COVID-19: What precautions should companies take when processing personal data within an employment context?
Data Protection Alert Portugal
Within the context of the global spread of COVID-19 (Coronavirus), companies have discovered a new reality, which also raises questions within the scope of the processing of personal data, in particular the fulfillment of the General Data Protection Regulation (GDPR) and Act 46/2012, dated August 29 (Electronic Communications Privacy Act).
In contrast to most supervisory bodies and other European countries, the Portuguese National Data Protection Commission (Comissão Nacional de Proteção de Dados) (CNPD) has not yet commented on this matter, only clarifying, through Resolution/2020/170, that the response times to draft resolutions have been interrupted until the end of the country’s state of emergency due to COVID-19 is declared (with such period recommencing on the business day following the publication of such declaration).
As it is essential to respond to basic questions relating to the processing of personal data carried out within the context of the fight against the pandemic, we decided to “cast an eye over Europe” and analyze the position of other data protection authorities in this area, as they reflect the way the legal bases and principles of the GDPR are being interpreted.
Based on this premise, and while we await the necessary clarifications and measures from the Portuguese authorities, Garrigues has decided to prepare and provide a set of responses to questions raised with us by some clients and which are of the utmost relevance for the businesses.
In general, as a preliminary point, it should be recalled that, in the terms of the GDPR, the processing of personal data by the employer depends: (i) on the existence of a legal basis for the processing, (ii) on the existence of an exception allowing the processing of health or other data which are specially protected (if the company is intending to process these categories of data) and (iii) on the processing actually being necessary, appropriate and proportional (principle of data minimization).
Aside from this, it should be recalled that, in any case, the employees should be informed of the processing of any personal data the company intends to carry out, and the companies must apply appropriate safety measures in line with the risk of such processing.
1. Can the employer ask its employees to undergo COVID-19 diagnosis tests it provides?
Imposing these tests on all the employees, as this involves the processing of health data, should not only comply with the requirement of the legal bases and exceptions for the processing of health data, but also with the suitability of and need for such processing (i.e. the company would have to be able to prove that it would not be possible to achieve the intended objective of containing the virus through methods which are less invasive of the privacy of the employees).
Many European supervisory authorities now consider that the general systematic collection of information relating to the infection or symptoms of COVID-19 is not proportional, and therefore neither is testing all the employees. However, there are other, more permissive authorities that allow this action under national legislation relating to the protection of health and safety in the workplace.
In Portugal, we will also need to verify the labor legislation related to medical examinations, as this may be relevant for defining the applicable legal bases and exceptions for the processing of health data. We must also ask whether the processing of the personal data arising from these tests is necessary, appropriate and proportional.
In general, we believe that subjecting all the employees to tests will, in many cases, be considered excessive. However, depending on the specific case, it may be possible to justify tests being carried out on just some of the employees, depending on the criteria used.
2. Can the employer systematically check the body temperature of its employees?
Although, at first sight, this measure seems less intrusive than performing COVID-19 diagnosis tests, it is true that this also involves the processing of health data. Therefore, the answer to this question is similar to the previous one.
On a European level, the Belgian, French, Dutch and Luxembourg supervisory authorities have commented on this matter and have decided that no, the employer cannot systematically control the body temperature of its employees, whereas the German and Spanish supervisory authorities have decided to allow it, within certain limits. We consider it relevant to emphasize the Italian position, which expressly establishes and authorizes these controls being performed within the context of the current pandemic.
3. Can the employer require its employees to periodically complete questionnaires relating to COVID-19 symptoms? And questionnaires relating to recent trips of its employees and the dates they left and returned to the country? Can these questionnaires include questions relating to people living with the employee?
As regards questionnaires relating to COVID-19 symptoms, it should be noted that these also involve collecting health data. Therefore, the legality of this processing would of course depend on the application of one of the exceptions allowing the processing of specially protected data. As regards questionnaires related to trips made, since they do not involve the processing of specially protected data, they depend on the existence of legal bases allowing the processing. However, in either case, there is a general systematic collection of information which must adhere to the principles of suitability, need and proportionality.
On a European level, supervisory authorities such as those from Belgium, France and Luxembourg have commented on this matter and consider that these systematic controls should not be carried out. As regards the Spanish authority, it has taken a more permissive position, allowing these questionnaires, provided they respect certain limits. In Italy, this is also allowed under the exceptional measures approved within the context of the current pandemic.
