It’s a critical question for owners, operators and crews working worldwide. Must personal information about a crew member’s COVID status be disclosed to local authorities in third countries?
COVID status information is data concerning health. When handling such data, shipping companies must comply with the UK/EU GDPR. Two key points should be noted: (1) Shipping companies must determine and document a lawful basis to collect the data. (2) Shipping companies must apply appropriate safeguards when transferring data concerning health to public authorities in third countries. Taking a deeper dive:
(1) Lawful basis:
Data concerning health is a special category of personal data. To process such data, a shipping company must have a lawful basis under Art 6 GDPR and also meet one of the additional conditions for processing the data under Art 9 GDPR.
The GDPR is highly prescriptive in terms of what lawful reasons can be used when processing personal data. The most appropriate lawful basis for processing data concerning health would be a legal obligation if the public authority was in the EU/EEA/UK. However, when a public authority is in a third country, shipping companies will look to other legal grounds such as a legitimate interest in complying with the rules in a third country. This is because under the GDPR a legal obligation can only be based on the laws of the EU/Member States or the UK.
Consent is another lawful basis listed under Art. 6. However, it would not apply in the crew employment context as it may not be deemed freely given as required by the GDPR, unless crew members are given a genuine choice without any negative consequences for their employment.
As for the conditions for processing data concerning health under Art. 9, there may be several options.
First, shipping operators could rely on their legal obligations as employers regarding health and safety (Art. 9.2(b)) to collect COVID-related information from their crew members. However, this condition would not apply if the data is required to be collected under the laws of a third country.
Second, a requirement to provide crew’s COVID-related personal data could be justified if it is processed in the wider “public interest”, for example, for the control of disease or other health threats (Art. 9.2(g)). This allows the sharing of data with third country public authorities.
Shipowners and operators must still follow the principle of proportionality and data minimisation when sharing COVID-status information about crew with third country authorities. This means they should consider anonymising, pseudonymising or aggregating data, if permissible, before sharing it.
(2) Transferring data
Shipowners and operators must put in place appropriate safeguards for transfers of personal data to third countries, such as the Standard Contractual Clauses (SCCs). If the public authorities are not willing to sign the SCCs, it may be possible to apply derogations provided under the EU/UK GDPR, such as transfers necessary for important reasons of public interest under Art. 49.