Data protection during the time of coronavirus disease
27 March 2020
Over the past few days, the coronavirus outbreak has been labelled a pandemic by the World Health Organisation. In this respect, the COVID-19 outbreak has been a major topic of interest worldwide and is a constant source of concern for all businesses. Many companies have implemented preventive solutions aimed at limiting the degree of contamination of staff and workplaces and at ensuring business continuity. In some situations, these measures may involve the collection, analysis and disclosure of information and personal data about employees and persons they come in contact with, in order to comply with occupational health and safety regulations.
However, when it comes to the protection of personal data of individuals, such measures raise a number of challenges that will be addressed in the following lines.
Prevention through collection? Please proceed with caution
As part of their efforts to monitor and prevent the spread of COVID-19, businesses may be tempted to collect personal data about their employees to a larger and more invasive degree. It is, however, important not to forget that the requirements imposed by the data protection legislation are still applicable during this crisis situation to any processing activity, even to those aimed at limiting the effects of the pandemic.
The new information requested by employers from their employees is likely to include data about the places where the employees have travelled to in the past months, any possible symptoms the employees may have, any potential past contact with a person at risk of COVID-19 infection or if they have tested positive or negative. Generally, these should fall under the notion of “personal data concerning health” as such information refers to the physical health of a natural person. In other words, these types of information are also likely to be qualified as a special category of data under Article 9 of the GDPR.
Therefore, the first step of compliance is for the companies to ensure they observe all the GDPR principles relating to the processing of personal data, as laid down within art. 5 of the regulation. To put it bluntly: the Holy Bible of the GDPR is not to be messed with!
What’s the business with these principles?
Despite the global crisis situation, you should not fail to give proper attention to data protection principles. In other words, you should always ensure that the envisaged processing is lawful, fair and legitimate.
What is to be done? You should identify a legal basis for the processing.
Where can we find this information? The legal basis has to be one of the ones listed under art. 6 of the GDPR or, in case the data processing envisages special categories of personal data like health-related data, the data controller also has to identify one of the additional guarantees under art. 9 of the GDPR.
With respect to the lawfulness and fairness of the data processing, the Chair of the European Data Protection Board provided on March 16th, 2020 a statement on the processing of personal information in the context of the COVID-19 outbreak. In short, the European Data Protection Board has stated that organizations will be able to process personal data of their employees in the context of the COVID-19 outbreak, under the condition that they can rely on a legal ground for processing, such as the necessity to protect the vital interests of the employees or of another natural person, or reasons of public interest in the area of public health. This means that consent of the data subject should not be necessary in this situation.
Another big step in compliance is to process only the information that is strictly necessary for the purpose. If it does not (or does, but only remotely) help you in your efforts to fight the spread, most probably the authority will not be fond of this bad behaviour.
Let us provide a little bit of international context
In this context, some European Union data protection authorities (including the Romanian data protection authority) issued specific guidelines on the application of the GDPR related to the organizations’ efforts to mitigate the risks of spreading COVID-19.
For example, data protection authorities in France, Ireland, Belgium and Luxembourg consider that it is not allowed to request information from employees by filling in questionnaires on travel history to the affected areas, nor to request medical information (e.g., fever).
The Data Protection Commission (the authority of Ireland) stated that employers also have a legal obligation to protect their employees’ health and maintain a safe place of work. This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. However, any data that is processed must be treated in a confidential manner (i.e., don’t let the name of the possibly infected co-worker be today’s hot news).
Considering the above and the current circumstances, the Data Protection Commission considers that employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms. If businesses want to implement more stringent requirements, such as a detailed questionnaire, they would have to have a strong justification based on necessity and proportionality and on an assessment of risk. Also, the French and Belgian DPAs expressly prohibit employers from applying drastic measures such as mandatory temperature measuring.
On the other hand, the Information Commissioner’s Office (the UK authority) considers that it’s reasonable for employers to ask people to give information on whether or not they have visited a particular country, or are experiencing COVID-19 symptoms. Also, the Hungarian and Irish authorities do not oppose the application of questionnaires to employees and visitors. However, as anticipated, these should be necessary and proportional (in the case of Hungary, such questionnaires cannot collect data on medical history).
If it’s our business, what can we do?
Even in the context of the recently declared state of emergency in Romania, you should not forget to pay attention to the details.
One of the most important steps in ensuring compliance is to keep an updated privacy notice, whereby the new processing activities intended to be used in the fight to prevent the spread of the virus are carefully reflected. As anticipated above, the legal grounds for processing under art. 6 of the GDPR and the guarantees under art. 9 of the GDPR should also be mentioned.