In Portugal, we note that, once more, it may be difficult to find a legal basis allowing the processing, and justifying its need, suitability and proportionality, including within the framework of legislation relating to health and safety in the workplace.
The response relating to questionnaires regarding relatives is similar, with the qualification that, in this case, it may be more difficult to claim that the processing is necessary for the protection of the health and safety of the employees.
4. Can the employer require its employees to state whether or not they belong to risk groups?
All the foregoing applies to this matter.
We would just point out that asking the employee whether or not they belong to risk groups (obviously explaining to them the conditions covered) is not the same as asking them to describe the conditions they suffer from, providing them with a list to this end, therefore classifying them as part of a risk group. Because it is less intrusive in respect of the privacy of the employees, we believe the first option would always be preferable, always within the framework of occupational health services and activities.
The employer must, however, identify the legal basis it is using for this classification, the case being that the employer must be able to evidence that it actually needs this information (e.g. for deciding which employees will have direct contact with the general public); consequently, the answer would vary case by case.
5. Can a company ask those visiting its facilities to state whether they have COVID-19 symptoms and/or where they have travelled to recently, along with their departure and arrival dates?
The English supervisory authority allows these controls, with the proviso, however, that it should not lead to the collection of excessive information. The Spanish supervisory authority and Italian authorities have pronounced likewise, the case being that, in each case, this position is supported by the legal obligation of the employer to protect the health of its employees.
In Portugal, there are still no guidelines relating to this matter. Therefore, companies will have to verify the circumstances already described in the previous questions. Note that, in order to mitigate the risks related to data processing, companies should always try to collect the minimum indispensable amount of information and inform the visitor, when arranging their visit, of the controls that will be carried out, in order to manage the expectations of the visitors as regards the processing of their personal data to be carried out.
6. Can the employer inform the rest of the employees when it identifies a company employee infected by COVID-19?
As regards this matter, the European Data Protection Board has clarified that, on informing the rest of the employees of the existence of an infected employee, the employer must take special care as regards the information provided, i.e. it should only provide the information necessary (principle of data minimization). In this sense, by way of example, the Belgian supervisory authority considers that the employer, in accordance with the principle of confidentiality and the principle of data minimization established in the GDPR, should not reveal the name of the infected employee when informing the other employees. In other words, it should only report the occurrence of the situation, without mentioning the details of the holder of the data. The name of the infected person can only be revealed to the workplace physician or the competent authorities.
In Portugal, the General Directorate of Health (in Guideline nº 006/2020, dated February 26) recommends that, in view of a validated suspicious case (still awaiting laboratory test results), the employer should inform the other employees of the existence of such a case. However, it does not state that this notification should include the name of the employee.
Therefore, if it suffices to inform the employees of the existence of a case, without identifying the employee in question, the notification should be limited to this.
7. Can I ask an employee suspected of being infected with COVID-19 to give the names of the employees with whom they have recently been in contact?
According to the aforementioned Guideline nº 006/2020, the employer is recommended to collaborate with the Local Health Authority in identifying the close contacts of the ill person after verification of the suspected case validated by professionals of the SNS 24 helpline.
However, in this case, the employer must also guarantee the verification of the legal basis allowing the processing and the existence of grounds evidencing the need, suitability and proportionality of the processing, recording them, and must involve the occupational health services in any action.
8. Can I share data on employees suspected of being infected with COVID-19 with the health authorities?
In line with the previous responses, this of course depends on the existence of legal bases allowing it (with the existence of legal provisions making this notification obligatory or permissible being particularly relevant within this context). Once again, the employer should check whether the processing is necessary and appropriate.
It should be noted that the aforementioned Guideline nº 006/2020 establishes that any employee performing their duties at the facilities of the employer and informing it of the existence of COVID-19 symptoms should go to an “isolation” area prepared by the employer, with the employee then able to contact the SNS 24 helpline. Therefore, for reasons of precaution, any divergence from these guidelines (such as the aforementioned contact with the SNS 24 helpline being carried out directly by the employer) must be justified.
As regards notification to the health authorities of the details of those employees who have been in contact with an employee who is a validated suspected case, the provisions of the response to the previous question apply.