Coronavirus, businesses and personal data
Safeguarding life & health, or personal data?
The SARS-CoV-2 coronavirus is, without a doubt, a visitor, not a householder. As such it will sooner or later (hopefully sooner) say goodbye, and so will the pandemic it causes (COVID-19). The consequences of their visit, however, are already leaving their mark. Our daily lives have changed dramatically. We are even forced to keep our distance from loved ones in order to protect them, and/or to protect ourselves. At the business level, the employer has an obligation to take appropriate measures to protect the life and health of their employees. To what extent? Is it right, for example, to take the temperature of employees when they enter the workplace? Of customers? Is the occupational physician obliged to inform the "boss" about the ("suspicious") symptoms of one of the employees? What matters more: protecting the personal data of the sick employee, or the life and health of everyone else?
The (relevant) questions that already concern employers and businesses
A series of questions concern all of us. Some of them, raised by employers and businesses, have been taken up by the Personal Data Protection Authority (hereinafter the "DPA"). They touch, on the one hand, on the employer's obligation to ensure the health of their employees (and of course their own) and, on the other, on the employer's obligation to comply with the legislation on personal data. Indicatively:
(a) Can a thermometer be used on those who enter the business’s premises?
(b) Is it permissible to require the completion of a questionnaire on the health status of employees or their relatives?
(c) Is it permissible to require the completion of a questionnaire on recent travel by employees or their relatives to a foreign country with an increased risk of coronavirus transmission, and the like?
(d) Can the rest of the employees be informed of the illness of a colleague, or of a colleague's relative, and of the related details?
The obligation to safeguard the life and health of employees
In the first article of this series on the topic (Coronavirus and Businesses: a first decalogue for their operation and employment relations) we set out the employer's basic obligations to ensure the life and health of employees.
These obligations are neither theoretical nor vague. They derive from the existing institutional framework, mainly the Labor Code for the Health & Safety of Employees (ratified by article one of law 3850/2010, Government Gazette 84 A').
The main pillar of this framework is "the sole responsibility of the employer, who is obliged to ensure ... the health of employees in all aspects of work, [and] to take measures to ensure the health ... of third parties" (art. 42, par. 1, Labor Code for the Health & Safety of Employees). Within the scope of this responsibility, the employer must not only take the necessary measures to protect the health and safety of employees but also supervise their implementation (art. 42, par. 5 and 6c, Labor Code for the Health & Safety of Employees).
And all this is not enough!
The employer must have at their disposal a written assessment of the safety and health risks at work. That written occupational hazard assessment should already have been updated to cover the COVID-19 risk and the corresponding prevention measures.
The Ministry of Labor issued the relevant reminders in time, among them its guidelines on prevention measures in the workplace against the new coronavirus. Quite early, too, with its document No. 94243/09.03.2020, it focused on the obligations of businesses and employees arising from the current pandemic.
Ensuring health in the workplace – the position of the Authority
The DPA felt the need to address protection against the pandemic and its impact on personal data.
In its Guidelines for the Processing of Personal Data when managing COVID-19 (hereinafter referred to as the “Guidelines”) it accepts – with regard to the private sector – that:
(a) The employer is obliged to ensure the health and safety of employees by taking the protective measures necessary to avert serious, immediate and unavoidable risks. They must also guarantee a safe and healthy work environment, with the cooperation of employees.
(b) Employees are obliged to comply with the rules introduced for their own health and safety, and for the health and safety of those affected by their actions or omissions. In this context they are also obliged to report immediately to the employer and/or the occupational physician any situation that may be considered to constitute an immediate and serious risk to safety and health.
What is the position of the DPA regarding the obligations of businesses to secure personal data in relation to the pandemic?
The DPA accepts that:
(a) Employers are entitled to process their employees' personal data in order to protect their health. This processing takes place on the basis of the General Data Protection Regulation (hereinafter the "Regulation") and, of course, within the directions given by the competent authorities for implementing the measures decided by the Legislative Acts ("LDs").
(b) Information relating to the health of an individual (or to the provision of health care to them) constitutes a special category of personal data. This data is subject to a stricter protection regime.
This specially protected category (sensitive data) includes, indicatively: (a) the fact that a person, e.g. an employee, who is named or can at least be identified, is ill; (b) their stay at home due to illness; (c) the finding of signs of illness, possibly through their clinical picture (cough, runny nose, fever above normal, etc.).
On the other hand, there is other information that may be of interest in the current pandemic. Indicatively: whether someone recently traveled to a foreign country where the coronavirus is widespread, or whether a relative or associate of the employee concerned is ill or has been infected with the coronavirus. Such information does not concern the health of the data subject themselves (e.g. the employee) and is therefore not sensitive personal data. It may, however, still constitute personal data, and that too is protected.
What is the scope of application of the legislation on Personal Data?
The legislation on the protection of personal data applies (article 2 par. 1 of the Regulation and article 2 of law 4624/2019) in two cases: (a) the wholly or partly automated processing of personal data, and (b) the non-automated processing of personal data which form part, or are intended to form part, of a filing system.
