The fight against the COVID-19 pandemic led to the deployment of unprecedented responses by states and organizations, from "data against corona" initiatives (i.e., use of "anonymized" and "aggregated" mobile data as part of monitoring the success of in-shelter rules) to employers around the globe eager to protect their workforces and launching corona-investigations (inquiring about personal travels, imposing self-quarantine measures, etc.).

Even more so in such strained times, attention must be paid to balancing those initiatives against individuals' fundamental right to privacy. In this context, many national data protection authorities in the European Union and the United Kingdom issued guidelines on the processing of personal data as part of the COVID-19 crisis in an effort to define what is possible and what is not.

We summarize below the approach taken in relation to three aspects of employee privacy, namely: the opportunity for employers to request employees to disclose symptoms, the conduct of examinations of employees and, finally, the disclosure of affected employees' identity to peers.

A snapshot is provided for Belgium, France, Germany and the United Kingdom. For a broader review of cybersecurity and data privacy aspects in relation to COVID-19, please read our Legal Update on the subject.

Enjoy the reading.

Diletta De Cicco and Charles Helleputte

COVID-19 and data protection in Belgium

What are the guidelines issued?

On March 13, 2020, the Belgian data protection authority ("APD") published its initial guidance (the "Guidance") to assist employers having to balance preventive measures for the health and safety of their employees while preserving the employees' right to privacy and data protection:

https://www.autoriteprotectiondonnees.be/covid-19-et-traitement-de-données-à-caractère-personnel-sur-le-lieu-de-travail

The Guidance was last updated on March 2020 and on March 31, the APD launched a dedicated COVID-19 page on its website (available here:

https://www.autoriteprotectiondonnees.be/epidemie-covid-19).

Snapshot of guidelines issued covering:

Asking employees about their diagnoses or symptoms

The APD made it clear that employers cannot oblige employees to fill in medical questionnaires or reports of recent travels. However, the APD suggests that employers may encourage employees to communicate voluntarily any symptoms or travels to highly infected areas.

Conducting or requiring examinations of employees

The APD pointed out that the assessment of health risks should be carried out by occupational physicians, namely the workplace doctors, and not the employers themselves. Similarly, only the occupational physicians and not the employers are authorised to conduct general and systematic health checks of the employees and visitors, such as temperature controls.

Sharing information about affected individuals

An employer's disclosure of the identity of data subjects who contracted COVID-19 would likely be a breach of the GDPR. Rather, the physicians can detect infections and share such information with the employers and persons who have been in contact with the infected persons.

Any other relevant consideration from the guidelines

The APD recalls that the processing of special categories of data can only be based upon one of the legal bases set forth in Art. 9(2) GDPR. Collection of health data as part of the COVID-19 pandemic cannot extensively and systematically be justified using Art. 6(1)(d) GDPR ("processing necessary to protect the vital interests of the data subject or of another natural person"). Further, while relying on the public interest in the area of public health could be possible, this would only apply to those processing activities required pursuant to explicit instructions from the authorities. The APD insists that employers comply with the data protection principles of proportionality, transparency, data minimisation and purpose limitation. Should there be a reason for collecting the minimum required amount of personal data, employers shall ensure that employees are informed about the purposes for which their data are processed and the storage period of their data.

Authors: Diletta De Cicco, Charles Helleputte

Covid-19 and data protection in France

What are the guidelines issued?

The French data protection authority ("CNIL") released a statement on March 6, 2020 recalling a few data protection principles that apply in the context of the Covid-19 crisis:

https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles.

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms

It is not possible for an employer to collect and process information about its employees, their relatives and visitors concerning their health condition, whether globally or individually, either through the collection of medical sheets or questionnaires or by way of binding body temperature testing of each employee / visitor. It is however recommended for an employer to inform visitors, customers and employees entering the buildings about Covid-19 and to invite them to contact the company as soon as possible in case of suspicion of contagion or symptoms (it is recommended to appoint a specific person to whom the employee, visitor or customer will report).

Employees have a duty to report to their employer any suspected contact with the virus.

Conducting or requiring examinations of employees

Health data are subject to specific protection both by the GDPR and the French public health code. This code notably provides for a strict medical secrecy which prohibits any doctor from disclosing information regarding an employee's health condition. In any case, an employer can only refer employees to the company occupational doctor who is bound by the same professional secrecy.

Sharing information about affected individuals

In the event of a report, an employer may:

  • record the date and identity of the person suspected of having been exposed;
  • list the organizational measures taken (confinement, teleworking and contact with the occupational doctor, etc.); and
  • as the case may be, inform health authorities.

