COVID-19 in the workplace: differing guidance from data protection authorities
Written By
With the spread of coronavirus (COVID-19), employers are facing increasingly complex challenges in the day-to-day operation of their businesses. A key issue that many employers are facing is how to stop the disease spreading within their workforce, and what measures to implement to protect employees and the business. This is particularly crucial in international companies with highly mobile workforces, where the risk of infection and contagion is higher.
To respond to the increasing threat of the virus, numerous employers are considering monitoring their employee's state of health, their travel plans in and outside of work and their possible contacts with infected individuals outside the workplace. Employers are taking two approaches to stop the spread of the virus: either actively monitoring these factors, for example by asking employees to regularly fill in health questionnaires, and/or implementing policies and procedures to minimise the risk of infection and contagion.
Some data protection authorities have started to provide guidance, but there are divergent views on how employers should comply with data protection requirements, depending on the jurisdiction.
Restrictions monitoring employee health and travel – France and Italy
Companies considering the former approach should be aware that data protection regulators in the EU have issued guidance on COVID-19 related monitoring. In both France and Italy, the data protection supervisory authorities (the CNIL and the Garante respectively), have stated that employers should not actively collect information about their employee's state of health.
In France, the CNIL has informed organisations that they should not collect information about the body temperature of their employees or visitors to the premises or information about health and possible COVID-19 symptoms from them. This does not prevent employers from reporting cases of COVID-19 in the workplace to relevant health authorities. The CNIL has specifically stated that, if an employer is alerted to case of COVID-19 amongst their employees, the employer may record:
- the date and identity of the person suspected of having been exposed to the virus;
- the organisational measures taken (isolation, remote working, contact with the workplace doctor, etc.).
Guidance from the Garante in Italy similarly prohibits employers from actively collecting health information about employees, or gathering information about employee's travel outside of work. There is an exemption to this for situations in which the health risk to the employee is higher (e.g. because of a high risk working environment) – in such cases, the employer can request an in-house health care professional to carry out health checks.
Both authorities also warn against employees to supply information about the state of health of their friends and family.
Collection and disclosure of employee personal data – Hungary and Denmark
Meanwhile, in Hungary, the NAIH declared that employers should encourage employees to report possible COVID-19 risks.
If the employee reports or the employer becomes aware of any suspicious circumstance based on the information provided by the employee, the employer may require the employees to fill out questionnaires that can contain certain information including travel destinations and dates as well as connections with infected persons.
However, the employer must not request information about the medical history of the employee or any medical documentation. The employer is also not permitted to generally and systematically require employees to undergo medical checks (such as measuring body temperature). As in Italy however, in certain circumstances and in relation to roles that are particularly at risk of infection, medical checks conducted or supervised by medical professionals can be carried out.
In Denmark, the Danish DPA has also issued guidance on whether employer's can collect and disclose information about employees in relation to the corona outbreak. Its guidance acknowledges that in some cases personal data, including sensitive personal data, may be collected and disclosed but stresses the importance of assessing whether the processing is legitimate and limited to what is necessary.
The Danish DPA therefore recommends employers to consider:
- whether there is a good reason to collect or disclose the personal data in question
- whether the specific personal data is necessary, including whether the employer's purpose can be achieved by collecting less
- whether it is necessary to name names - e.g. the name of the person infected or quarantined.
In Italy, France, Hungary and Denmark employees are required to report COVID-19 to their employers as part of employee's duty to report health and safety risks.
Elsewhere in the EU
in many jurisdictions in the EU and in the UK, no specific data protection guidance on this issue has yet been issued. It is therefore for organisations to decide what appropriate method to use to prevent the spread of COVID-19 in the workplace.
If employers decide to collect information about symptoms from visitors and employees, they will need to ensure that the processing relies on a valid condition under Article 9 of the GDPR, as the employer will be processing sensitive personal data. This will require a thorough analysis; in addition to national data protection laws in each member state implementing the GDPR, which vary when it comes to sensitive personal data, national health regime laws may apply.
This will make it difficult for international companies to adopt a unified approach on collecting health-related information for coronavirus prevention across the EU.
Employers who seek to rely on consent (by requesting employees and visitors to tick a consent box or by making the questionnaire optional) should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information. Consent under the GDPR must also be revocable, which may undermine the organisation's monitoring process.
Whatever legal basis is relied on, employers will also need to ensure they comply with data protection principles, as per any processing of personal data. The data minimisation and purpose limitation principle are of particular importance in this context.
Compliant approaches to tackling COVID-19 – a practical approach
An alternative to monitoring symptoms, travel patterns and possible encounters with infected patients is for employers to implement procedures and policies to reduce the risk of infection at work. Both the Garante and the CNIL advocate this approach, suggesting that employers provide remote working options and implement clear procedures on self-isolation in case of contagion. In Italy, the local health authorities are regularly issuing and updating new measures to be followed. Employers can (or must, for Italy) also provide their workforce and visitors with good practice hygiene recommendations, make hand sanitiser available and restrict interpersonal contact to reduce the risk of infection.
Without actively collecting any information about their employees, employers can also implement clear procedures, discouraging employees from coming to work if they have travelled to affected regions, have certain symptoms or have come into contact with a COVID-19 patient.
