in confidence and the employee concerned is made aware of the disclosure.

Mauritius - BLC Robert & Associates

The President may, by Proclamation, declare that a state of public emergency exists. The Proclamation:

  1. will, when the National Assembly is sitting or where arrangements have been made for it to meet within 7 days of the Proclamation, lapse, unless within 7 days the Assembly, by resolution (i.e. majority of all its members), approves the Proclamation;
  2. will, when the National Assembly is not sitting and no arrangements have been made for it to meet within 7 days, lapse, unless within 21 days the National Assembly meets and approves the Proclamation by resolution (majority of all its members); and
  3. may be revoked at any time by the President or by resolution of the National Assembly.

Where the National Assembly approves the Proclamation by resolution, the resolution remains in force for a period of up to 12 months, as the Assembly may specify in the resolution, and may be extended for a further period of up to 12 months by resolution of the Assembly.

Morocco - BFR & Associés

Many of the steps to monitor and prevent the spread of COVID-19 will involve the processing of “personal data” (such as a data subject’s name) and “sensitive data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. Companies should wait for directions/supervision of a health care provider in order to process the health status of a data subject pursuant to Law n°09-08 relating to Data Protection (the DPA);
  3. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality;
  5. Companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

Nigeria - G.Elias & Co.

Yes. Many of the steps to monitor and prevent the spread of COVID-19 will involve the processing of “personal data” (such as a data subject’s name) and “sensitive data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

In the light of COVID-19, the following should be taken into consideration:

  1. companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe workplace;
  2. companies should only process data relating to the health status of a data subject within the ambits of lawfulness established under the Nigeria Data Protection Regulation, 2019 (the NDPR) which includes processing for the protection of the vital interests of the data subject or any other natural person and the protection of public interest or in the exercise of an official public mandate vested in the company;
  3. companies should request employees and/or visitors to inform them if they have visited an affected area, if they are experiencing symptoms, or have tested positive in order to allow the employer to take any necessary steps in the workplace that are required;
  4. companies should not name or disclose the identity of an affected individual in order to maintain confidentiality; and
  5. companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

The National Information Technology Development Agency, the data protection authority in Nigeria, has not issued a statement specifically targeted at the workplace. However, it has reiterated that it is working to ensure that the various data collection and processing activities by public health officials and relevant stakeholders to curb the spread of cases of COVID-19 comply with the provisions of the NDPR. 

In a notice to all Data Protection Compliance Organisations (DPCO) in Nigeria, NITDA has advised DPCOs to suspend visits to client sites and NITDA offices as part of the precautionary measures in tackling COVID-19.

Consequently, NITDA has extended the deadline for the submission of Data Protection Audit Report by data controllers to 15 May 2020.

Rwanda - K. Solutions & Partners

Many of the steps to monitor and prevent the spread of the 2019 novel coronavirus disease (COVID-19) pandemic will involve the processing of “personal data” (such as a data subject’s name) and “sensitive data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under labour laws (duty of care) and maintain a safe work place;
  2. Companies should wait for directions/supervision of a health care provider in order to process the health status of an employee;
  3. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should request the consent of employees and/or visitors to process their personal data for the purpose of monitoring and preventing the spread of COVID-19;
  5. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality;
  6. Companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

Tanzania - A&K Tanzania

Many of the steps to monitor and prevent the spread of COVID-19 will involve the processing of personal data (such as a data subject’s name and health status) and therefore companies will need to consider issues of privacy and data protection.

While Tanzania does not have a comprehensive data privacy law or provisions on the protection of health-related data in its employment laws, the Constitution of Tanzania provides the basic and fundamental right of every person to privacy. 

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  3. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality, unless the disclosure is required by law; and
  4. Companies should ensure that any personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

The Information Commissioner in the United Kingdom confirmed that organisations should keep staff informed about cases of COVID-19 in their workplace and reminded organisations to avoid naming individuals. In our view, the courts in Tanzania would likely take a similar approach in that the identity of affected employees should not be disclosed unless it is required by law.

We would like to note that even though the right to privacy is protected under the Constitution, there are limitations to this right. Article 30(1) of the Constitution provides that such rights shall not be exercised by a person in a manner that causes interference with or curtailment of the rights and freedoms of other persons or of the public interest.