The CNIL does not specify that other employees may receive such information. The employer should, in order to comply with its health and safety obligation, inform the employees of a potential risk of infection. However, it does not seem necessary to provide the employees with the name of the sick individual. Should it be necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and provide his/her prior consent.

Any other relevant considerations from the guidelines

Employers should follow directions given by public authorities and process health data only to the extent required by such authorities.

Author: Régine Goury

Covid-19 and data protection in Germany

What are the guidelines issued?

On March 13, 2020, the German "Datenschutzkonferenz", a collective body comprising independent federal and state data protection authorities, published guidelines regarding Covid-19 and data protection.1 On the same day, the state data protection authority of Baden-Württemberg published Q&As on the subject.2 A few days later, the state data protection authority of Rhineland-Palatinate issued a note focusing on employee data protection.3

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms

Controllers are allowed to collect and process personal data of employees and visitors, including health data, in particular to determine whether they are infected with Covid-19, have been in contact with a person who is proven to be infected, or have traveled to an area classified by the German Robert Koch Institut as a Covid-19 risk area.

Conducting or requiring examinations of employees

Employers are not allowed to actively collect health data of employees (data protection authority of Baden-Württemberg). In addition, temperature testing is not lawful given the existing doubts as to the suitability of such tests, as well as the various less intrusive measures that could be used (data protection authority of Rhineland-Palatinate). This applies even where employees do not oppose the tests.4

Sharing information about affected individuals

It is only lawful to share personal information of individuals infected with Covid-19 or suspected of being infected if the knowledge of their identity is exceptionally necessary for protecting people they had contact with. In this case, controllers may rely on Art. 6(1)(c) or (f) GDPR.

Any other relevant considerations from the guidelines

Health data must be kept confidential, used solely for the intended purpose and deleted once the purpose is achieved (as a general rule, at the latest after the end of the pandemic). For data processing activities that are not covered by the legal ground of necessity of data processing for reasons of public interest in the area of public health, controllers may rely on consent only where data subjects have been informed about the data processing and have voluntarily consented.

Authors: Vanessa Klessy, Ana Bruder

1 https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html?nn=5216976

2 https://www.baden-wuerttemberg.datenschutz.de/faq-corona/

3 https://www.datenschutz.rlp.de/de/themenfelder-themen/beschaeftigtendatenschutz-corona/

4 https://www.covid19.law/2020/03/compulsory-temperature-testing-and-the-protection-of-employee-data/

COVID-19 and data protection in the United Kingdom

What are the guidelines issued?

The UK's Information Commissioner's Office (the "ICO") recommended organisations adopt a proportionate approach to their data protection practices during the pandemic. The ICO reassured organisations that it understands the challenges that some organisations are facing when allocating financial and human resources away from their usual compliance work during this period.

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms

It is reasonable for businesses to ask individuals that they come into contact with, such as members of staff or visitors, whether they have visited a particular country or are experiencing COVID-19 symptoms, but organisations may not need to collect more specific information about individuals' health conditions and should not collect more personal data than they need (proportionality and data minimisation).

Conducting or requiring examinations of employees

From an employment law perspective, although it is possible for an employer to ask if an employee would consent to a test, it is not permissible for an employer to require an employee to take a test or, for example, face being suspended without pay or dismissed. Further information about this can be found at:

https://www.mayerbrown.com/en/perspectives-events/publications/2020/03/coronavirus-covid19-practical-points-for-uk-employers.

Sharing information about affected individuals

Where there has been a case or suspected case within an organisation, businesses may inform their personnel, but it is probably not necessary to name the affected individual(s) unless it is strictly required to protect other individuals. In cases where it is necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and their dignity and integrity protected. Further information about this can be found on our blog at:

https://www.employerperspectives.com/2020/03/right-to-know-covid-19/

Any other relevant considerations from the guidelines

  • Security of personal data and homeworking: An organisation's legal obligations to keep personal data secure remain the same, even during a crisis. Businesses need to consider and implement security requirements that are appropriate to protect personal data that may be processed in a homeworking environment. These may be the same as or tougher than those used at the organisation's premises.
  • Data protection compliance related deadlines: While the statutory timescales under the GDPR and the Data Protection Act 2018 continue to apply, the ICO said that it will take a more pragmatic view during this extraordinary period and will not penalise organisations that it knows need to prioritise other areas.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.