Organisations should keep these considerations top of mind when processing employee personal data for COVID-19 detection and prevention purposes.
By David Dumont and Anna Pateraki
As the COVID-19 pandemic continues to evolve, businesses are dealing with new, unprecedented, and rapidly changing operational and legal challenges. Over the past weeks, data protection authorities in the EU and the European Data Protection Board (EDPB) have issued guidance on the processing of personal data for COVID-19 detection and prevention purposes, including the processing of employees' health data by private sector organisations.
The general message of the authorities has been consistent: the General Data Protection Regulation (GDPR) does not prevent the processing and disclosure of personal data that is necessary to fight the COVID-19 pandemic. Nonetheless, it is important that the general data protection principles set forth by the GDPR are respected, even during a crisis.
In terms of lawfulness, several legal bases of the GDPR can be relied upon to legitimise the processing of employee personal data for COVID-19 detection and prevention purposes, including the legitimate interests legal basis. In addition, for the processing of health data, which is considered sensitive personal data under the GDPR, EU data protection authorities have identified various legal bases on which companies may be able to rely. For example, companies may be able to assert that the processing of health data of employees is necessary for companies to carry out their obligation under local labour law to ensure health and safety in the workplace.
All data processing operations, however, must be proportionate to the purpose that the data controller is seeking to achieve. In addition, the data processing must respect the other data protection principles and requirements set forth by the GDPR, such as the principle of data minimisation (i.e., avoiding excessive information collection) and the requirement for transparency (i.e., ensuring that data subjects are fully aware of the processing of their personal data for COVID-19 detection and prevention purposes).
EU data protection authorities, amongst others, have issued recommendations for a number of practices involving the processing of employee personal data for COVID-19 detection and prevention purposes.
- Surveys, tests, and reporting. As a general best practice, companies should avoid conducting systematic surveys for COVID-19 infections of employees and contractors, or their relatives. Conducting mandatory temperature tests of these individuals may be similarly problematic from a scale perspective, but mandatory temperature tests could be justified if no other less intrusive measures are available and appropriate safeguards to minimise the impact on employees' privacy are put in place. With respect to reporting, companies may encourage employees and contractors to voluntarily report COVID-19-related symptoms or exposure. Mandatory questionnaires, on the other hand, will require a careful assessment from a privacy and labour law perspective.
- Identity of infected employees. Due to confidentiality and data minimisation obligations, companies generally should not reveal the names of employees infected with COVID-19, but may inform others (including coworkers, customers, and public authorities) about an infection or the number of infections within the company's workforce. If revealing the name of an employee who contracted the virus is strictly necessary for prevention purposes and the applicable national law permits doing so, the employee at issue should receive advance notice.
- Employees' personal contact details. In general, the processing of employees' personal contact details, such as private cell phone numbers and email addresses, is allowed to the extent necessary for the employer to communicate with the relevant employee for COVID-19 detection and prevention purposes.

Although there is a certain level of consistency in the COVID-19-related issues addressed by regulators, the guidance of EU data protection authorities around these issues varies by country. As a result, when designing COVID-19 detection and prevention measures involving the processing of personal data, companies operating in multiple EU member states should strongly consider examining requirements and regulatory guidance at a national level.
David Dumont is a partner of Hunton Andrews Kurth based in the firm's Brussels office, with expertise assisting large, multinational clients with various aspects of EU privacy and data protection law.
Anna Pateraki is a partner working in the Brussels office whose practice focuses on global and European data protection matters, with emphasis on new technologies.