Covid-19: Data protection of employee health information

14/04/2020 As the world deals with an exponential increase in Covid-19 cases, many regulatory bodies have issued public policy guidance concerning data collection, sharing and use of personal information related to employee health. Overall, they emphasise that data protection legislation (GDPR) is by no means an obstacle to public health. However, they advise organisations against carrying out "systematic and generalised" surveillance and data collection of employee health outside of the official measures permitted by public health authorities.

Sarah Taïeb, Data Protection Officer at UGI International – a leading gas suppliers in Europe – shares her analysis on privacy protection during this global health crisis.
This interview was originally published on www.mazars.fr

CAN COMPANIES MAKE IT MANDATORY TO SCREEN EMPLOYEE TEMPERATURES?

Several countries have concluded that screening employee temperatures is not permitted, despite the Covid-19 pandemic, such as France, Luxemburg, Sweden, the Netherlands and Hungary. The European Data Protection Board (EDPB) has advised that companies should consult existing employment, health, and safety laws for further guidance, although it does suggest that temperature checks without subsequent analysis of the results does not breach GDPR.

One alternative to temperature screening could be to place non-contact thermometers at the entrance of a company’s premises, thus, allowing employees to check that they do not have a fever before going into work.

CAN INFORMATION ABOUT A SICK EMPLOYEE BE SHARED WITH COLLEAGUES AND FOR WHAT PURPOSE?

Most regulatory bodies allow employers to inform their employees of a confirmed Covid-19 case in order to adopt protective measures for colleagues who may have been exposed. However, to the fullest extent possible, only the necessary preventive information should be divulged, and when possible the name of the employee or any other identifying information should not be disclosed "so as not to infringe on the individual’s dignity".

CAN COMPANIES QUESTION THEIR SUPPLIERS OR VISITORS ABOUT THEIR RISK OF BEING IN CLOSE PROXIMITY TO A PERSON DIAGNOSED WITH COVID-19 OR ABOUT THE POSSIBILITY THAT THEY HAVE GONE TO AN AT-RISK AREA?

Regulatory bodies are divided on this point. If we look at examples in Europe, some countries believe this type of questioning to be excessive and unnecessary, such as Belgium, France and Luxemburg. A larger majority (UK, Denmark, Hungary to cite a few) have adopted a more flexible approach and authorise this practice, which is usually based on relevant local legal obligations. Nevertheless, these inquiries should not include questions about the individual’s health history and should not require supporting medical documentation.

ARE THE RESPONSE TIMES IMPOSED BY GDPR AFFECTED BY COVID-19 (INFORMATION REQUESTS ON PERSONAL DATA, FOR EXAMPLE)?

Regulators remain silent on this matter, but are expected to be flexible with companies that receive requests from people concerning their personal information, whilst still managing the Covid-19

pandemic. Some regulatory bodies have stated that, in certain cases, corporate resources can divert from usual compliance protocol. Other regulators have emphasised that, although statutory deadlines cannot be extended, companies are to inform the persons concerned that they may experience delays regarding their rights to information requests.

Obviously, companies should be able to justify that their lack of resources is due to the current pandemic, and not merely an excuse.

WHAT ARE THE OBLIGATIONS FOR EMPLOYEES?

In some countries, employees are required to notify their employers if they have Covid-19. In Europe, this is the case in Italy, France, Hungary and Denmark, but other regions around the world have also required such disclosures. Other countries have encouraged companies to deploy specific communication channels linked to this type of information.

WHAT HAS BEEN THE STRATEGY FOR UGI INTERNATIONAL? DO YOU HAVE ANY ADVICE FOR DPOS?

Despite the exceptional circumstances due to the Covid-19 pandemic, data protection obligations continue to apply. At UGI, we are fully aware of this, especially since the amount of sensitive data that the group can hold on its employees is likely to increase, and that remote work presents new challenges in itself in terms of information security. As the global situation is in constant evolution due to Covid-19, new developments and recommendations issued by regulatory bodies will continually emerge. Therefore, it is essential that DPOs keep themselves informed of the latest legislative measures so that they can best advise data controllers and their teams.