Organisations should keep these considerations top of mind when processing employee personal data for COVID-19 detection and prevention purposes.
By David Dumont and Anna Pateraki
As the COVID-19 pandemic continues to evolve, businesses are dealing with new, unprecedented, and rapidly changing operational and legal challenges. Over the past weeks, data protection authorities in the EU and the European Data Protection Board (EDPB) have issued guidance on the processing of personal data for COVID-19 detection and prevention purposes, including the processing of employees’ health data by private sector organisations.
The general message of the authorities has been consistent: the General Data Protection Regulation (GDPR) does not prevent the processing and disclosure of personal data that is necessary to fight the COVID-19 pandemic. Nonetheless, it is important that the general data protection principles set forth by the GDPR are respected, even during a crisis.
In terms of lawfulness, several legal bases of the GDPR can be relied upon to legitimise the processing of employee personal data for COVID-19 detection and prevention purposes, including the legitimate interests legal basis. In addition, for the processing of health data, which is considered sensitive personal data under the GDPR, EU data protection authorities have identified various legal bases on which companies may be able to rely. For example, companies may be able to assert that the processing of health data of employees is necessary for companies to carry out their obligation under local labour law to ensure health and safety in the workplace.
All data processing operations, however, must be proportionate to the purpose that the data controller is seeking to achieve. In addition, the data processing must respect the other data protection principles and requirements set forth by the GDPR, such as the principle of data minimisation (i.e., avoiding excessive information collection) and the requirement for transparency (i.e., ensuring that data subjects are fully aware of the processing of their personal data for COVID-19 detection and prevention purposes).
EU data protection authorities, amongst others, have issued recommendations for a number of practices involving the processing of employee personal data for COVID-19 detection and prevention purposes.
- Surveys, tests, and reporting. As a general best practice, companies should avoid conducting systematic surveys for COVID-19 infections of employees and contractors, or their relatives. Conducting mandatory temperature tests of these individuals may be similarly problematic because of the scale of the processing, but mandatory temperature tests could be justified if no other, less intrusive measures are available and appropriate safeguards to minimise the impact on employees' privacy are put in place. With respect to reporting, companies may encourage employees and contractors to voluntarily report COVID-19-related symptoms or exposure. Mandatory questionnaires, on the other hand, will require a careful assessment from a privacy and labour law perspective.
- Identity of infected employees. Due to confidentiality and data minimisation obligations, companies generally should not reveal the names of employees infected with COVID-19, but may inform others (including coworkers, customers, and public authorities) about an infection or the number of infections within the company’s workforce. If revealing the name of an employee who contracted the virus is strictly necessary for prevention purposes and the applicable national law permits doing so, the employee at issue should receive advance notice.
- Employees’ personal contact details. In general, the processing of employees’ personal contact details, such as private cell phone numbers and email addresses, is allowed to the extent necessary for the employer to communicate with the relevant employee for COVID-19 detection and prevention purposes.
Although there is a certain level of consistency in the COVID-19-related issues addressed by regulators, the guidance of EU data protection authorities on these issues varies by country. As a result, when designing COVID-19 detection and prevention measures involving the processing of personal data, companies operating in multiple EU member states should examine the requirements and regulatory guidance at national level in each member state concerned.
David Dumont is a partner of Hunton Andrews Kurth based in the firm’s Brussels office, with expertise assisting large, multinational clients with various aspects of EU privacy and data protection law.
Anna Pateraki is a partner working in the Brussels office whose practice focuses on global and European data protection matters, with emphasis on new technologies.