When selecting a legal ground under art. 6 of the GDPR, you may come to the conclusion that you have a legal obligation to process certain data or to make certain reports to competent authorities. It may also be that the processing of data is necessary to protect the vital interests of the employee in question or of another natural person, or even for the company’s legitimate interest. In the latter case, it is important not to forget to run a necessity and proportionality test. The fundamental rights and freedoms of employees could be at stake and you should ultimately consider the need to implement strict safeguards to mitigate a disproportionate impact.
When selecting a guarantee under art. 9 of the GDPR, bear in mind, as the Romanian data protection authority reminded in its recently published guidance, that the processing may be necessary to comply with your obligations under health and safety regulations, or that the collection may be necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats.
Make sure your employees know what to do
Furthermore, it is not only a complete privacy notice that matters, but also a really good awareness program. Employees should always be informed about what they need to do in order to limit the spread. They should at least be informed of the following aspects:
» measures that must be taken by an employee in case he/she has a suspicion of contagion (e.g., immediately go home and alert the competent authorities);
» hygiene-related recommendations for the employees (e.g. to wash hands on a regular basis, avoid crowded places, avoid unnecessary meetings or travels, the list of restricted travel areas etc.);
» specific symptomatology of COVID-19 and the measures that must be taken into account by the employees in case of any sign of illness (e.g., immediately inform the employer or the authorities);
» measures taken by the employer in order to ensure confidentiality.
Don’t tell everybody the name of the possibly affected co-worker
If an employee decides to open up about a concern he/she may have in relation to a possible infection, it is possibly best to have a dedicated team for this, in order to keep such health-related information on a need-to-know basis. Implementing a secured line for this aim has also been a trendy recommendation amongst privacy professionals.
Furthermore, if you have a confirmed case among your personnel, it is probably best to avoid the public display of the individual’s name, due to the possible consequences of such disclosure. It is indeed true that during the declared state of emergency, the right to private life is restricted, but no law provides for an express derogation in this respect. And most certainly no law allows gateways to bullying and discrimination. Companies must make a serious assessment before giving away a confirmed case’s name among their peers. In all cases, this shouldn’t be done, unless essential.
DIY, but let the authorities do their job
When identifying a case, companies are encouraged to communicate with the competent authorities, in order to ensure they maintain a healthy and safe environment for the employees. In order to avoid immediate threats, discussions on direct contacts with the infected employee could also be engaged, in order to ensure isolation at home of potential cases. An “act first, ask later” type of approach may come in handy sometimes, but such behaviour cannot and will not justify any processing activity. Also, when allowing the employees to work from home, secured connections should also be a concern. Technical measures should be in place in order to ensure the integrity of the IT equipment used, or at least the employees should be reminded of how they are allowed to use their gear.
Last but not least, if the internal plan is complemented by questions on recent travel history or symptoms, it is advisable to perform a data protection impact assessment if the processing is likely to result in a high risk to the rights and freedoms of employees. If you decide to monitor the health of your employees on a large scale and by using intrusive, potentially inefficient means (for example, thermal scans or daily HR talks on symptoms), such monitoring may fail the test and result in fines, if not treated seriously.
Activating the action plan
When implementing step plans in the fight against the novel coronavirus, you should have in mind the following mantras:
» Run awareness programs within the company. Teach your employees what a responsible contact means. Let them come to you in need.
» Ensure the lawfulness and legitimacy of the new processing activities.
» Keeping an updated privacy notice is always a good idea – an informed employee is a protected employee.
» Public health does not justify the irrational collection of large amounts of data of your employees. Don’t store your information for too long either.
» Collected data in the context of the pandemic should be circulated internally only on a need-to-know basis.
» Ensuring secured lines for the employees to safely disclose if they see a threat to their peers’ health is safer and cleaner.
» Don’t name names without firstly assessing if that’s really necessary – don’t expose your employees to the risk of being bullied!
» Instead of asking everybody if they had contact with an employee at risk, it is maybe better to ask the employee at risk about his/her whereabouts.
» Thermal scans will most probably be considered too invasive and not necessary.
» When letting your employees work from home, it is maybe best to remind them of your Acceptable Use Policy.
Last but not least, managing the risks related to COVID-19 and trying to prevent the spread of COVID-19 does not mean taking on hypothetical risks of non-compliance with the GDPR. In this sense, employers should ensure they document any decision-making process regarding measures implemented to manage COVID-19 which involves the processing of personal data. Also, any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures the security of the data, in particular where health data is concerned.
In the end, don’t forget the data minimisation principle. Only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19. The remaining activities in the effort to prevent the spread of, and heal from, COVID-19 are the public authorities’ responsibility. So, if it’s the physician’s or the authority’s duty, then you probably shouldn’t do it yourself.