Uganda - MMAKS Advocates

Many of the steps to monitor and prevent the spread of the 2019 novel coronavirus disease (COVID-19) pandemic will involve the processing of “personal data” (such as a data subject’s name) and “special personal data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. Companies should wait for directions/supervision of a health care provider in order to process the health status of a data subject pursuant to the Data Protection and Privacy Act, 2019 (the DPPA);
  3. Companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality;
  5. Companies should ensure that any special personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

The Information Commissioner (the ICO) in the United Kingdom confirmed that organisations should keep staff informed about cases of COVID-19 in their workplace and reminded organisations to avoid naming individuals. In our view, the Courts in Uganda and the National Personal Data Protection Director (once appointed pursuant to the DPPA) would likely take a similar approach in that the identity of affected employees should not be disclosed.

Zambia - Musa Dudhia & Co.

Many of the steps to monitor and prevent the spread of the 2019 novel coronavirus disease (COVID-19) pandemic will involve the processing of “personal information” which includes personal identification details and the health status of a data subject. Therefore, companies will need to consider privacy and data protection laws and their implications.

In light of COVID-19, the following should be taken into consideration:

  1. Companies have a legal obligation (duty of care) to protect their employees and maintain a safe work place under occupational health and safety laws;
  2. Companies should obtain the express written permission of their employees for the collection, collation, processing or disclosure of their employees’ personal information, if obtained through electronic transactions, pursuant to the Electronic Communications and Transactions Act, No 21 of 2009;
  3. In an effort to prevent the spread of COVID-19, companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. Companies should not name or disclose the identity of an affected individual in order to maintain confidentiality; and
  5. Companies should ensure that any personal information that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible. For personal information obtained through electronic transactions, this can be retained as long as the personal information is in use and for a period of at least one year thereafter.

The Information Commissioner (the ICO) in the United Kingdom confirmed that organisations should keep staff informed about cases of COVID-19 in their workplace and reminded organisations to avoid naming individuals. In our view, the Courts in Zambia would likely take a similar approach in that the identity of affected employees should not be disclosed. This is fortified by the fact that the Ministry of Health has refrained from disclosing the identities of affected individuals in the country.

UAE - Anjarwalla Collins & Haidermota

Many of the steps to monitor and prevent the spread of COVID-19 will involve the processing of “personal data” (such as a data subject’s name) and “sensitive data” (which would include the health status of a data subject) and therefore companies will need to consider privacy and data protection laws and their implications.

It is vital to note that although the UAE does not currently have a federal data protection law in place, there are certain provisions in a number of laws that offer privacy protection including the prohibition of disclosing data in an unauthorised manner.

The financial free zones in the UAE including the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Markets (“ADGM”) have well-established legislation relating to data protection. Therefore, employers in the DIFC and ADGM have a higher degree of responsibility towards processing sensitive personal data (such as medical information) relating to their employees.

DIFC Law No. 1 of 2007 provides that the data subjects must give their consent to the processing of their data. The data controller must establish the purpose of utilising such data to be in the vital interests of the data subject and/or other persons (such as fellow employees in the organisation). An employee who suffers damage as a result of misuse of his sensitive data by the employer is permitted to apply to the Courts for compensation from the data controller (in this case, the employer) for that damage.

In light of COVID-19, the following should be taken into consideration:

  1. companies have a legal obligation to protect their employees under occupational health and safety laws (duty of care) and maintain a safe work place;
  2. companies should wait for directions/supervision of a health care provider in order to process the health status of a data subject;
  3. companies should request employees and/or visitors to inform them if they have visited an affected area or if they are experiencing symptoms in order to allow the employer to take any necessary steps in the workplace that are required;
  4. companies should not name or disclose the identity of an affected individual in order to maintain confidentiality; and
  5. companies should ensure that any sensitive personal data that is processed is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed and that the data is retained for the shortest time possible.

Are there any local employment or privacy laws relating to employer disclosure (internal or external), on handling or storage of the affected employee’s medical data?

