This Data Protection Alert aims at providing brief and practical answers from a data privacy perspective to certain key queries that might arise at the level of organizations in the context of recent COVID-19 outbreak. The information provided herein is mainly based on the views expressed recently by EU data privacy regulators in respect to various data privacy.
1. What actions or measures can employers generally take in the context of COVID- 19 pandemics?
– Encourage their employees being transparent about any contacts with persons known or suspected to be infected with COVID-19.
– Exceptionally, verbally inquire the employees about their contact with persons known or suspected to be infected with COVID-19 or coming from abroad (e.g., from the “hot” areas), particularly where there are grounded reasons to deem that the inquired employees may be infected.
– Encourage the employees to be responsible and report any presence of flu symptoms, such as fever, cough, sour throat, etc.
– Use questionnaire with “Yes/No” questions to assess the risk and limit the spread of the disease in the organization (e.g. Do you experience symptoms of COVID-19 such as headaches, fever, bone pain and shortness of breath? Have you interacted with someone who recently came from a defined risk area?). Negative answer from the employees should be usually sufficient.
– Set-up medical check points in their organization (e.g., in the working premises) and advise (yet not oblige) the employees to visit the company doctor .
2. What actions or measures should be avoided by employers in the context of Covid- 19 pandemics?
Employers should avoid:
– Asking the employees (eventually under disciplinary sanctions) to brief them on any private travels they have made recently, any persons they were in contact with recently or on any flu symptoms they or their closest contacts might have.
– Asking the employees (eventually under disciplinary sanctions) to report them regularly (e.g. on a daily basis) their body temperatures or other symptoms.
– Collecting in a systematic and generalized manner (particularly through specific requests before the employees) information on the presence of any flu symptoms of the employees and their closest contacts.
– Have visitors or other individuals sign pre-established statements certifying that they have no symptoms of the COVID-19 or that they have not recently travelled to a risk zone.
3. Can employers run body temperature measurement tests or other medical tests on their employees where there is a direct threat of COVID-19 infection?
In principle, employers cannot collect health data (body temperature included) on their own. Instead, employers might consider asking the suspected employees to take urgently a medical check, for instance by contacting the dedicated health service provider – if available. If the suspected employee refuses, the employer should be able to send the employee home (see, for details, also our answer from Question 5 below).
4. What employers should do in case of a speak-up/ whistleblowing in the organization?
When receiving information about a potential infected employee, employers should record, as part of their safety and health obligations:
– The date and identity of the person suspected of having been exposed, and
– The organizational measures taken (containment measures, teleworking, contacting the occupational health service provider, etc.).
5. What if the suspected employees refuse to contact the health services provider?
Employers should first duly document:
– The source of the information causing the suspicion of infection (Speak-up/ Whistleblowing, visible illness, etc.).
– The investigations conducted. Particularly, the employers should invite the suspected employees to contact the health provider to run some tests/ investigations to exclude the suspicion.
– The refusal of the employee to do the health tests/ investigations.
After conducting the above, the employers should be entitled to send home the suspected employees until the situation is clarified.
6. Can employers inform other employees about their colleagues having been diagnosed with COVID-19?
Employers can only inform the other employees that one (or some) of their colleagues has been found COVID-19 positive. However, unless the employers have strong arguments to do so, they should not disclose the identity of the infected employee(s). The employers should therefore act very careful when taking measures in this context as to reasonably ensure that the other employees cannot determine the identity of the infected employee. Of course, this should be assessed on a case-by-case basis and it might be that, despite all reasonable efforts taken by the employers, the other employees would figure out who is the infected employee.
7. Can employers disclose to outsiders that their employees have been diagnosed with COVID-19?
Save for the competent authorities, the employers should not disclose outside organization that individual employees have been found COVID-19 positive and/ or they are in quarantine or self-isolation. Instead, the employers could inform the outsiders (such as the external contacts) that the employees in question are absent or temporarily unavailable, eventually by also indicating the relevant substitutes.
8. Do employers still need to consider privacy requirements when acting based on the instructions or recommendations of public authorities?
Most likely, employers will be able to process personal data of employees (health data included) where this is specifically recommended or instructed by the public authorities (health authorities, labour authorities, etc.). Still, even in such case employers should put in place suitable safeguards to ensure privacy, such as using dedicated personnel bound by confidentiality duties, limitation of access to the data, strict retention periods, etc.
9. Can employers ask the private contact information of employees for issuing warnings or requests at short notice?
Employers are entitled to ask the employees to give their private contact information (e.g. private cell-number) after informing them in writing on the intended use (i.e., for emergency situations related to COVID-19 evolution).
Still, if employees refuse, employers may neither compel them to give the contact information, nor can they exercise any pressure over the employees to comply with. In any case, the private contact information should be deleted at the latest at the end of the pandemics.
10. Do the timelines for addressing GDPR data subject requests still apply where an organization is temporarily closed or capacity to handle requests is curtailed because of COVID-19?
COVID-19 health crisis might affect the organizations’ ability to timely address GDPR requests from individuals, such as requests for access to data.
Employers facing difficulties due to COVID-19 outbreak might consider:
– Communicating to the persons making the GDPR request that the response will be delayed and the reasons for such (along with related proofs). Employers should duly document the reasons preventing the response in the legally prescribed timeline.
– Assessing whether it is feasible to address the request in stages. For example, an organization whose staff is working remotely may have difficulties in accessing hard copy records. In this case it may be possible to provide the requester with electronic records, while hard copies will be provided at a later stage. Again, organizations should communicate all these with the individuals concerned.
– Readdress the request (or remaining part) as soon as possible after the cause preventing the answer has ceased to apply.