The fight against the COVID-19 pandemic led to the deployment of unprecedented responses by states and organizations, from “data against corona” initiatives (i.e., use of “anonymized” and “aggregated” mobile data as part of monitoring the success of in-shelter rules) to employers around the globe eager to protect their workforces and launching corona-investigations (inquiring about personal travels, imposing self-quarantine measures, etc.).

Even more so in strained times, attention must be paid to balancing those initiatives against individuals’ fundamental right to privacy. In this context, many national data protection authorities in the European Union and the United Kingdom issued guidelines on the processing of personal data as part of the COVID-19 crisis in an effort to define what is possible and what is not.

We summarize below the approach taken in relation to three aspects of employee privacy, namely: the possibility for employers to ask employees to disclose symptoms, the conduct of examinations of employees and, finally, the disclosure of affected employees’ identity to peers.

A snapshot is provided for Belgium, France, Germany and the United Kingdom. For a broader review of cybersecurity and data privacy aspects in relation to COVID-19, please read our Legal Update on the subject.

Enjoy the reading.

Diletta De Cicco and Charles Helleputte


COVID-19 and data protection in Belgium

What are the guidelines issued?

On March 13, 2020, the Belgian data protection authority (“APD”) published its initial guidance (the “Guidance”) to assist employers having to balance preventive measures for the health and safety of their employees while preserving the employees’ right to privacy and data protection:
https://www.autoriteprotectiondonnees.be/covid-19-et-traitement-de-données-à-caractère-personnel-sur-le-lieu-de-travail

The Guidance was last updated in March 2020 and, on March 31, the APD launched a dedicated COVID-19 page on its website (available here:
https://www.autoriteprotectiondonnees.be/epidemie-covid-19).

Snapshot of guidelines issued covering:

Asking employees about their diagnoses or symptoms
The APD made it clear that employers cannot oblige employees to fill in medical questionnaires or reports of recent travels. However, the APD suggests that employers may encourage employees to communicate voluntarily any symptoms or travels to highly infected areas.

Conducting or requiring examinations of employees
The APD pointed out that the assessment of health risks should be carried out by occupational physicians, namely the workplace doctors, and not the employers themselves. Similarly, only the occupational physicians and not the employers are authorised to conduct general and systematic health checks of the employees and visitors, such as temperature controls.

Sharing information about affected individuals
An employer’s disclosure of the identity of data subjects who contracted COVID-19 would likely be a breach of the GDPR. Rather, the physicians can detect infections and share such information with the employers and persons who have been in contact with the infected persons.

Any other relevant consideration from the guidelines
The APD recalls that the processing of special categories of data can only be based upon one of the legal bases set forth in Art. 9(2) GDPR. Collection of health data as part of the COVID-19 pandemic cannot extensively and systematically be justified using Art. 6(1)(d) GDPR (“processing necessary to protect the vital interests of the data subject or of another natural person”). Further, while relying on the public interest in the area of public health could be possible, this would only apply for those processing activities required pursuant to explicit instructions from the authorities. The APD insists that employers comply with the data protection principles of proportionality, transparency, data minimisation and purpose limitation. Should there be a reason for collecting the minimum required amount of personal data, employers shall ensure that employees are informed about the purposes for which their data are processed and the storage period of their data.

Authors: Diletta De Cicco, Charles Helleputte


Covid-19 and data protection in France

What are the guidelines issued?

The French data protection authority (“CNIL”) released a statement on March 6, 2020 recalling a few data protection principles that apply in the context of the Covid-19 crisis:
https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles.

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms
It is not possible for an employer to collect and process information about its employees, their relatives and visitors concerning their health condition, whether globally or individually, either through the collection of medical sheets or questionnaires or by way of mandatory body temperature testing of each employee / visitor. It is however recommended for an employer to inform visitors, customers and employees entering the buildings about Covid-19 and to invite them to contact the company as soon as possible in case of suspicion of contagion or symptoms (it is recommended to appoint a specific person to whom the employee, visitor or customer will report).

Employees have a duty to report to their employer any suspected contact with the virus.

Conducting or requiring examinations of employees
Health data are subject to specific protection both by the GDPR and the French public health code. This code notably provides for a strict medical secrecy which prohibits any doctor from disclosing information regarding an employee’s health condition. In any case, an employer can only refer employees to the company occupational doctor who is bound by the same professional secrecy.

Sharing information about affected individuals
In the event of a report, an employer may:

  • record the date and identity of the person suspected of having been exposed;
  • list the organizational measures taken (confinement, teleworking and contact with the occupational doctor, etc.); and
  • as the case may be, inform health authorities.

