As the coronavirus has spread worldwide to reach pandemic level, employers are putting in place group-wide measures to limit risks of contagion within the workplace. Some of these measures have led companies to question their staff and visitors about their health, recent travels and/or contacts with a contagious person. Can companies collect such data and, if so, how?
The French data protection authority (the so-called “CNIL”) issued strict do’s and don’ts last March 6, which forbid employers from systematically and generally collecting information on symptoms presented by an employee and his family. As such, employers should not ask employees and visitors to report their temperature daily, nor collect medical questionnaires for all their staff.
Alerting employees to coronavirus risks and inviting them to individually disclose information regarding a potential exposure to dedicated company services or persons (for example, HR or health services) or competent sanitary authorities is permissible, as is encouraging remote work.
The CNIL further states that only limited information can be collected (name of the suspected exposed person, date and measures taken, such as remote work and contact of occupational health services), which may also be disclosed to sanitary authorities. No health data should thus be collected, unless solicited by sanitary authorities. Only such authorities can be responsible for evaluating data on symptoms and recent movements and take adequate measures. This seems hardly feasible with the rapid expansion of COVID-19. Moreover, employers remain bound to a safety obligation of result and must ensure a safe workplace.
In light of these recommendations, what data can an employer collect and process to limit risks of COVID-19 exposure and contagion?
Bear in mind that processing of health data requires explicit consent but that such consent must be freely given and is therefore difficult to envisage in an employee/employer subordinate relationship. Preventive or occupational medicine or assessment of the employee’s working capacity may also justify such processing if based on EU Member State law (such legislation is however pending).
The following measures take into account the fact that employers have a safety obligation of result to ensure a safe workplace but also that employees must implement all means to preserve their health and safety and that of others, so that they must inform the employer in case of suspicious contact with the virus.
- Avoid, if possible, collecting information on symptoms: consider providing for a list of symptoms and asking persons if they have any of the listed symptoms instead;
- Do not take and record every visitor’s or employee’s temperature: if you need to process this information, only record restricted information, such as “temperature equal or above 38°C”;
- Limit questionnaires to visitors and rely on and collect explicit consent to process any of their health data, listing the purposes, legal basis, data subject rights, recipients, data retention period and all information listed by Article 13 of the GDPR in the consent form:
  - if the visitor refuses to consent, consider checking the information orally and not recording or processing it;
  - if the visitor subsequently withdraws consent, the data should be destroyed;
- For employees, instead of collecting data on symptoms, list symptoms and request employees to contact sanitary authorities if they have any symptoms and to inform their supervisor or HR of the need.
- Encourage employees to disclose to HR, their supervisor or company health services their recent travels to a city or country identified as at “risk” (without stating a precise list of countries) or contact with a contagious or sick person, and record the name of the person and the isolation measure taken (remote work, leave to attend to children, sick leave).