The COVID-19 health emergency involves some issues related to the protection that the employer must offer in case of employees’ personal health data collection. The assessment and collection of information relating to the symptoms of COVID-19 (as well as that relating to recent movements of people) must be carried out by healthcare professionals and the civil defense system, which are the entities tasked with ensuring compliance with recently adopted public health rules.
For this reason, the Italian DPA clarified, on March 2end 2020, that “the employers must refrain from collecting, in advance and in a systematic and generalized manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of flu in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment”.
On the other hand, the Government and the representatives of Trade Unions signed a Protocol on 14 March 2020 providing measures to contain and mitigate the COVID-19. The Protocol contains several provisions which among the other things, allows the employer to process the collection of employees’ personal data in order to protect public health.
In this sense, according to art. 2 of the aforesaid Protocol, the employer could restrict the access to personnel whose body temperature is above 37.5°C.
In order to verify this parameter, the provision allows to measure employees’ temperature at the entrance of the workplace, as long as the rules about personal data protection are complied with.
The employer should collect, in real time, the temperature and all data relating to employees’ health, according to art. 9 of the GDPR.
The GDPR foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it’s necessary for reasons of substantial public interest in the area of public health (Art. 9.2.i), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (Art.9.2.c).
For this reasons, in order to provide some operational tips, we suggest to:
- measure the temperature but don’t register the collected data. It’s useful to identify the person and record the temperature only when it’s necessary to document the reasons that didn’t allow the employee’s access to the workplace;
- provide policy on the processing of personal data. As regards the contents of the privacy policy, with reference to the purpose of the processing, the prevention of contagion from COVID-19 may be indicated and with reference to the legal basis, the implementation of the anti-infection security protocols pursuant to Art. 1, no. 7, letter d) Prime Minister’s Decree dated 11 March 2020; furthermore, with reference to the data retention period, it can be indicated until to the end of the state of emergency;
- define the appropriate security and organizational measures to protect the data. Controllers and processors shall give the necessary instructions to person acting under their authority who has access to personal data. Moreover, please note that the data may be processed exclusively for purposes of prevention from infection by COVID-19 and must not be disclosed or communicated to third parties, except in the cases provided for by specific provisions (such as the request by the Health Authority aimed at the reconstruction of the chain of any „close contacts” of a worker found positive to COVID-19); we recommend, in any case, to review the company’s policy on data protection;
- ensure arrangements to guarantee the confidentiality and dignity of the worker. These guarantees must also be ensured in the event that the employee informs the HR manager that he or she has had, outside the company context, contact with people who have tested positive for COVID-19 and in the event of removal of the worker who develops symptoms of respiratory infection during his or her work activity.
In the event that the employer intends to request the worker to issue a self-certification attesting that, in the previous 14 days, the worker has not had any contact with people tested positive for COVID-19 or does not come from areas considered at risk, it must be considered that the acquisition of such information constitutes personal data processing, with consequent application of the protection measures indicated above. In any case, it should be considered that the employer is required to inform their staff in advance – also by means of information signs – of the prohibition of access to those who, in the previous 14 days, have got contact with individuals who have tested positive for COVID-19 or who come from risk areas, as indicated by the WHO.