Employees’ personal health data collection: operational tips

The COVID-19 health emergency raises some issues concerning the safeguards that the employer must provide when collecting employees’ personal health data. The assessment and collection of information relating to the symptoms of COVID-19 (as well as that relating to recent movements of people) must be carried out by healthcare professionals and the civil defense system, which are the entities tasked with ensuring compliance with recently adopted public health rules.

For this reason, the Italian DPA clarified, on March 2nd 2020, that “the employers must refrain from collecting, in advance and in a systematic and generalized manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of flu in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment”.

On the other hand, the Government and the representatives of Trade Unions signed a Protocol on 14 March 2020 providing measures to contain and mitigate COVID-19. The Protocol contains several provisions which, among other things, allow the employer to collect and process employees’ personal data in order to protect public health.

In this sense, according to art. 2 of the aforesaid Protocol, the employer could restrict access for personnel whose body temperature is above 37.5°C.

In order to verify this parameter, the provision allows employees’ temperature to be measured at the entrance of the workplace, as long as the rules about personal data protection are complied with.

The employer should collect, in real time, the temperature and all data relating to employees’ health, according to art. 9 of the GDPR.

The GDPR foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it’s necessary for reasons of substantial public interest in the area of public health (Art. 9.2.i), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (Art. 9.2.c).

For these reasons, in order to provide some operational tips, we suggest the following:

  1. measure the temperature but don’t register the collected data. It’s useful to identify the person and record the temperature only when it’s necessary to document the reasons that didn’t allow the employee’s access to the workplace;
  2. provide a policy on the processing of personal data. As regards the contents of the privacy policy, with reference to the purpose of the processing, the prevention of contagion from COVID-19 may be indicated and, with reference to the legal basis, the implementation of the anti-infection security protocols pursuant to Art. 1, no. 7, letter d) Prime Minister’s Decree dated 11 March 2020; furthermore, with reference to the data retention period, it can be indicated as lasting until the end of the state of emergency;
  3. define the appropriate security and organizational measures to protect the data. Controllers and processors shall give the necessary instructions to persons acting under their authority who have access to personal data. Moreover, please note that the data may be processed exclusively for purposes of prevention from infection by COVID-19 and must not be disclosed or communicated to third parties, except in the cases provided for by specific provisions (such as the request by the Health Authority aimed at the reconstruction of the chain of any “close contacts” of a worker found positive for COVID-19); we recommend, in any case, reviewing the company’s policy on data protection;
  4. ensure arrangements to guarantee the confidentiality and dignity of the worker. These guarantees must also be ensured in the event that the employee informs the HR manager that he or she has had, outside the company context, contact with people who have tested positive for COVID-19 and in the event of removal of the worker who develops symptoms of respiratory infection during his or her work activity.

In the event that the employer intends to request the worker to issue a self-certification attesting that, in the previous 14 days, the worker has not had any contact with people tested positive for COVID-19 or does not come from areas considered at risk, it must be considered that the acquisition of such information constitutes personal data processing, with consequent application of the protection measures indicated above. In any case, it should be considered that the employer is required to inform their staff in advance – also by means of information signs – of the prohibition of access to those who, in the previous 14 days, have had contact with individuals who have tested positive for COVID-19 or who come from risk areas, as indicated by the WHO.

Personal data processing during the COVID-19 outbreak

The European Data Protection Board (the “Board”) has issued a statement on personal data processing in association with the outbreak of the COVID-19 infection (the “statement”). In its statement, the Board has stated that the fight against the infection is most certainly in the interests of all humankind, but that administrators and processors must still adhere to the fundamental data processing principles set out in the General Data Protection Regulation (the “GDPR”) and secure adequate protection of all the personal data of the data subjects even in these exceptional times.

The Board’s statement also deals with the processing of personal data associated with the infection on the part of the public health authorities and employers, amongst other things. According to the Board, GDPR also covers exceptional situations and it enables processing which is in line with national law. In the case of employers, the Board has stated that the processing of any such data may be necessary for compliance with employer’s legal obligations associated with securing health and safety in the workplace. The statement also draws attention to the possibility of processing so-called sensitive personal data (which includes data on an individual’s state of health) in cases where the processing is necessary for reasons of public interest in the area of public health or for the protection of the vital interests of the data subject.

