By Anas A. Malik, Legal Counsel & Data Protection Manager, Aon Germany.
Coronavirus is an outbreak of a respiratory disease, also known as “Covid-19”. The outbreak first became noticeable at the end of December 2019 in the city of Wuhan in China. By March 2020 Covid-19 had spread into a worldwide pandemic with over 237,996 cases confirmed in 159 countries and 9,819 victims and rising, which became a financial threat to corporates as well as economies. This paper deals with how to solve data protection challenges and privacy approaches, since many companies are currently facing the question of how to deal with the personal health data of their employees.
Requirement of health data
Information about an individual’s health is a ‘special category’ of personal data, and the ability to collect health data lawfully is more limited. The GDPR defines health data as any information related to an individual’s physical or mental health. Therefore, health data not only covers information that is “obviously” health-related – such as a description of symptoms – but also more general information. This includes information on past or present health conditions, but also information concerning the person’s future health. So, data that the company receives through self-declaration or questionnaires from employees or external parties in order to check the current health status is always sensitive data that requires protection.
Lawfulness of processing
Health data are subject to the processing prohibition in accordance with Art. 9(1) GDPR, which results in stricter requirements in which processing is permitted. The legal basis for processing health data regarding protection of employees against coronavirus would be:
Art. 9(2)(a) GDPR permits data processing on the basis of consent of the employee. It must be taken into account that a consent cannot be given by implication or an opt-out procedure. Consent for processing personal data must be given in an informed and voluntary manner and not per the general consent requirement of the national law. The most appropriate would be a written consent or an oral consent. Both have to be filed with the purpose of processing and date of consent for accountability reasons by the controller. The disadvantage is since the consent is voluntary it can be freely revoked at any time. A comprehensive use and evaluation would therefore not be guaranteed. In addition, the question of how to obtain the consent of all potentially affected persons who have had contact with a patient is also an issue.
According to Art. 9(2)(i) GDPR, the processing of sensitive data is permissible due to the increasingly rapid spread of the coronavirus, if it concerns the area of public health, which includes in particular “serious cross-border threats to health“. It should be considered that this is a flexibility clause that’s why the national legislature may, under certain conditions, create its own regulations.
As a similar legal basis, the exceptional circumstances of Art. 9(2)(g) GDPR could apply. According to this, the national legislature can enact legislation that allows companies to process special categories of personal data if there is a substantial public interest. Such an interest certainly exists in the case of the fight against coronavirus, but it is precisely the national legislature, which must create appropriate specific provisions, which specify the processing and conditions of the required data in more detail.
Every processing of health data of employees concerning coronavirus has to be necessary to fulfil the data minimisation principle. Companies as controllers should continuously reflect whether the employees’ health data is “adequate, relevant and limited to what is necessary in relation to the” coronavirus safety purpose. It should be considered how the same goals can be achieved by a reframing from a question or an alternative procedure.
The normal requirements around provision of information to be provided to the related data subjects will apply. Employees about whom health data is collected should receive a privacy notice, before or at the moment of collection, that details the main characteristics of the data use. Companies can either update existing privacy notices or if they do not cover disease containment – create a new privacy notice dedicated to coronavirus. All data subject rights will remain relevant for companies and will need to have processes in place to deal with requests, especially exercising the right of access and right of erasure (Article 12-21 GDPR).
Given the nature of coronavirus-related data processing activities, when sensitive health data and evaluation of health risks is involved according to Article 35 GDPR a Data Protection Impact Assessment has to be undertaken by organisations. A Data-Processing-Agreement or Joint-Controller-Agreement should be put in place if employees’ health data is passing to another entity. The GDPR allows companies to outsource the collection and analysis of coronavirus-related personal data, until this outsourcing does not reduce the level of data protection. According to Article 30 GDPR a Record of Processing Activities should be maintained and updated in a timely and accurate manner to reflect the new personal health data processed.
Moreover, appropriate safeguards as technical and organisational measures have to be implemented and ensure the security of the personal data to the level of risk. It is recommended to store or process employees’ health data in an encrypted file on a hard drive. Only employees from whom it is strictly necessary to undertake their tasks should have access to the employees’ health data. Lastly, the process of deletion has to be initiated by the company after the legal retention period or fulfilment of purpose has been lapsed.
Companies can collect and store health data relating to their employees through self-disclosure or questionnaires on their recent locations and indications of potential symptoms and their indicators. They can also conduct surveys on specific occasions after business trips or contact with suspected persons. In the event of a positive finding on an employee by an official body or in the event of confirmed contact with a person who tested positive, it would be permissible to process information about the employee concerned, e.g. time and close contact persons and measures taken. But it should not be permissible to require all employees to provide information on their travel destinations and health status or collect blanket information about flu symptoms from employees or to have them communicated by colleagues.
The fever testing of employees at the entrance of the company premises and other medical measures can be justified under strict conditions. A fever test can certainly be regarded as permissible if the results are only used for an admission control with the necessary and limited decision undertaken by a simple “yes or no”, without further processing of information it would not constitute the processing of personal data.
In order to ensure that employees can be warned at short notice and not when they appear at work, companies may also request and temporarily store the current private phone number of their employees with a consent. At latest after the end of the pandemic, the collected contact private contact data must be deleted by the company.
Other measures currently under discussion should be viewed extremely critically, e.g. mobile phone tracking of infected persons in order to better identify contact persons or the naming of specific addresses of infected persons. In any case, this could only be carried out by the state, the governmental agencies authorized to protect public health.
Knowing about an employee’s Covid-19 disease can lead to a stigmatisation for the employee. Mentioning the name of the infected should therefore be avoided. Simultaneously, employees who have been in direct contact with an infected person must be warned and be excused from work themselves to reduce the risk of infection. Such a measure can be carried out on a department or team basis. If, in exceptional cases, this is not sufficient, the company must contact the health authorities and request their decision.
Companies should only collect necessary personal data. In the context of coronavirus containment, this means collecting the minimum information needed to evaluate the risk that an individual carries the virus and take proportionate risk-based measures. In terms of data collection method, the least intrusive and disturbing option should be selected. This may require adopting a gradual risk-based approach, such as providing questionnaires with targeted ‘yes or no’ questions to carry out a first screening of individuals’ coronavirus threat and review the questionnaires to ensure only required and necessary information is collected.
As long as no official written order has been issued, companies are only free to collect and store the names and contact details of their employees on the basis of consent for the purpose of transmitting them to the health authorities on request. In this case, the duration of storage should be based on the presumed incubation and detection period of infections.
In view of the infection rate on the one hand, and the intensity of an intrusion into the privacy of employees when accessing health data on the other, a collection and evaluation can be regarded as proportionate. Still the potential for abuse from the collected health data is great, it would be relatively easy to draw further conclusions about religious beliefs or sexual orientation. However, the risk to public health is increasing and is existential. It is then up to find a good balance between data and health protection of the employees.