Roxana Ionescu and Madalina Bucur
In the past months, coronavirus disease (COVID-19) outbreak has been a major topic of interest worldwide and continues to be a source of concern for all businesses across industries. Among the significant disruptions brought to the global economy, COVID-19 has a direct impact on the workplace. Various companies have already struggled to find out solutions to mitigate risks related to COVID-19 and to ensure business continuity.
When planning to collect employees’ personal data as part of the efforts to monitor and prevent the spread of COVID-19 among the organization, the employers should consider also the data protection implications thereon. Such implications arise in particular when the envisaged processing entails the collection and use of special categories of data, such as health data (e.g., data resulting from screening or testing of employees’ health condition, information that an employee is or may be infected with the coronavirus that causes COVID-19).
Some say that the preventive effort is burdened by the need to comply with the General Data Protection Regulation (GDPR). But in reality, both aims – protecting the employees’ health and be GDPR compliant – can be achieved at the same time. So let us look at the processing of employees’ data while fighting with COVID-19 from a practical perspective:
- ensuring the lawfulness and legitimacy of the processing
Employers should always ensure that the envisaged processing is lawful and legitimate.
In order to achieve this, employers need to identify a legal basis under Article 6 and, in case the processing entails sensitive data, to also identify one of the additional guarantees under Article 9 of GDPR.
Employers should determine the legal basis under Article 6 of GDPR and the guarantees under Article 9 of GDPR before the commencement of the processing. The assessment made thereon, as well as the decision-making should be properly documented. But the good news is that, in most cases, such assessment has been already covered as part of the ongoing effort for GDPR compliance, even though without express reference to this latest health threat. So, before anything else, check the requirements detailed below against the compliance actions already taken and document this.
In respect of the legal basis, there may be cases where the processing would be necessary for compliance with a legal obligation incumbent upon the employer (e.g., to protect employees’ health at the workplace) or necessary in order to protect the vital interest of the employee concerned or of another natural person. Other legal basis under Article 6 of GDPR may be applicable depending on the jurisdiction where the processing takes place and on the specific particularities of the processing. Even the legitimate interests of employers may be a valid legal basis, but this comes with the added burden of having to demonstrate the legitimacy of processing by reference to the potential impact on the fundamental rights and freedoms of employees and ultimately with the need to implement strict safeguards to mitigate a disproportionate impact.
In respect of the guarantees under Article 9 of GDPR for the processing of special categories of data, their suitability also depends on the jurisdiction where the processing takes place, as well as on the specific particularities of the processing. Depending on such details, the employers’ may argue, for example, that the processing is necessary to comply with its obligations under the health and safety at work legislation, for assessing the employee’s work capacity or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. In certain jurisdictions, the assessment to identify a proper guarantee may be challenging. This is because almost all guarantees that seem to fit at the first sight are subject to additional conditions that may prove difficult to comply with in practice.
For example, most of the guarantees under Article 9 of GDPR will work only if employers are able to demonstrate that the processing is “necessary” for the envisaged purpose. The processing shall pass the necessity test even in case it would not entail special categories of personal data. In a reasonable interpretation, this means that it is not sufficient for the processing to be just useful for the employer, but it has to be proportionate with the considered purpose. Likewise, the employers shall be able to demonstrate that they cannot achieve the same purpose by other less intrusive means (e.g., by not collecting special categories of data). Employers shall consider also the data minimization principle when deciding the purposes and means of the processing.
Before becoming to (GDPR) concerned, look at how your organization already assessed the processing of employees’ health data, including in connection with seasonal flu and other similar risks. It is likely that the same rationale that applied then would be applicable in the context of COVID-19. Any additional guidance, such as the ones at international level (e.g., the World Health Organization’s guidance on Getting Workplace Ready) or decisions issued by the local government will help substantiate the lawfulness of the processing.
- ensuring the fairness and transparency of the processing
Employers shall assess whether the existing privacy notices cover the processing intended to mitigate COVID-19, or if there is a need to supplement such privacy notices or to adopt new ones. More than likely, such notices cover the processing of health data, as this may be necessary in the ordinary course of business, e.g. to confirm the employees’ fitness as per local law or to manage medical leaves etc.
If your organization plans to adopt COVID-19 dedicated policies or internal norms, consider including at least a general reference to the privacy notice in there and add any information that deviate or supplements from the latter’s content. If employees have already raised concerns about the situation within the organization (by now, this is not only likely, but probable), make sure to underline how their concerns are addressed by the measures adopted.
- disclosing personal data both internally and externally should be limited
Employers should limit as much as possible the disclosure of their employees’ personal data, especially health data. But this is not something new, as normally any company has considered the “need to know” requirement when determining how and when personal data are disclosed.
But COVID-19, with its apparent long incubation period and increased risk of spreading, may lead to the need for disclosure. For sure, employers will have to comply with any reporting under local law. Such reporting exists for sure in Romania and is likely to be set out in other jurisdictions as well. In such cases, the employer shall limit the reporting to what is legally required and ensure that such is made only to the public authority that is officially competent to receive the information.
Beyond that, no public disclosures (both externally and internally) of the concerned employee’ identity should be made, as long as it would be sufficient to make a more general statement on the fact that (some) employee(s) was/were infected, without providing names.
Internal disclosures of the concerned employee’s identity should also be limited except when strictly necessary to investigate and identify the individuals who were in contact with the employee who is or may be infected with COVID-19. This recommendation to limit disclosure is meant to avoid any potential bulling or discrimination. In all cases, the disclosures shall be limited only to those persons within the organization who need to know such information in order to perform their attributions in the health and safety field.
- performing a data protection impact assessments (DPIA)
In case the processing is likely to result in a high risk to the rights and freedoms of employees, employers shall perform a DPIA. Such may be the case, for example, when it is intended to process on a large scale special categories of data. When deciding if such type of assessment is necessary, the employers shall take into consideration also the so-called DPIA Blacklist/Whitelist adopted by the supervisory authorities from the Member States.
In order to address the above mentioned concerns, as well as other data protection requirements, employers may wish to establish internal dataflow to document how they would collect, use, retain, share and secure any personal data as part of COVID-19 action plans.
In conclusion, managing the risks related to the COVID-19 do not necessarily imply assuming risks of non-compliance with GDPR. In this area, employers considering preventive actions should first look at what they already have in place and, if necessary, make what should be only small adjustments to already existing GDPR compliance actions given the specificity of this new risk.