Data Processing in Times of Coronavirus Disease 2019 (COVID-19): Guidance from EU and National Data Protection Authorities
As many countries reach the second stage of the Coronavirus Disease 2019 (COVID-19) outbreak, privacy protections may be relaxed under certain circumstances. The European Data Protection Board (EDPB) issued a statement on the processing of personal data in this period, and several national data protection authorities have issued COVID-19 specific guidelines and advice. As there are considerable differences between the various guidelines, it is essential that organizations subject to EU data protection law become familiar with the national guidance that applies to them.
This guidance touches, amongst other things, upon the question of what employers are allowed to do and say when an employee has, or appears to have, contracted COVID-19.
This blog covers the following topics:
European Data Protection Board Guidance
EDPB Statement: General Information About Legal Bases for Data Processing
The EDPB adopted a ‘Statement on the processing of personal data in the context of the COVID-19 outbreak’ on March 19, 2020.
In this statement the EDPB reiterates that employers and public health authorities may process personal data without consent of the data subject in case of a pandemic. The EDPB refers to several legal bases in articles 6 and 9 of the General Data Protection Regulation (GDPR).
Article 6 (1) (e) GDPR contains a legal basis for processing if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the public interest legal basis).
Article 6 (1) (d) GDPR provides for the processing of personal data if it is necessary to protect the vital interests of the data subject or another natural person (the vital interest legal basis). Such a vital interest can be found in the protection of the data subject’s or another natural person’s life, but only where the processing cannot be based on another legal basis. Generally, it is regarded as a ‘last resort,’ for instance when an individual is unconscious and in mortal danger.
Recital 46 of the GDPR explains that the above-mentioned legal bases can go hand in hand:
‘Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters’.
Where it concerns health data, which qualify as a special category of personal data, the employer or public health organization can rely on the same legal bases: articles 9 (2) (c) and 9 (2) (g) GDPR are the counterparts of the vital interest and public interest legal bases, respectively, as referred to above.
In addition, pursuant to article 9 (2) (i) health data may also be processed if this is necessary ‘for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices’ (the public health legal basis).
The EDPB also lists several core principles that must be taken into account in the context of the COVID-19 outbreak. Personal data which is necessary to pursue the objectives should only be processed for specified and explicit purposes and the data subject must receive transparent information on the processing activities and their main features.
Lastly, the EDPB answers specific questions, which are particularly relevant for employers. The answers to these questions demonstrate that the national law of the member states is decisive to determine the employer’s obligations.
The EDPB’s answer to the question ‘Can an employer require visitors or employees to provide specific health information in the context of COVID-19?’ is as follows:
The application of the principle of proportionality and data minimization is particularly relevant here. The employer should only require health information to the extent that national law allows it.
In addition, the question ‘Can an employer disclose that an employee is infected with COVID-19 to his colleagues or to externals?’ is answered as follows:
‘Employers should inform staff about COVID-19 cases and take protective measures but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.’
The Dutch data protection authority (AP) published an approach towards an employer’s obligations on its website, which was updated several times. The approach has been criticized by some for limiting an employer’s options to obtain information and prioritizing an employee’s privacy.
Generally, an employer is not allowed to check whether an employee is infected with the COVID-19 virus. This is only allowed if the employee works in the health sector.
In addition, an employer may not request any information about the nature and causes of a sickness notification. Consequently, it may not register such information either, as it is not considered necessary. This applies equally to a bone fracture, a cold, and COVID-19. While most employees may feel obliged to inform their employer about the nature of their sickness (especially in times of a pandemic), such a limitation may hinder an employer in ensuring the health and safety of its employees.
The AP advises that instead, an employer may request a company doctor to test an employee in cases of suspicions of COVID-19. The AP specifically states that an employer may also request its employee to contact such company doctor.
If the doctor suspects an infection on the basis of this test, the doctor will file a report with the regional health service. This service will then discuss the required next steps with the employer. Note that, under this mechanism, the employer only indirectly receives information about the employee’s illness. The company doctor is allowed to process and register health data, as required under Dutch law, and because this is necessary for reasons of public interest in the area of public health (article 9 (2) (i) GDPR).
Recently, the AP added that an employer may also request employees to check their health during working hours, for example by measuring their temperature. This is specifically the case if the employee does not work from home.
In addition, the AP notes that under the current circumstances, an employer may send employees home if they are sick, or if the employer suspects that an employee is sick (for example because the employee has flu or cold symptoms).
