Data Protection and COVID-19: FAQs on the Approach of European Regulators

By John Benjamin and Edward Pickard

01.04.2020

The spreading COVID-19 pandemic across Europe has meant that many of its data protection authorities have faced questions from organisations as to how they should meet their privacy obligations during this time.

The European Data Protection Board (EDPB) has now published its own guidance to ensure that a consistent approach is taken across Europe regarding privacy compliance during this period. However, this came after a number of national regulators published their own guidance that in some cases is slightly contradictory.

The below article considers some of the key issues that may be facing during the COVID-19 pandemic and how the EDPB and some of Europe’s data protection authorities approach these issues. The EDPB has made clear that it is business as usual when it comes to compliance.

We are also seeing an increase in cyber-related attacks, so please make sure that your systems and processes regarding data security are robust within a working from home environment. Dealing with a data breach in the current environment will be no fun for anyone!

The increasing number of layoffs that are taking place will mean that we are likely to see an increasing number of access requests from individuals to their employers in connection with unfair dismissal claims. Make sure that you have robust systems in place to deal with these, and that you can process the large number of requests that may come your way. We are here to help as needed.

Development of mobile-based applications to monitor the public’s compliance with lockdowns and isolations will also mean the workload of privacy regulators will become even busier. If you are developing applications in this space remember the need to have a robust data protection impact assessment in place.

The conversation will then also move to the development of new technologies to avoid infection rates rising again, which will undoubtedly involve big data analytics. Whilst this pandemic will likely be defeated through private/public collaborations using sophisticated data analytics, this is likely to raise concerns from privacy advocates and other consumer protection groups.

1. When employees start to return to work, can we ask them to provide health data to protect the workforce from the coronavirus?

Employers will no doubt want to understand from their employees whether they have had the disease and if they remain infectious.

Whenever an organisation requests personal data from an individual, they must first establish whether the data they are requesting is strictly necessary and that they are not collecting more data than they need. The EDPB makes it clear that a request for information relating to the coronavirus pandemic needs to be clear and precise rather than general. Employers cannot therefore make excessive and unwarranted demands for information relating to an employees’ health.

Guidance from data protection authorities in France, Spain and the UK state that employers can only process health data that is strictly necessary. The French regulator has advised against collecting data that would go beyond what is necessary to determine exposure to the virus. Collection of temperatures (see below) and general health questionnaires, for instance, would be unacceptable, whereas focused questions around whether an employee has been exposed to the virus or how long have they been contagious for may be justified. Requesting employees to inform you if they have any symptoms of coronavirus would likely be reasonable in this scenario, but healthcare information should only be requested to the extent permitted by national law (which is one area of the GDPR that Member States can introduce their own laws). In France, the collection of health data can generally only be done by a labour doctor, so think about who should collect this data. The Dutch data protection authority’s guidance states that employers are not allowed to process health data of their employees. If the company doctor suspects coronavirus, the regional health service must be informed, who will consult on appropriate workplace measures that can be taken.

When collecting data relating to health, individuals must be informed in a concise and easily understandable notice the purpose of collecting the personal data and how long the data will be retained. Further, as with the collection of any personal data, appropriate safeguards should be in place to protect the data securely. The UK data protection laws require organisations to have a policy in place for processing of special category data, which includes health data. Our experience is that many companies do not have such a policy in place.

2. Can we take employees’ temperatures?

This point is an extension of point 1 above. Whether an employer can take an employee’s temperature will vary depending on the extent to which national laws allow such measures and whether it is reasonable and proportionate. For example, guidance in France, Belgium, Hungary, Italy and the Netherlands specifically state that employers cannot take the temperature of their employees. In comparison, authorities in Spain and the UK do not mention whether taking temperatures is permissible, but point out that processing of health data should be limited to what is strictly necessary. The principle of proportionality and legal basis should be observed. Thought needs to be given as to how long such information should be stored and who has access to it. Also, how accurate will the temperature reading be? Inaccurate readings may result in employees being turned away from work wrongly, and may mean they bring a claim under data protection laws resulting for incorrect processing of data.

3. What if an employee contracts COVID-19? Can we tell our employees?

Data protection legislation is not intended to stand in the way of provisions of healthcare, including ensuring the health and safety of your employees. However, organisations must consider whether they can achieve this outcome using the least amount of personal data. Names of individual should only be disclosed to the extent it is essential and national law allows it. For example, employees could be informed of a fellow employee contracting COVID-19 and the steps that need to be taken without the need to disclose any personal data such as the employee’s name. This position is reiterated by data protection authorities in the UK, Germany and Spain.

Of course, if certain individuals have come into contact with the infected individual, or it needs to be established which individuals have come into contact, it may be necessary to disclose the name of the individual in order to protect the health and safety of all of your employees. The EDPB guidance states however that disclosure of an employee’s name should only be made after the affected workers have been informed of this requirement beforehand.

Organisations should ensure any action taken is proportionate and reasonable in the circumstances.

4. Can we share employees’ health information to authorities for public health purposes?

The EDPB has made it clear that the GDPR does not prevent you from sharing employee’s health information/concerns with public health authorities where there is a legal duty to do so.

5. Will authorities take action against us if our data protection standards do not meet the usual standard or we do not respond to information requests as quickly as usual?

Each country will take a different attitude and will deal with this issue differently, as this is the responsibility of each state’s data protection authority. By way of example, the UK’s Information Commissioner’s Office (ICO) are taking a pragmatic approach during this pandemic. They have stated that whilst they cannot extend statutory timescales for responding to information requests, they understand that some organisations may need to prioritise other areas or adapt their usual approach and as such the ICO will not be looking to penalise organisations that have their resources stretched during this period.

However, organisations should continue to do their utmost to maintain the same level of data protection standards, so this is not an excuse for being lax on compliance. Certain disruptive employees may try and take advantage of the law to be as difficult as possible during these challenging times.

6. With most of our workforce working from home, what are our GDPR obligations in relation to remote working?

Organisations must maintain the same security standards for homeworking as they do normally. This means there is an even greater responsibility on employers to be fully aware and be vigilant when it comes to data protection compliance. Organisations should consider implementing/updating their remote working policies to ensure they are sufficient for the extended period of time in which individuals will be working from home. Particular focus around printing documents and using own devices for work is vital. You might organise a secure disposal service to collect papers at regular intervals from employees’ homes and make sure they are destroyed. Also avoid the temptation of allowing individuals to download personal data onto portable devices even in these difficult times. If it is unavoidable, make sure that only ones issued by the IT department are used. These should be properly encrypted. Make sure a central log of these devices is kept.

Refresher training webinars are useful tools for promoting good remote working practices and ensuring continued compliance from employees.

For further guidelines on data protection and remote working, visit our previous article, Top Tips: Keeping Data Safe When Working Remotely.

John Benjamin, Sandra Jeskie and Edward Pickard