Kenya - Anjarwalla & Khanna

Yes, the Constitution of Kenya, 2010 and the Data Protection Act, 2019 contain provisions relating to employer disclosure (internal or external) on handling or storage of the affected employee’s medical data.

Malawi - Savjani & Co.

Yes, the Constitution of Malawi provides that every person has the right to personal privacy. The Electronic Transactions and Cyber Security Act 2016 regulates the collection, recording, organization, storage, adaptation and transmission of personal data, and may be relied upon to regulate employer disclosure (internal or external), handling or storage of the affected employee’s medical data.

Mauritius - BLC Robert & Associates

Yes, the Data Protection Act 2017 contains provisions relating to employer disclosure (internal or external) on handling or storage of the affected employee’s medical information.

Morocco - BFR & Associés

Yes, Article 12 of the DPA (whose implementation is guaranteed by the National Commission for the Protection of Personal Data) contains provisions relating to employer disclosure on handling or storage of the affected employee’s medical data.

Nigeria - G.Elias & Co.

Yes, the Constitution of the Federal Republic, 1999 (as amended) and the Nigeria Data Protection Regulations, 2019 contain provisions relating to employer disclosure (internal or external) in their capacity as data controllers on handling or storage of the affected employee’s medical data.

Rwanda - K. Solutions & Partners

Yes. The ICT Security Policy issued by the Ministry of Health with regard to the health sector as well as the Ministerial Instructions N°001/MINICT/2012 of 12/03/2012 which relates to the procurement of ICT goods and services by Rwandan public institutions, contain provisions relating to employer disclosure (internal or external) on handling or storage of the affected employee’s medical data.

Tanzania - A&K Tanzania

Although there are no specific provisions under the Tanzanian employment laws relating to handling and storage of employees’ medical data and there is currently no comprehensive data privacy law in Tanzania, the fundamental right of every person to privacy is enshrined in the Constitution. Accordingly, handling or storage of an affected employee’s medical data should be carried out with due care and employer disclosure (internal or external) of personal data should only be made if required by law.

Please refer to the Employment FAQs for more information on considerations an employer should take into account if an employee is infected.

Uganda - MMAKS Advocates

Yes, the Constitution of Uganda, 1995 and the Data Protection and Privacy Act, 2019 contain provisions relating to employer disclosure (internal or external) on handling or storage of the affected employee’s medical data.

Zambia - Musa Dudhia & Co.

Yes, the Electronic Communications and Transactions Act, No 21 of 2009 contains provisions relating to an employer’s (data controller’s) disclosure to third parties, handling or storage of an affected employee’s (data subject’s) medical data (personal information) which is obtained through electronic means.

UAE - Anjarwalla Collins & Haidermota

As mentioned in our response to Question 1 above, there are no Federal data protection laws currently enforceable in the UAE. There is, however, a general obligation to keep an individual’s data confidential as a breach of privacy of another person is punishable under UAE’s Penal Code. In addition, the Dubai Healthcare Authority has issued guidelines on the storage and transfer of an individual’s medical records. Although the regulations are aimed at healthcare professional bodies, they may extend to employers in light of COVID-19.

Contacts

Arshad Dudhia

Managing Partner, Musa Dudhia & Co.

Eric Cyaga

Partner, K. Solutions & Partners

Ernest Sembatya

Partner, MMAKS Advocates

Foued Bourabiat

Managing Partner, Bourabiat Associés

Francisco Avillez

Managing Partner, ABCC

Fred Onuobia

Managing Partner, G.Elias & Co.

Geofrey Dimoso

Partner, A&K Tanzania

Gil Cambule

Partner, ABCC

Iqbal Rajahbalee

Partner, BLC Robert & Associates

Julien Kavuruganda

Partner, K. Solutions & Partners

Krishna Savjani

Managing Partner, Savjani & Co.

Mesfin Tafesse

Principal Attorney, Mesfin Tafesse & Associates

Romain Frédéric Rabillard

Partner, BFR & Associés

Sahondra Rabenarivo

Managing Partner, Madagascar Law Office

Salimatou Diallo

Partner, SD Avocats

Shemane Amin

Partner, A&K Tanzania

Sonal Sejpal

Partner, Anjarwalla & Khanna

Wangui Kaniaru

Partner, Anjarwalla & Khanna