According to the AP, the answer to the question ‘what can I say about someone’s absence to their colleagues?’ is that it remains up to the employee what they want to share. The employer may inform colleagues about the expected duration of an absence, but the AP reiterates that the employer/employee relationship is not considered an equal one. The AP advises that an employer must make sure that the employee does not feel any pressure to provide further information (such as their name or details of the illness).
The AP adds that the current situation requires specific and far reaching measures. The employer is encouraged to monitor the advice of national and regional health services closely.
The UK’s Information Commissioner’s Office (ICO) provides information on its website about ‘Data protection and coronavirus: what you need to know.’ The information is set up in a Q&A form.
The ICO answers the question ‘As a healthcare organization, can we contact individuals in relation to COVID-19 without having prior consent?’ as follows:
‘Data protection and electronic communication laws do not stop Government, the National Health Service or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health’.
The ICO also confirms that an employer can tell its staff that a colleague may have potentially contracted COVID-19. However, the ICO emphasizes that ‘you probably don’t need to name individuals and you shouldn’t provide more information than necessary.’
It makes it clear that the organization has ‘an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.’
Furthermore, the ICO advises that an employer is allowed to share employees’ health information with authorities – even though it is unlikely that this will be requested. The ICO emphasizes that it remains of importance to collect only strictly necessary data and to ensure that the information is treated with appropriate safeguards.
Interestingly, the ICO notes that it will not ‘penalize organizations that we know need to prioritize other areas (than data protection practices, ed.) or adapt their usual approach during this extraordinary period.’
The Irish Data Protection Commission (Commission) emphasizes the employer’s obligation to protect its employees.
With regard to article 9 GDPR, the Commission notes that it is likely that Article 9(2)(i) GDPR and Section 53 of the Irish Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
The Commission concludes that an employer may process health data of its employees, if it is necessary and proportionate to do so. The legal basis for this processing is found in article 9(2)(b) and the obligation of an employer to protect its employees under the Irish Safety, Health and Welfare at Work Act 2005.
In addition, the Commission explicitly states that in light of this employer’s duty of care:
employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms; and
employers would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow necessary steps to be taken.
Lastly, the Commission notes that an employer should avoid naming any individual employee that has contracted the virus. Rather an employer should inform its staff that there has been a (suspected) case and request the staff to work from home. This last part was clearly written in the first stage of the pandemic.
In its extensive report, the Spanish data protection agency (AEPD) touches upon the vital interest legal basis in articles 6 and 9 GDPR.
With regard to this legal basis in article 6 GDPR, the AEPD notes that this also aims to protect the vital interests of ‘another natural person.’ Consequently, this legal basis may be sufficient for the processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic, which would justify, […] in the widest possible way, the measures adopted to this end […]. This interpretation is clearly broader than the generally accepted interpretation.
The AEPD notes that this legal basis does not suffice where health data are concerned. The AEPD, like the Irish Commission, therefore refers to article 9 (2) (b) GDPR, which provides a legal basis for the processing of health data without consent for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law.
A Spanish employer is subject to a Spanish law on the prevention of occupational risks. This law requires each worker to ensure their own and others’ safety and health at work. Consequently, workers must immediately report any situation that reasonably involves a risk to that safety and health, including any suspected contact with the virus. The employer must then process such data in line with the GDPR.
As possible legal bases for data processing in light of the COVID-19 pandemic, the AEPD lists:
the established article 9 (2) (g) and 9(2)(i) GDPR (the public interest and public health legal basis)
article 9 (2) (h) – the processing is necessary to carry out a medical diagnosis, or evaluation of the worker’s work capacity
article 9 (2) (c) (the vital interest legal basis), but only in the event that the data subject is not physically or legally capable of giving their consent.
The AEPD reiterates that Spanish laws contain provisions that allow the processing of data in emergency situations. Thus, in order to protect public health, the ‘different public administrations […] may adopt the necessary measures to safeguard said essential public interests in public health sanitary emergency situation.’ A reassuring message from the AEPD, coupled with its reminder that all data protection principles (laid down in article 5 GDPR) must nonetheless be respected.
The AEPD concludes with the highly relevant recital 54 GDPR:
“The processing of special categories of personal data, without the consent of the interested party, may be necessary for reasons of public interest in the field of public health. Such processing must be subject to appropriate and specific measures in order to protect the rights and freedoms of natural persons. […] This processing of health-related data for reasons of public interest should not result in third parties, such as businessmen, insurance companies or banks, treating personal data for other purposes”.
It is expected that other national data protection authorities will also provide specific Coronavirus Disease guidance.