With the World Health Organization (WHO) officially categorising the coronavirus disease (COVID-19) as a pandemic on 11 March, it has become clear that the world is immensely struggling with the outbreak. It has even led to a massive slowdown in economic activity, causing volatility and turbulence in the financial markets. Therefore, apart from being a threat to our health, COVID-19 has proven that it is and will continue to be a threat to the world economy and businesses.
Governments throughout the world have put in place measures to promote social distancing and restrict the transmission of the disease. The UK is also starting to see a tightening of approach, with Prime Minister Boris Johnson saying that everyone should avoid going to pubs, clubs and theatres and, if possible, work from home, as a part of a range of new stringent measures.
At the same time, businesses are working on creating a safe and healthy work environment for their employees, customers and business partners. In this time of coronavirus, this includes certain health related measures. With growing data protection concerns among businesses, this alert looks at the data protection issues at an EU and UK level and seeks to provide answers to a number of legal questions we have been asked in the past few days as well as give guidance on whether or not certain measures comply with applicable laws in the UK. Despite many EU countries issuing guidance, the spokesperson for the EU Data Protection Board issued a helpful statement on the virus which provides an overview of the EU approach.
Q: Can an organisation collect health data from employees and visitors and ask them to self-report if they consider they may have been exposed to the virus?
A: Yes. The organisation can ask employees and visitors to self-report and can collect health data; however, this doesn’t provide an unlimited ability to collect excessive volumes of information.
Employers have an obligation to protect employees’ health, and so the Information Commissioner’s Office (ICO) considers it reasonable for employers to ask people to tell them if they have visited a particular country or are experiencing COVID-19 symptoms, or have been in close proximity to someone who has.
Questions on health status are considered special categories of personal data that have to be processed with higher caution (sec. 9 GDPR) under certain strict requirements. Coronavirus as such can, for example, be considered a “serious cross-border threat to health” (Art. 9(2)(i) GDPR) that permits employers to take measures to protect the health of employees (Art. 9(2)(h) GDPR). These legal bases do not, however, mean that all measures can by justified by ‘coronavirus’.
Asking this information of visitors to a company’s premises is also permitted, but it is always best to consider government advice. For instance one would be permitted to ask someone if they have visited certain countries, have COVID-19 symptoms or have been in close proximity to anyone who has, and to restrict entry to persons who answer ‘yes’ to any of those questions.
In both cases, it would be unusual and most likely disproportionate to ask about symptoms and to record them as this is something that should be limited to the public health authorities. Any decision to systematically record symptoms or actual health data should be limited, and it would behove organisations to record their rationale for doing so and to ensure that more data than necessary is not collected and that the personal health data is appropriately safeguarded.
Q: Should an organisation inform its employees that a colleague may have potentially contracted COVID-19?
A: Yes. Employers have an obligation to ensure the health and safety of their employees as well as a duty of care. Thus, an organisation must keep their staff informed about COVID-19 cases that may have occurred within the organisation, especially those employees that are particularly threatened with infection (e.g., they work at the same company site or in the same team).
It is important to note, however, that organisations shouldn’t provide more information than necessary – for example, details such as the name of the individual(s) need not be shared.
Q: Can an employer enter additional data (e.g., home phone number, private mobile phone number or email address) into its HR system so as to be able to contact employees who are in quarantine?
A: Yes. As more companies limit the number of staff on premises, it is possible to record individuals’ private mobile numbers, particularly if they have not been issued with a work mobile and there is no other way to contact them should an organisation need to. It may also be possible that private mobile numbers would need to be disclosed to public health authorities for contact-tracing. That said, it is still an employee’s choice whether they want to give their private mobile phone number to their employer, particularly if the reason for collection of this data relates to the possibility of permanent availability.
Q: Can a business screen visitors for coronavirus or coronavirus-like symptoms?
A: Yes, but a visitor need only do so on a voluntary basis, and if a visitor refuses to answer screening questions, a business can deny access to their premises. The same goes for any request to take a temperature. A visitor to a premise can refuse to have their temperature taken, and an organisation can then refuse entry. Organisations should not keep a record of the temperatures, but merely use a handheld device to detect whether an individual has an elevated temperature.
Q: Can a company share health information regarding an employee with authorities for public health purposes?
A: Yes. It is unlikely that an organisation would need to share health information relating to specific individuals; however, if necessary, data protection laws allow such a transfer of data.
Q: Given the current situation, will the ICO penalise organisations if their data protection practices do not meet their usual standard or responses to information rights requests take longer?
A: No. The ICO understands that, during the pandemic, resources may have to be diverted from compliance or information governance work to other areas and so will not take regulatory action under these extraordinary circumstances.
Whilst the ICO will not be able to extend statutory timescales, it has said that it will inform people through its communications channels that they may experience understandable delays when making information rights requests during the pandemic.
Q: Can health care organisations contact individuals in relation to COVID-19 without having prior consent?
A: Yes. Data protection and electronic communication laws do not stop the government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing. In fact, public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
Q: What does the EU Data Protection Board (EDPB) say about data protection under the current situation?
A: In its statement the EDPB confirmed that data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. Even in these exceptional times, however, the EDPB reiterated that data controllers must ensure the protection of the personal data of data subjects and take appropriate safeguards.
The EDPB also commented on the processing of electronic communication data (such as mobile location data to carry out contract-tracing) and highlighted that under the ePrivacy Directive (as it is currently implemented by national laws), this can only be done in an anonymous way. However, it added that in certain circumstances, including matters of national and public security, member states are entitled to introduce legislation that would override their existing interpretations of the Directive, as long as they put in place adequate safeguards, such as granting individuals the right to judicial remedy.