However, the Board calls upon employers to exercise restraint when processing sensitive personal data. It has especially emphasised the principles of proportionality and data minimisation. According to the Board, the employer may only process any sensitive personal data, if it is obliged to do so according to national law or if the national law enables it to do so. The Board has also appealed to the principle of integrity and confidentiality, whereby employers should not provide more information than is actually necessary in a specific case (for example, not providing the identity of any infected employees to the other employees when adopting protective measures, unless it is absolutely necessary to do so).

The Office for Personal Data Protection (the “Office”) has also issued statements on the processing of the health data of employees by employers in association with COVID-19 infections on its website. It has essentially permitted said personal health data processing with reference to the legal obligation of employers to provide a safe working environment and working conditions which are conducive to good health by means of the suitable organisation of occupational health and safety practices and measures aimed at preventing any risks. This is because the GDPR enables the processing of sensitive personal data if it is necessary for the purposes of carrying out the obligations of the controller in the field of employment. At the same time, however, the Office recommends proceeding in cooperation with the public health authorities. Like the Board, the Office has also stated that, if an employer informs the other employees of a potential risk (for example, that there is an infected person in the workplace) within the framework of the performance of its obligations, said employer should only provide this information about a specific individual to the extent which is necessary for the protection of health and always so that the dignity and integrity of the person in question is not impugned.

The Board’s statement further addresses the use of mobile location data to determine the positions of individuals by the governments of the member states for the purpose of monitoring, controlling or mitigating the spread of the infection. According to the Board, the public authorities should attempt to process any location data anonymously (i.e. process data aggregated in a way that individuals cannot be re-identified). Each member state should adopt the appropriate legislation to process any non-anonymised data. In this regard, we hereby state that so-called tracing has been made possible in the Czech Republic by Government Resolution no. 250 dated 18th March 2020 in association with the subsequent exceptional measures of the Ministry of Health dated 19th March 2020.

Based on these decisions, the Ministry of Health or the authorised regional hygiene stations can request mobile telephone operators to provide data on the movements of infected individuals based on the location data acquired from their mobile phones. The individual in question must give explicit consent for this to happen.

If you have any questions pertaining to personal data processing connected with the COVID-19 infection in your company, please do not hesitate to contact our specialists Matyáš Kužela or Tomáš Zwinger. They will be happy to help you set up the data processing so that it is fully in line with GDPR.

Personal data protection amid #coronavirus


The response to the COVID-19 outbreak has infiltrated nearly every aspect of daily life. Polish laws have not been immune to the epidemic’s impact either, with the government recently announcing a draft of the so-called Anti-Crisis Shield designed to amend a number of acts in order to support businesses. Amid the fight against the coronavirus, in the statement of 12 March, the President of the Personal Data Protection Office (UODO) declared that the personal data protection regulations must not stand in the way of the coronavirus response. Read the article below to learn more about the protection of personal data in the face of the coronavirus epidemic.

GDPR still applies

There is no doubt that data protection should be no barrier to managing the coronavirus spread; however, one must bear in mind that all personal data protection regulations, including GDPR (and administrative fines), still apply, regardless of how difficult and unprecedented the current situation is. The statement issued by UODO’s President was meant as guidance only and it does not change the fact that personal data requirements must still be complied with.

However, there are still no specific regulations for businesses that worry about the legal processing of personal data in managing issues concerned with the coronavirus.

Are employers allowed to take a worker’s temperature?

There has been growing concern over whether employers are allowed to take the temperature of a worker or of a person not employed by them and, if so, what rules they should follow.

Body temperature data represent data concerning health – one of the special categories of personal data the processing of which is prohibited, in accordance with Article 9(1) of GDPR. Data concerning health may be processed only in cases specified in Article 9(2) of GDPR.

