Background

The Peruvian National Authority for the Protection of Persona Data[1] is exercised by The General Directorate for Transparency, Access to Public Information and Protection of Personal Data.[2]

The National Authority for the Protection of Persona Data, which depends hierarchically on the Vice-Ministerial Office of Justice of the Ministry of Justice and Human Rights, has as main function to guarantee the fundamental right to personal data protection.

The Ministry of Health (hereinafter MINSA) through Ministerial Resolution No. 239-2020-MINSA, dated April 28, 2020, approved the technical document “Guidelines for the surveillance of the health of workers at risk of exposure to COVID-19 ” which aims to contribute to the prevention of contagion of this disease in the public and private workplace and includes instruments to collect sensitive data from workers in order to control the risk of contagion of coronavirus in the workplace.

By Supreme Decree No. 080-2020-PCM, dated May 3, 2020, the resumption of economic activities was approved gradually and progressively within the framework of the declaration of National Sanitary Emergency as consequence of COVID-19.

The General Directorate for Transparency, Access to Public Information and Protection of Personal Data (DGTAIPD) issued Advisory Opinion No. 32-2020-JUS/DGTAIPD on May 5, 2020 based on a series of consultations on the processing of workers’ personal data in the context of the COVID-19 pandemic.

Processing of health data during the pandemic in the workplace

Personal data is all information that allows identifying a natural person or makes it identifiable. Likewise, these data, being closely linked to the privacy of the person, may be sensitive data such as: Biometric data, racial and ethnic origin, economic income, opinions or political convictions, religion, union affiliation, all information related to health or sexual orientation.

For the processing of this data, understood as “Any operation or technical procedure, automated or not, that allows the collection, registration, organization, storage, conservation, elaboration, modification, extraction, consultation, use, blocking, deletion, communication by transfer or by dissemination or any other form of processing that facilitates access, correlation or interconnection of personal data[3]” must mediate the consent of its owner. In accordance with the Regulation of the Personal Data Law “the processing of personal data is lawful when the owner of the personal data has given his free, prior, express, informed and unequivocal consent. Formulas of consent in which it is not expressed directly, such as those in which it is necessary to show, or assume the existence of a will that has not been expressed, are not admitted. Even the consent given with other declarations must be expressed expressly and clearly.[4] “However, since the exercise of the fundamental right to protection of personal data is not absolute, the Law on Protection of Personal Data states a series of exceptions[5]:

“(…)

  1. When personal data is necessary for the preparation, celebration and execution of a contractual relationship in which the owner of personal data is a party, or when it is personal data that derives from a scientific or professional relationship of the owner and is necessary for its development or compliance.
  2. When it is personal data related to health and it is necessary, in risky circumstances, for the prevention, diagnosis and medical or surgical processing of the holder, provided that said processing is carried out in health establishments or by professionals in health sciences , observing professional secrecy; or when there are reasons of public interest provided by law or when they must be treated for reasons of public health, both reasons must be classified as such by the Ministry of Health; or to carry out epidemiological or similar studies, as long as appropriate dissociation procedures are applied.
  3. When the processing of personal data is necessary to safeguard the legitimate interests of the holder of personal data by the holder of personal data or by the person in charge of processing personal data.”

Regarding the first exception, the processing of information on health data is sustained in compliance with a legal obligation. The Law on Safety and Health at Work[6], provides the following:

Article 49. Obligations of the employer

The employer, among others, has the following obligations:

  1. a) Guarantee the safety and health of workers in the performance of all aspects related to their work, in the workplace or on the occasion of the same.
  2. b) Develop permanent actions to improve existing levels of protection.
  3. c) Identify any changes that may occur in working conditions and provide for the adoption of measures to prevent occupational risks (…)”.

Regarding the second exception, public health, The Ministerial Resolution No. 239-2020-MINSA issued “The Guidelines for the Health Surveillance of Workers at Risk of Exposure to COVID-19” in which the employer is compelled through the health professional of the occupational health and safety service, to manage temperature control of all workers at admission, in addition to applying serological or molecular tests for COVID-19 to all workers who return or return to work with “very high risk”, “high risk” and “medium risk” of exposure to said disease.

Finally, the third exception refers to the protection of health interests of the holder of the personal data through the person in charge of its processing.

Therefore, although it is true that consent is not required regarding the processing of this data, the employer must respect the principles of purpose[7], proportionality[8], quality [9],and security[10] as stated in the Personal Data Protection Law.

The Takeaways

One of the guiding principles on the processing of personal data is consent. However, there are a number of exceptions necessary to protect other rights and interests of equal or greater relevance.

In this way, the situation of the Covid-19 pandemic is situated as an exception to the processing of sensitive data, as well as the regulatory obligation of occupational health and safety and the protection of the legitimate interest (health protection) of the holder of the personal data.

Finally, it is important to consider that the processing of sensitive data without consent due to the Covid-19 pandemic must follow other precepts established in the regulation, in particular the principles of purpose, proportionality, quality, and security.


[1] Personal Data Protection Law – Law No. 29733
[2] Legislative Decree that creates the National Authority for Transparency, Access to Public Information and strengthens the Regime of Personal Data Protection and the regulation of management of interests – Legislative Decree No. 1353
[3] Article 19 Personal Data Protection Law – Law No. 29733
[4] Article 7 Regulation of the Law No. 29733, Personal Data Protection Law – Supreme Decree No. 003-2013-JUS
[5] Article 14. Personal Data Protection Law – Law No. 29733
[6] The Health and Safety at Work Law – Law No. 29783,
[7] Personal Data Protection Law – Law No. 29733.
Article 6. Purpose principle
Personal data must be collected for a specific, explicit and lawful purpose. The processing of personal data should not extend to any purpose other than that established unequivocally as such at the time of collection, excluding cases of activities of historical, statistical or scientific value when using a decoupling or anonymization procedure.
[8] Personal Data Protection Law – Law No. 29733.
Article 7. Proportionality principle
All processing of personal data must be adequate, relevant and not excessive to the purpose for which they were collected.
[9] Personal Data Protection Law – Law No. 29733.
Article 8. Quality principle
The personal data that is going to be processed must be truthful, exact and, as far as possible, updated, necessary, pertinent and adequate regarding the purpose for which it was collected. They must be kept in such a way that their safety is guaranteed and only for the time necessary to fulfill the purpose of the processing.
[10] Personal Data Protection Law – Law No. 29733.
Article 9. Security principle
The holder of the personal data bank and the person in charge of its processing must adopt the technical, organizational and legal measures necessary to guarantee the security of personal data. Security measures must be appropriate and in accordance with the processing to be carried out and with the category of personal data in question.

Alejandro Castro Angulo
Lawyer – Managing Director