In this context, oral information about a data subject (e.g. that an employee is ill with the coronavirus, or that their body temperature was measured above normal) is indeed personal data. The legislation, however, does not apply as long as that information is neither (a) processed wholly or partly by automated means nor (b) processed by non-automated means as part of a filing system (or intended to form part of one). A temperature reading that is taken and acted on without being recorded therefore falls outside the Regulation; writing it into a log, a spreadsheet or an access-control system brings it inside.
However, it is important to emphasize that the scope of the Regulation is determined in a binding manner (Article 2 §1). It is not possible to extend it by national legislation.
Needless to say, such an expansion (or expansion attempt) does not exist in our country.
What should the employer do?
The controller (here the employer) carries out the personal data processing operations that are necessary and in accordance with the Regulation, always directed at the purpose pursued in each case.
At this stage (as far as COVID-19 is concerned), no processing can be ruled out in advance as prohibited. The GDPR sets out the legal bases for processing in Article 6: in particular, processing necessary to protect the vital interests of the data subject or of another natural person (point (d)) and processing necessary for a task carried out in the public interest (point (e)). Since health data belong to a special category, however, their processing is permitted only by way of exception (Article 9), among other things when "processing is necessary for reasons of public interest in the area of public health" (Article 9(2)(i)).
What ultimately matters, and what we are all called upon to preserve, is human life and health, with respect at the same time for the legislation on personal data.
Any processing by the employer is governed by the principle of accountability. In the present case this means: however the employer handles personal data, they must always be able to demonstrate that the processing is lawful.
Gathering a large amount of information is easy and, ultimately, cheap; hardware capable of holding large volumes of data is readily available. When it comes to collecting personal data, however, we must exercise self-restraint. Collection should be limited to the data that is strictly necessary, that is, data relating exclusively to the intended purpose: here, preventing the spread of the coronavirus and thereby protecting the health of those in the workplace (the principles of purpose limitation and data minimisation, combined with the principle of proportionality), while also respecting the principle of secure processing (in particular, confidentiality) through the adoption of appropriate technical and organisational security measures.
Where sensitive health data are processed on a large scale, a data protection impact assessment may in fact be required (Article 35 of the Regulation): an assessment, before processing begins, of the consequences of the intended processing operations.
The collection and processing of sensitive personal data, which restrict the rights of individuals, should take place very sparingly. The controller (here the employer) must always make sure that the legal requirements are met, in particular the principle of proportionality: the measures eventually taken must be the least burdensome available, any less burdensome measure having been ruled out as inadequate.
It would be easy, especially under the current circumstances, to slip into the systematic, continuous and generalised collection of personal data. We might, for instance, think it useful and safe to create and continuously update a record tracking the health of each employee. Such a record, however, according to the DPA, "could hardly be described as consistent with the principle of proportionality".
The ability of sick employees to disclose the status of their health.
Things are very different when persons already ill with the coronavirus (here, employees) voluntarily disclose their own state of health. In that case there is a different legal basis for processing the specific health data (Article 9(2)(e) of the Regulation), provided always that the principles of the Regulation and any special provisions of national law (including the LDs) are complied with.
The ability (?) of employers to notify third parties of the health status of their sick employees.
Is it permissible for controllers (here employers) to disclose to third parties information on the health status of data subjects (here employees)?
According to the DPA, "it is not permissible if it creates a climate of prejudice and stigma, and if there is a chance it will act as a deterrent to the observance of the measures announced by the competent public authorities, thus ultimately opposing their effectiveness". And this holds even where the disclosure is initially carried out within the rules of the existing legal framework.
The Regulation sets out general rules. It obviously could not regulate every individual case involving personal data, nor does it answer specific questions case by case.
In its preamble, however, the Regulation (recital 46) accepts the processing of personal data where it "is necessary for humanitarian purposes, including for monitoring epidemics and their spread".
Further, in defining the public interest, it accepts the processing of sensitive data "... for the prevention or control of communicable diseases and other serious health threats" (recital 52). These are reasonable considerations which guide the employer and the business but do not relieve them of their obligations.
Employers and businesses have specific obligations to ensure health in the workplace, and of course to protect their employees' personal data as well.
The questions asked are many and serious.
Most of them cannot be answered in advance, and the DPA avoids giving fully specific answers and directions.
Its position is that "The Authority reminds that the controller carries out the acts of personal data processing that are necessary and in accordance with Articles 5 and 6 of the GDPR in order to achieve the intended objectives, without it being possible to rule out any act of processing in advance as prohibited, especially at this critical and unprecedented time and provided the conditions set out in considerations 1-2 of the present are met. It is self-evident that this processing takes place in the context of the principle of accountability."
In other words: do what you assess as right ("the situation is difficult") but, you know, "I may ask you to plead your case."
The assessment of each case is left to each business, its DPO and its advisers.
There is no doubt, however, that behind every measure taken under the current circumstances there should be only one goal for the employer or business: the protection of the life and health of employees.
With respect, of course, to the legislation on personal data.
With even greater respect, however, for the lives and health of their people.
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney, and only after they have taken into consideration all the data relevant to your case that you provide to them.