Without going into theoretical detail, we believe that personal data may be processed in connection with body temperature measurement in the case of both employees and other persons so long as the below rules are followed.

Taking an employee’s temperature

We believe that the legal basis for the measurement of a worker’s temperature is Article 9(2)(b) of GDPR, stating that the processing of the personal data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. The relevant obligation of the employer in the field of employment law is provided for in Article 207 of the Labor Code.

It should also be noted that the draft bill on amending the act on emergency solutions designed to prevent, counteract and combat COVID-19, other infectious diseases and emergency situations caused thereby, and amending selected other acts, dated March 13, 2020, includes Article 3a, which provides that:
“in order to counter the spread of COVID-19, the employer has the right to:
1) request an employee to confirm whether or not he/she has recently been to a region affected by COVID-19;
2) request an employee to undergo the necessary medical examinations where there is a reasonable belief that he/she is infected with COVID-19 or has recently been to a region affected by COVID-19; medical examinations represent health care services as defined in Article 9;
3) screen an employee for symptoms of COVID-19 before allowing him/her to work, especially through body temperature measurement;
4) introduce additional workplace sanitary regulations or occupational health and safety regulations;
5) request an employee to go to a region affected by COVID-19 only when necessary and with the employee’s consent, in accordance with Article 3a.”


The above-quoted provision would be a valuable addition to the Polish labor law as it would settle all the doubts surrounding temperature measurement by employers.

Taking a non-employee’s temperature

In our opinion, employers are allowed to measure the temperature of a person not employed by them on the basis of such person’s explicit and freely-given consent, in accordance with Article 9(2)(a) of GDPR. Written form of the consent is not required.

As far as body temperature measurement is concerned, we see a growing popularity of thermal imaging cameras, which may be used without the need to process personal data.

Whatever the method of processing, you should remember to fulfil the obligations in the field of personal data processing resulting from GDPR, especially the obligation to provide relevant information to the person whose data are processed.

In case you have any questions, do not hesitate to contact us.

Personal data protection implications that companies should take into account when adopting preventive measures against COVID-19

The measures aimed at ensuring a safer workplace and preventing the spread of the virus may increase the processing of personal data of employees and third persons outside the organization. The data chiefly affected by these measures are data concerning health.

In accordance with article 9.1 GDPR, health data are considered special categories of personal data and, as a general rule, their processing is prohibited, unless any of the exceptions set out in article 9.2 GDPR is applicable, in which case a test of proportionality, necessity and transparency must be performed.

In the present case, the processing by companies of COVID-19-related health data of employees and third persons is covered by the exceptions provided for in article 9.2 GDPR, that is, the protection of vital interests, public interest and compliance with labour law obligations.

Below are the main points that companies should consider in this respect:

Contact information

As a result of teleworking measures, it may be necessary to use contact details and personal information of employees. Consideration should be given to whether there is a legitimate basis for the processing and employees should be informed about the purpose of the use of such personal information, duration of the processing and retention period.

Health data

Monitoring the coronavirus situation and complying with the obligations imposed on companies by the public authorities may involve excessive processing of health data concerning employees and third persons such as suppliers and visitors, among others.

There are two essential points:

  • These are health data, the processing of which is necessary for the protection of vital and public interests.
  • Such processing shall be limited to the specific purpose of protecting vital interests arising from the coronavirus. The information may not be used for other purposes, nor may previous health information be used for this purpose.

Confidentiality

The employee has an obligation to disclose personal and health information and the company must modulate the confidentiality of such information and whether it is shared with other employees.

Retention

These days, HR departments are collecting a great deal of information from workers, such as travel plans, illnesses and others. Companies must assess how long this information is being retained and when highly confidential data should be destroyed.

Communication

There is a high chance that health information may be shared with other entities, such as health care providers. At this point, companies need to find a legitimate basis for communicating this information and determine how the information should be provided and with whom it is shared.

Transparency and duty of information

Employees and third persons need to be informed of any processing of personal data resulting from the adoption of measures to prevent the spread of the virus and to ensure workplace health.