Spread of COVID-19 Raises Data Protection Issues
Certain measures under consideration to help combat the threat of COVID-19 raise questions about how current data protection guidance applies in practice to efforts to prevent the spread of infection. Clearly, in light of the serious global threat posed by this virus, data protection is not likely to be the primary concern, but we know that businesses are keen to understand (and, where possible, to comply with) their obligations in this context, and we are dealing with queries such as the following:
Can you ask employees about their travel plans (either before or after a holiday abroad)?
Can you require employees to undergo a medical examination or submit to tests to check their temperature?
Considered from a UK data protection perspective, both of these questions certainly involve the processing of employees’ personal data. To comply with the GDPR/Data Protection Act 2018, the employer (the “controller” under data protection law) is required to identify a lawful basis under Article 6 for collecting and processing such information before any processing begins.
Employee consent is difficult to rely on, given the imbalance of power between employer and employee, so unless the processing becomes truly necessary to protect the “vital interests of the data subject or of another natural person” (usually understood to mean an emergency, “life or death” situation), the most appropriate lawful basis is likely to be either the legitimate interests of the controller or compliance with a legal obligation. Legitimate interests require the controller to show that it has a genuine legitimate interest in processing employees’ personal data, which is not overridden by the fundamental rights and freedoms of the data subject.
Turning to the first question, in ordinary circumstances a request of this kind might be considered unusual and an unwarranted intrusion into private and family life. In the current climate, however, an employer could have a valid legitimate interest in asking employees to disclose where they are going on holiday, or where they have recently been, in light of the very real threat posed by travel to the jurisdictions currently most affected by COVID-19. The employer has a clear interest in, and an obligation to ensure, the safety of all staff and visitors at the employee’s place of work, and must take into account the rights of all data subjects.
In this situation, it is likely that the employer’s legitimate interest is not overridden by the individual’s privacy rights, but those rights should still be respected. The information collected should be kept confidential and, in line with the data protection principles of data minimisation and purpose limitation, limited to what is strictly necessary to safeguard employees and visitors and to combat the threat of the virus. As the virus is spreading quickly around the world, it is difficult to judge whether any location is safer than another, but areas deemed higher risk might be grouped accordingly, with employers making decisions based on government advice. Supported by a legitimate interests assessment (LIA), and retained for no longer than necessary, the processing of such information for these restricted purposes ought to be lawful under data protection law.
Regarding the second question, a medical examination or temperature check would involve processing health data (special category data), so in addition to an Article 6 lawful basis (such as legitimate interests, as described above, or a legal obligation), a further condition under Article 9.2 of the GDPR/Data Protection Act 2018 must be satisfied before any processing is carried out. Although the explicit consent of the employee might be preferred, the employer will not be able to rely on it unless the employee is genuinely free to decide whether to give consent, with no threat of adverse consequences if they refuse, and the consent meets all of the other requirements for valid consent under the GDPR. If employees’ consent cannot be relied on as a valid condition for processing the data, one or more of the following alternative conditions under Article 9.2 may apply:
9.2(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law… This may apply if the employer can assert that it is necessary to take a particular measure in order to comply with its obligation to safeguard employees or others.
9.2(g) – processing is necessary for reasons of substantial public interest.
9.2(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services… subject to the conditions and safeguards referred to in paragraph 3.
9.2(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care….
(Under Article 9.3, processing relying on 9.2(h) must be carried out by, or under the responsibility of, a professional subject to an obligation of professional secrecy under Union or Member State law, or by another person subject to an equivalent obligation. 9.2(i) requires a basis in Union or Member State law that provides suitable and specific safeguards for the rights and freedoms of the data subject, in particular professional secrecy.)
The key test here is “necessity”. Is it strictly necessary to process this health data in order to safeguard employees and combat the threat of COVID-19? This will depend largely on the level of threat posed by COVID-19 in the UK, whether the intended measure is likely to be effective in combating that threat, and whether any alternative, effective but less intrusive measures are available. The employer should also consider how it can reduce the level of intrusion caused by the testing or assessment (“proportionality”). If a medical assessment is needed, will the employer conduct it through Occupational Health or rely on the employee’s own GP? What results will be disclosed to the employer, given the specific purposes of the disclosure? Finally, how long will these records be kept, and by whom? Again, an assessment of the risks to, and rights of, data subjects should be conducted. If the processing is likely to result in a high risk to the rights and freedoms of individuals, or involves special category data processed on a large scale, a Data Protection Impact Assessment (DPIA) will be required before any processing is carried out.
Several of the above conditions for processing special category data require suitable and specific measures to safeguard the fundamental rights and interests (or freedoms) of the data subjects involved. Furthermore, the Data Protection Act 2018 (Schedule 1) requires an appropriate policy document to be in place where the processing is necessary for the purposes of employment, social security and social protection law, or is carried out on substantial public interest grounds. This separate policy document should explain the controller’s procedures for complying with the data protection principles (in Article 5 of the GDPR) and its retention and erasure policies for this type of data. Whatever the business decides to do, it should give employees clear information about its plans and how their personal data will be processed. It is worth revisiting existing employee privacy notices and policies to address any gaps, whilst prioritising efforts to protect employees’ health. It may be necessary to provide a supplementary privacy notice setting out key information about the additional purposes for which personal data and special category data will be processed.
While some European supervisory authorities (e.g., in Italy and Denmark) have issued GDPR guidance for companies to consider when putting in place measures to combat the threat of COVID-19, neither the ICO nor the EDPB has issued guidance yet.