10th March 2020

As governments, public authorities as well as businesses are doing their utmost to control the spread and mitigating the effects of COVID-19, personal data and special category data are being processed at length.

Although data protection legislation does not in any way obstruct or hinder public health management and healthcare services, special consideration should be taken into account when processing personal data especially data related to health which is known as special category or sensitive data.

The processing of personal data in relation to the COVID-19 outbreak should always be in accordance with the directions and guidelines issued by the public health authorities. Businesses should not wear a medical practitioner’s hat; this applies for both practical and data related measures.

When personal data is being processed due regard should be given to the following obligations emanating from data privacy legislation:


Article 9(2)(i) of the GDPR allows the processing of personal data, including special category data, once suitable safeguards are implemented when acting under the guidance or directions of public health authorities, or other relevant authorities. It is understood that safeguards should include very limited access to the data to those who only need to have such access and strict retention periods. Make sure that those handling such data have been trained and are aware of how to protect such data and the rights of the data subjects.

Article 9(2)(b) GDPR states that “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment…”  The Occupational health and Safety Authority Act (Cap 424) obliges employers to protect their employees and thus it is the employer’s duty to process data to fulfil this obligation. Notwithstanding this, employers are still obliged to treat such data confidentially. Disclosing the presence of a potential presence of COVID-19 at the workplace does not generally necessitate the identification of any employee. 

Data Minimisation

Only the minimum necessary personal data should be processed to attain the objective of fulfilling the necessary procedures to avert or restrict the spread of COVID-19.


Any processing of personal data obliges the controller to be transparent which includes the disclosure of the purpose for processing and for how long it will be retained. This should be made in a “concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.”

Security and Confidentiality

Data processing in relation to the COVID-19 disease outbreak must always be handled in a manner that guarantees the security of the data, especially when health data is being processed. The affected individuals’ identity should not be disclosedto their colleagues or other third parties without a clear justification.


It is important that processing is accompanied by documenting any decision-making process with regard to the processes, involving personal data, put in place to control COVID-19.

Further Information

Further information on COVID-19 in Malta may be found from the Ministry’s of Health website.