CNIL provides further guidance on the collection of personal data by employers in the context of the global pandemic.
In the context of the health crisis brought on by the spread of the coronavirus, many authorities and organisations have been providing as much help and guidance as possible to relevant agents in navigating the current situation and continuing business during the pandemic. We are collectively at the point of the pandemic where it has been established that life must go on, and organisations and businesses are trying to establish some sort of normalcy to facilitate business continuity. The CNIL recently released a document providing guidance that may aid employers in navigating data protection in the workplace during the coronavirus-related health crisis.
Employers are obligated to ensure the safety of their employees.
It is the employer’s responsibility to implement measures to prevent occupational risks, to carry out information and training actions, and to ensure that work organization and resources are adapted to working conditions. Employers are encouraged to remind employees who work in contact with other people of their obligation to report individually, to the employer or to the competent health authorities, in the event of contamination or suspected contamination, for the sole purpose of enabling the employer to adapt working conditions.
CNIL provides guidance to employees as well, on navigating working through the pandemic.
Employees are responsible for preserving their own health and safety and also that of the people with whom they may come into contact during their professional activity. Under normal circumstances, employees who are home sick typically need only communicate the terms (usually the length) of their sick leave. However, in the context of a pandemic such as that of COVID-19, an employee who works in contact with other people (colleagues and the public) must inform his employer of contamination or suspected contamination with the virus each time he may have exposed some of his colleagues or, for example, clients to the virus. An employee who works in isolation or teleworks need not provide this information.
How does the GDPR say that health data should be processed?
Employers can only process health data necessary for the satisfaction of their legal and contractual obligations, that is to say, data necessary to take organizational measures (teleworking, referral to the occupational doctor, etc.), to provide training and information, and to carry out certain actions to prevent occupational risks. For this reason, the employer should process only data elements relating to the date, the identity of the person, the fact that they have indicated that they are, or are suspected of being, contaminated, and the organizational measures taken. The employer may communicate to health officials the elements necessary for any health or medical care of the exposed person. However, under no circumstances is the employer to identify the likely infected person to other employees or communicate any personal information about that person to them.
In developing and implementing company protocol, employers cannot take measures likely to disproportionately infringe on the privacy of employees, or other data subjects, in particular through the collection of health data, that would go beyond managing suspected exposure to the virus to protect employees and the public. In order to be processed, the use of the data must necessarily fall within one of the exceptions provided for by the GDPR, thus securing the balance between the desire to ensure the security of individuals and respect for their fundamental rights and freedoms.
What does the law say about temperature readings at entrances?
In an effort to prevent contamination or spread of the virus, or to remove employees who may have a fever from the working environment, some employers may wish to systematically monitor employees’ temperatures at the entrance to their premises. Recently on our blog we reported on the CNIL calling for caution in the use of smart and thermal cameras in this process. The CNIL has noted that the effectiveness and appropriateness of temperature measurement is disputable, as this symptom is neither systematically present in, nor exclusive to, COVID-19. In any case, an individual’s body temperature constitutes sensitive data relating to his health and is therefore considered subject to special protection under the GDPR. In particular, Article 9 of the GDPR prohibits employers from keeping data on employees’ temperatures if taken at the entrance of a site.
The CNIL further advises that only competent health personnel can collect, implement and access any medical forms or questionnaires from employees or agents containing any data related to their state of health, or information relating particularly to their family situation, living conditions, or even their possible movements. The same applies to medical, serological, or COVID-19 screening tests, as the results of these are subject to medical confidentiality.
The CNIL has provided further tips on business continuity in the context of the pandemic.
Companies may also be required to establish a business continuity plan, aiming to maintain the essential activity of the organisation during a crisis like the COVID-19 health crisis. This plan must include all the measures to protect the safety of employees, and must identify the essential activities to be maintained as well as the people necessary for the continuity of the service.
There are a few additional key points noted by the CNIL. The CNIL notes that the employer is responsible for the health and safety of his employees and must take collective protective measures, such as social distancing protocols and the provision of personal protective equipment, hand sanitiser and so on. The authority also reiterates that the employer does not have to organise the collection of health data from all employees. The only situation that would warrant an employer taking individual measures is when an employee himself reports that he may have been exposed, or may have exposed some of his colleagues or the public, to the virus. In addition, the authority advises that employers who would like to go beyond their obligations and ensure the state of health of their employees by setting up individualized working conditions must necessarily rely on the occupational health service, which has sole competence on the subject.