Over the past few weeks, we have witnessed governments, public authorities as well as private organizations and companies within the EU taking measures to contain the pandemic outbreak of Covid-19. Such measures have inevitably affected the processing of special categories of personal data, especially in the context of employment.
The European Data Protection Board (the "EDPB"), in its statement of 20 March 2020, stated that:
"Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. A number of considerations should be taken into account to guarantee the lawful processing of personal data and in all cases it should be recalled that any measure taken in this context must respect the general principles of law and must not be irreversible. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period".
It is therefore essential that data controllers and processors ensure the lawful processing of the personal data of data subjects and the protection of such data.
Public health authorities and employers are allowed under the GDPR to process personal data in the context of an epidemic, in accordance with national laws and within the conditions set therein.
The employment sector is one of the sectors that has been seriously affected in terms of compliance with data protection rules in view of the COVID-19 outbreak. Employers may need to request their employees to disclose data in relation to their trips, health etc. Employers need to be very careful when collecting and processing personal data so as to respect the general principles of law and simultaneously honour their legal obligations as well as the integrity and privacy of their employees.
In order to lawfully process special category data, the so-called sensitive data, which include health data, one needs to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9.
- Article 9:
The general restriction under Article 9 of the GDPR states that the processing of data concerning health shall be prohibited. The consent of the data subject is usually required as a derogation to the general rule.
However, the consent of the data subject is not the only derogation. The GDPR provides legal grounds, as exceptions, that allow for the processing of personal data without the consent of the data subjects if it is "necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or where there is the need to protect the vital interests of the data subject".
- Article 6:
As also mentioned in the statement of the EDPB, in the context of employment, the employer has a legal obligation relating to health and safety at the workplace and may thus be required to process data to this respect. The processing of data by the employer may also be required for matters of public interest, such as the control of diseases and other threats to health. Processing under Article 6 may also be lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person.
THE ROLE OF THE EMPLOYERS:
Employers should only require health information to the extent that national laws allow it; the principles of proportionality and data minimization apply here. Employers should be very careful not to disclose information and data that are not required.
At the same time, they should update their internal procedures with regard to the purposes of processing these additional sensitive data, and update their record retention policy to ensure that provision is made for the retention period of these additional data. Further security measures and mechanisms must be put in place to ensure protection of the data (e.g. limited and secured access).
WORKING FROM HOME:
The new reality has forced employers to ensure that a business continuity plan is put in place which allows employees to work from home. The provisions of the GDPR do not impose a barrier to this.
The employer will need to ensure that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Such measures include pseudonymization and encryption, which ensure confidentiality, and the use of systems that allow employees remote access to the company network behind its firewall (e.g. a VPN). Procedures will also have to be put in place regulating employees' use of hard copies, and employees should be trained in the steps that need to be taken in case of a breach.
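The pseudonymization, data minimization and retention measures mentioned above can be illustrated with a small working example. The following Python code is an added illustration and is not part of the original article or of any EDPB guidance; the screening records, the field list, the 14-day retention period and the assumption that HR holds the HMAC key separately from the safety log are all constructed for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample screening records (fictional employees), as an employer
# might collect from a COVID-19 screening form.
SCREENING_RECORDS = [
    {"employee_id": "E-1001", "name": "Alice Example", "department": "Finance",
     "temperature_c": 38.4, "recent_travel": "IT", "symptoms": True,
     "recorded_on": date(2020, 3, 16)},
    {"employee_id": "E-1002", "name": "Bob Example", "department": "Finance",
     "temperature_c": 36.6, "recent_travel": None, "symptoms": False,
     "recorded_on": date(2020, 3, 30)},
]

# Data minimization: only the fields the workplace-safety purpose needs are
# kept in the shared log. Name, temperature and travel details are dropped.
RETAINED_FIELDS = ("department", "symptoms", "recorded_on")

# Constructed retention period (assumption): entries older than this are purged.
RETENTION_DAYS = 14


def pseudonymise(employee_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym for an employee identifier.

    The key is an assumption of this example: it is held by HR, separately
    from the safety log, so the log alone cannot be linked to a named person
    (pseudonymization in the sense of GDPR Article 4(5)).
    """
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict) -> dict:
    """Keep only the fields listed in RETAINED_FIELDS."""
    return {field: record[field] for field in RETAINED_FIELDS}


def build_safety_log(records, key: bytes) -> list:
    """Produce the minimised, pseudonymised log that can be shared internally."""
    return [dict(subject=pseudonymise(r["employee_id"], key), **minimise(r))
            for r in records]


def purge_expired(log: list, today: date, retention_days: int = RETENTION_DAYS) -> list:
    """Apply the retention policy: drop entries recorded before the cutoff."""
    cutoff = today - timedelta(days=retention_days)
    return [entry for entry in log if entry["recorded_on"] >= cutoff]


def resolve(pseudonym: str, staff_ids, key: bytes):
    """Re-identification by the key holder only: recompute pseudonyms over the
    staff list and compare in constant time. Returns None if no match."""
    for staff_id in staff_ids:
        if hmac.compare_digest(pseudonymise(staff_id, key), pseudonym):
            return staff_id
    return None


if __name__ == "__main__":
    hr_key = b"constructed-demo-key-kept-by-HR"  # would come from a key store
    log = build_safety_log(SCREENING_RECORDS, hr_key)
    for entry in log:
        print(entry)
    kept = purge_expired(log, today=date(2020, 4, 10))
    print(f"{len(kept)} of {len(log)} entries within retention period")
```

The safety log contains no names, temperatures or travel details, and its subject column is meaningless without the key; only the key holder can call `resolve` to notify the person concerned. Running `purge_expired` periodically enforces the retention period that the updated record retention policy should specify.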
In summary, employers should:
- take appropriate care to require from their employees and visitors information relating to sensitive data only to the extent that national laws allow it, while honouring the principles of proportionality and data minimization;
- inform their personnel about any COVID-19 related incidents and take protective measures. At the same time, they need to ensure that they do not reveal any unnecessary information and ensure that the dignity and integrity of the affected employee are secured;
- ensure that security measures are increased and procedures are updated when it comes to the processing of sensitive data and working from home. They should at all times ensure that the personal data of the data subjects are secured.