With the spread of coronavirus (COVID-19), employers are facing increasingly complex challenges in the day-to-day operation of their businesses. A key issue that many employers are facing is how to stop the disease spreading within their workforce, and what measures to implement to protect employees and the business. This is particularly crucial in international companies with highly mobile workforces, where the risk of infection and contagion is higher.

To respond to the increasing threat of the virus, numerous employers are considering monitoring their employees' state of health, their travel plans in and outside of work and their possible contacts with infected individuals outside the workplace. Employers are taking two approaches to stop the spread of the virus: either actively monitoring these factors, for example by asking employees to regularly fill in health questionnaires, and/or implementing policies and procedures to minimise the risk of infection and contagion.

Some data protection authorities have started to provide guidance, but there are divergent views on how employers should comply with data protection requirements, depending on the jurisdiction.

Monitoring employee health and travel – France and Italy

Companies considering the former approach should be aware that data protection regulators in the EU have issued guidance on COVID-19 related monitoring. In both France and Italy, the data protection supervisory authorities (the CNIL and the Garante respectively) have stated that employers should not actively collect information about their employees' state of health.

In France, the CNIL has informed organisations that they should not collect information about the body temperature of their employees or visitors to the premises or information about health and possible COVID-19 symptoms from them. This does not prevent employers from reporting cases of COVID-19 in the workplace to relevant health authorities. The CNIL has specifically stated that, if an employer is alerted to a case of COVID-19 amongst their employees, the employer may record:

  • the date and identity of the person suspected of having been exposed to the virus;
  • the organisational measures taken (isolation, remote working, contact with the workplace doctor, etc.).

Guidance from the Garante in Italy similarly prohibits employers from actively collecting health information about employees, or gathering information about employees' travel outside of work. There is an exemption to this for situations in which the health risk to the employee is higher (e.g. because of a high-risk working environment) – in such cases, the employer can request an in-house health care professional to carry out health checks.

Employees are however required to report COVID-19 to their employers: in France, this is a direct requirement, while in Italy it stems from the employee's duty to report health and safety risks.

Both authorities also warn against asking employees to supply information about the state of health of their friends and family.

Elsewhere in the EU

Elsewhere in the EU and in the UK, no specific data protection guidance on this issue has yet been issued. It is therefore for organisations to decide what appropriate method to use to prevent the spread of COVID-19 in the workplace.

If employers decide to collect information about symptoms from visitors and employees, they will need to ensure that the processing relies on a valid condition under Article 9 of the GDPR, as the employer will be processing sensitive personal data. This will require a thorough analysis; in addition to national data protection laws in each member state implementing the GDPR, which vary when it comes to sensitive personal data, national health regime laws may apply.

This will make it difficult for international companies to adopt a unified approach on collecting health-related information for coronavirus prevention across the EU.

Employers who seek to rely on consent (by requesting employees and visitors to tick a consent box or by making the questionnaire optional) should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information. Consent under the GDPR must also be revocable, which may undermine the organisation's monitoring process.

Whatever legal basis is relied on, employers will also need to ensure they comply with data protection principles, as per any processing of personal data. The data minimisation and purpose limitation principles are of particular importance in this context.

Compliant approaches to tackling COVID-19 – a practical approach

An alternative to monitoring symptoms, travel patterns and possible encounters with infected patients is for employers to implement procedures and policies to reduce the risk of infection at work. Both the Garante and the CNIL advocate this approach, suggesting that employers provide remote working options and implement clear procedures on self-isolation in case of contagion. In Italy, the local health authorities are regularly issuing and updating new measures to be followed. Employers can (or must, for Italy) also provide their workforce and visitors with good practice hygiene recommendations, make hand sanitiser available and restrict interpersonal contact to reduce the risk of infection.

Without actively collecting any information about their employees, employers can also implement clear procedures, discouraging employees from coming to work if they have travelled to affected regions, have certain symptoms or have come into contact with a COVID-19 patient.