15 May 2020
Introduction
On April 15, 2020, the Office for Personal Data Protection (“OPDP”) issued a note to the media, referring to Dispatch no. 02/GPDP/2020, which published Authorizations no. 01/2020, no. 02/2020 and no. 03/2020, aimed at exempting the concerned entities who process personal data from notifying the OPDP of such processing. Indeed, under Law no. 8/2005, dated August 22 (the Personal Data Protection Act or “PDPA”), the general rule is that any processing of personal data must be notified to the OPDP within 8 days of the start of the processing, without prejudice to the cases where prior authorization must be sought.
In light of the current Covid-19 crisis, the Macau Government implemented several measures to ensure that any case (or suspected case) of infection is quickly identified and monitored. This would necessarily entail the processing of personal data, which includes not only identification data (name, ID number, phone number, address, etc.) but also general health data, such as health status, temperature, symptoms, inter alia.
This data was indeed collected and processed by several entities since the early stages of the outbreak, with sound public health reasons, but lacking sufficient legal backing in light of the aforementioned obligation to notify the OPDP. To remedy this situation and to clarify the legal landscape on the exceptions to the notification rule, the OPDP provided the aforementioned Authorizations.
Authorization no. 01/2020 concerns the processing of personal data of people entering and leaving establishments for the purpose of implementing measures for the prevention and control of communicable diseases, and especially to comply with the decrees and instructions issued by the competent authorities (e.g. the Macau Health Services) under Law no. 2/2004, dated March 8 (Law on communicable disease prevention, control and treatment). This Authorization limits the data which may be processed under the exception (i.e. identification data such as name, sex, date of birth or age, means of contact, type and number of identity document; data related to the prevention and control of communicable diseases; entry and exit data; and other data provided by the data subject on his own initiative, such as ancillary data necessary for the implementation of measures for the prevention and control of communicable diseases, provided that they observe the principles, rights and guarantees of Law no. 2/2004).
Authorization no. 01/2020 further stipulates the length of the data retention period (as a rule, six months from the day following data collection, or thirty days from the date on which the relevant measures cease to be implemented), the recipients of the data, the applicable security measures and the exercise of rights of access and rectification of data (which should be free, unless otherwise stipulated). The Authorization specifically rules out the possibility of interconnection of data and exempts the relevant entities from notifying the OPDP if there is no transfer of data (specified in the Authorization) abroad – however, the processing of such data which involves transfer of data abroad may still take place by means of a simplified notification form, which is valid for three years, after which the relevant entity must renew the notification. Authorization no. 01/2020 also clarifies that it shall enter into force on the day following its publication (i.e. 16 April) but its effects are retroactive to 1 January 2020, which regularizes the lack of notification from all entities concerned.
Authorization no. 02/2020 concerns the processing of identifying biometric data for attendance purposes, and similarly to Authorization no. 01/2020, also restricts the data which may be processed (specifically, name, internal identification document number, photograph, date and time of entry and departure, duties, position, professional status and workplace, with reference to fingerprints or palm prints and, in the case of medical, social service or scientific research institutions, facial geometry and sound, among others) and determines that the consent of the data subject must be obtained upon collection of biometric data.
Authorization no. 02/2020 also generally rules out the possibility of interconnection of data (without prejudice to the processing of registered attendance data for administrative management purposes, provision of remuneration, benefits and perks, as well as security) and sets out the length of the data retention period (thirty days from the date of termination of the relationship between the data subject and the controller, for biometric data, and for up to five years from the date of termination of the relationship between the data subject and the controller for other data), as well as the authorized recipients of the data.
Finally, Authorization no. 03/2020 concerns the processing of identifying biometric data for security purposes, and essentially follows Authorization no. 02/2020 indicated above. However, the consent of data subjects is no longer a clear obligation when taking samples of biometric data referred to in the Authorization, but simply a recommendation for the data processor. Also, regarding biometric data of persons who are unable to pass an identification procedure, and who have the intention to enter internal areas with restricted access or use facilities and equipment for restricted use, the Authorization provides that the data must be deleted as soon as possible and within 24 hours, or up to one year if the data processor is a medical, social service or scientific research institution.
The Authorizations above are a welcome clarification on the need for notification of the OPDP in specific cases in which public health demands would recommend a simplified procedure and, in the case of Authorization no. 01/2020, a needed remedy for the lack of notification following the unauthorized processing of personal data for public health reasons. Also, the template used for the present Covid-19 crisis will be useful for any other public health crisis requiring more immediate and continuous data collection and analysis. However, it should be noted that the Authorizations will eventually have to be amended, especially the wording excluding the possibility of interconnection of data, which lacks clarity. Furthermore, Authorizations no. 02/2020 and 03/2020 do not provide for the possibility of transfer of data in the cases they cover, which would indicate that such a situation would not entail the need for any notification. In this case, we are of the view that the OPDP should make the simplified notification procedure included in Authorization no. 01/2020 available for the former cases as well.
For further information, please contact:
Pedro Cortés, Partner, Rato, Ling, Lei & Cortes – Advogados
cortes@lektou.com