The outbreak of the Covid-19 pandemic has forced governments to take measures that pose exceptional limitations on individuals' rights and freedoms for the benefit of public safety. Companies, on the other hand, are asked to employ best practices in relation to hygiene and to protect the workplace from health hazards. For this, they are requesting certain personal information from their employees, such as whether the employees have recently travelled, and in certain cases medical information such as symptoms and medical examinations which relate to the virus. However, do employers have a legal right to process such information, which in ordinary circumstances would be a violation of the employee's right to privacy?
Can medical data relating to the virus be processed by employers?
Information about symptoms of the virus is considered data concerning health and, pursuant to The General Data Protection Regulation (EU) 2016/679 (the "GDPR" or "Regulation"), the processing of such data is prohibited as it falls under the "special category of personal data" unless one of the conditions of Article 9(2) applies.
Following the instructions of the European Board of Data Protection, it was stated that "Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic and that companies could process data necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation".
Initially, it was possible for businesses and organizations to rely on Article 6(1)(c) where processing is necessary for compliance with a legal obligation (duty to ensure the health, safety and welfare of employees – Safety and Health at Work Law 89(I) as amended (the "Safety and Health Law")) and Article 6(1)(c) where processing is necessary for the performance of a task carried out in the public interest and, in more rare cases, Article 6(1)(d) protection of vital interests.
Whilst the above could justify processing of certain data, it does not allow the processing of special categories of personal data. For this, employers would need to consider Article 9(2)(b), which states that processing of special categories of data is allowed when it is necessary for the purposes of carrying out obligations of the employer in the field of employment. As explained above, pursuant to Article 13 of the Safety and Health Law, employers have the obligation to ensure the health, safety and welfare of their employees, and should take the necessary measures to achieve that. Therefore, it could be justifiable for businesses to request certain data from their employees, in an effort to protect the employees and the workplace.
Furthermore, controllers could also rely on Recital 46 which offers guidance on the processing of information in instances where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. As per the Recital "Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and manmade disasters." Therefore, public interest and the vital interest of the data subject or of another natural person may constitute sufficient grounds for an employer to process medical data of its employees.
The role of employers in combating the Covid-19 virus
Pending the issue of official guidance from the Office of the Commissioner of Personal Data Protection ("OCPDP"), useful guidance in relation to the role of employers in the response to the outbreak can be obtained from Data Protection Authorities across the EU, many of which have adopted varying approaches on how such information should be handled. The Spanish Agency for Data Protection has published a report which relates to the same matter and provides a lot of insightful information in relation to such processing. The Hellenic Data Protection Authority (the "HDPA") has taken a different approach, stating that the right to personal data protection is not absolute and it should be balanced with the fundamental rights and the right to life and health, whilst agreeing that the public interest and protection of employees' health are sufficient grounds for the processing. On the other hand, the Italian Data Protection Authority said that companies should refrain from "DIY" (Do It Yourself) data collection, but instead should act as dedicated channels of communication to the authorities of employees reporting symptoms. Furthermore, some useful guidance can also be sought from the Information Commissioner's Office, the UK's Data Protection Commissioner (although not part of the EU anymore, following Brexit), which states that employers and organizations have an obligation to protect their staff and may need to ask their employees to provide certain information, such as if they have visited a particular country or if they have experienced coronavirus symptoms. Companies could also be asked to provide information about their employees to the authorities.
How should companies process medical data?
Businesses and organizations must understand that whilst they can request some information, the law is still the law. By gathering special categories of personal data, controllers carry a higher compliance burden, and adherence to the principles which relate to the processing of personal data pursuant to Articles 5, 6 and 9 is of paramount importance when processing such data. These principles should lie at the heart of every employer's approach to the processing of employee-related personal data.
What information should companies request?
Companies must follow instructions and guidance provided by public authorities, bearing in mind the sensitivity of the information and the impact it has on the rights and freedoms of individuals. Information requested should be restricted to only what is strictly necessary and should be processed in a secure and confidential way.
How should the Company request that data?
Transparency and communication are essential. Employees should be informed that, for reasons of workplace and public safety, they are required to notify their employer if they travelled to certain countries or if they or people close to them came in contact with a suspected case. Further, employers also need to inform their employees of confirmed cases of the virus; however, that can be done in a way that protects the identity of the employee in question. Finally, employers should consider establishing a secure and confidential route or point of contact in relation to such reporting and ensure that access to that information is provided only to those on a strict "need-to-know" basis.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.