The CNIL does not specify that other employees may receive such information. The employer should, in order to comply with its health and safety obligation, inform the employees of a potential risk of infection. However, it does not seem necessary to provide the employees with the name of the sick individual. Should it be necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and provide his/her prior consent.

Any other relevant considerations from the guidelines
Employers should follow directions given by public authorities and process health data only to the extent required by such authorities.

Author: Régine Goury


Covid-19 and data protection in Germany

What are the guidelines issued?

On March 13, 2020, the German “Datenschutzkonferenz”, a collective body comprising independent federal and state data protection authorities, published guidelines regarding Covid-19 and data protection.[1] On the same day, the state data protection authority of Baden-Württemberg published Q&As on the subject.[2] A few days later, the state data protection authority of Rhineland-Palatinate issued a note focusing on employee data protection.[3]

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms
Controllers are allowed to collect and process personal data of employees and visitors, including health data, in particular to determine whether they are infected with Covid-19, have been in contact with a person who is proven to be infected, or have traveled to an area classified by the German Robert Koch Institut as a Covid-19 risk area.

Conducting or requiring examinations of employees
Employers are not allowed to actively collect health data of employees (data protection authority of Baden-Württemberg). In addition, temperature testing is not lawful given the existing doubts as to the suitability of such tests, as well as the various less intrusive measures that could be used (data protection authority of Rhineland-Palatinate). This applies even where employees do not oppose the tests.[4]

Sharing information about affected individuals
It is only lawful to share personal information of individuals infected with Covid-19 or suspected of being infected if the knowledge of their identity is exceptionally necessary for protecting people they had contact with. In this case, controllers may rely on Art. 6(1)(c) or (f) GDPR.

Any other relevant considerations from the guidelines
Health data must be kept confidential, used solely for the intended purpose and deleted once the purpose is achieved (as a general rule, at the latest after the end of the pandemic). For data processing activities that are not covered by the legal ground of necessity of data processing for reasons of public interest in the area of public health, controllers may rely on consent only where data subjects have been informed about the data processing and have voluntarily consented.

Authors: Vanessa Klessy, Ana Bruder

[1] https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html?nn=5216976

[2] https://www.baden-wuerttemberg.datenschutz.de/faq-corona/

[3] https://www.datenschutz.rlp.de/de/themenfelder-themen/beschaeftigtendatenschutz-corona/

[4] https://www.covid19.law/2020/03/compulsory-temperature-testing-and-the-protection-of-employee-data/


COVID-19 and data protection in the United Kingdom

What are the guidelines issued?

The UK’s Information Commissioner’s Office (the “ICO”) recommended organisations adopt a proportionate approach to their data protection practices during the pandemic. The ICO reassured organisations that it understands the challenges that some organisations are facing when allocating financial and human resources away from their usual compliance work during this period.

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms
It is reasonable for businesses to ask individuals that they come into contact with, such as members of staff or visitors, whether they have visited a particular country or are experiencing COVID-19 symptoms, but organisations may not need to collect more specific information about individuals’ health conditions and should not collect more personal data than they need (proportionality and data minimisation).

Conducting or requiring examinations of employees
From an employment law perspective, although it is possible for an employer to ask if an employee would consent to a test, it is not permissible for an employer to require an employee to take a test or, for example, face being suspended without pay or dismissed. Further information about this can be found at:
https://www.mayerbrown.com/en/perspectives-events/publications/2020/03/coronavirus-covid19-practical-points-for-uk-employers.

Sharing information about affected individuals
Where there has been a case or suspected case within an organisation, businesses may inform their personnel, but it is probably not necessary to name the affected individual(s) unless it is strictly required to protect other individuals. In cases where it is necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and their dignity and integrity protected. Further information about this can be found on our blog at:
https://www.employerperspectives.com/2020/03/right-to-know-covid-19/

Any other relevant considerations from the guidelines

  • Security of personal data and homeworking: An organisation’s legal obligations to keep personal data secure remain the same, even during a crisis. Businesses need to consider and implement security requirements that are appropriate to protect personal data that may be processed in a homeworking environment. These may be the same or tougher than those used at the organisation’s premises.
  • Data protection compliance related deadlines: While the statutory timescales under the GDPR and the Data Protection Act 2018 continue to apply, the ICO said that it will take a more pragmatic view during this extraordinary period and will not penalise organisations that it knows need to prioritise other areas.

Authors: Mark Prinsley, Oliver Yaros
