Short Reads

How to cope with data protection rules in times of the coronavirus pandemic?

How to cope with data protection rules in times of the coronavirus pa

How to cope with data protection rules in times of the coronavirus pandemic?

24.03.2020 BE law

Privacy issues are very pertinent in the fight against the coronavirus. Also in times of a global pandemic, general data protection restrictions must be respected. This section will focus on a number of considerations that can be taken into account.

Does an individual's health status involve personal data?

The General Data Protection Regulation (“GDPR") defines personal data as any information relating to an identified or identifiable natural person. The GDPR clarifies that a natural person can be identifiable, directly or indirectly, by identifiers such as a name or an identification number, but also by factors specific to the physical, physiological, genetic or mental status of that natural person.

Within this category of personal information, the GDPR qualifies certain types of data as “sensitive data", which deserve a more rigorous protection than other types of information. Such sensitive data include genetic data, biometric data and data concerning the health of the person involved. Consequently, any information relating to an individual's health status, including whether he/she is infected by the coronavirus, will be considered sensitive information and stringent rules must be abided by.

Can an employer ask for an individual's (health) information in relation to the coronavirus?

In case an employer wishes to ask for its employee's health status, it is advisable to refer the employee to the prevention advisor-doctor. In addition, an employer can collect a family member's health data if the family member has consented or if the collection is necessary for reason of public interest in the area of public health (such as protecting against serious cross-border threats to health) as an implementation of explicit directives imposed by the competent authorities. In any event, the individual whose information is collected must be properly informed about the processing (see below).

In case the employer needs to know non-health related information, such as contact details or location details, the employer may collect such data if there is a valid legal ground, e.g. in the employment contract or if the collection is necessary for the employer's or other person's legitimate interest. There is no need to run such collection via the prevention advisor-doctor, although such might be the most pragmatic way to operate.

In any case, whether or not the information is relating to an employee or its family member, proportionality must be safeguarded, as emphasized by the European Data Protection Board. Only information strictly necessary for the prevention, detection or handling of the coronavirus pandemic may be collected. For example, only a list of the person's contacts of the last few days may be collected, but no information relating to his/her contacts over the past months. In addition, the French and Belgian data protection authorities have advised that employers must refrain from systematically collecting all types of (health) data which go beyond the suspected exposure to or contamination by the virus. Mandatory body temperature readings or the collection of medical information through questionnaires will not pass the European data protection test.

Lastly, the (health) information collected in light of the prevention or detection of contamination may not be used for another purpose. For example, in case the employer collects an employee's location data during the past week, this information may not be used to track the employee's whereabouts relating to the employee's mileage allowance. Such will lead to a breach of the applicable data protection rules.

Can a company carry out checks on visitors?

Mainly, the same reasoning as to employees' (health) checks can be applied to checks on visitors. Although a company may have a legal ground to check a visitor's health status (e.g. body temperature), e.g. because the visitor has consented or such may be necessary for reasons of public interest in the area of public health, the need for proportionality will probably limit (body) controls on visitors. Consequently, only under certain conditions, including collecting information proportionately and after providing transparent information on the data collection, body temperature checks may be conducted on visitors.

Surely, you can ask visitors to leave the premises if they feel like they are at risk. In addition, visitors can be requested to abide by the health and safety standards of the company when on site, such as hand washing policies. Hence, it is important to use clear and concise guidelines to inform visitors as to what is expected from them (e.g. by using pictograms).

Can a company track location data to check where its users have been?

Data of device users, such as employees, clients or visitors, can also be relevant in the fight against the coronavirus. For instance, a company can track its users' whereabouts through different apps, or taking it even further by inferring with whom the user has been in contact.

In the absence of derogating legislation, such tracking actions will need the consent of the user. Again, proportionality must be safeguarded, whereby no more information may be collected than necessary for the purpose served, and the user must thereby be properly informed about the tracking actions taken. It must also be examined whether or not a less intrusive method could be used to divert where the user has been and with whom he potentially has been in contact (e.g. through anonymous data).

Can a company share the information with others?

The information the company has collected, whether it concerns its employees, family members, visitors, users or other individuals, may be shared with other parties under certain conditions.

The individual concerned must be properly informed about the third parties that will be receiving his information, such as governmental bodies, hospitals or other authorities. The company must also assure that only the information relevant for the purposes pursued by the third party is shared. For instance, location details and symptoms of the coronavirus may be necessary to share, but by also sharing an individual's full medical history, a breach of the relevant data protection rules may occur. Moreover, from a practical point of view, in times of immense influxes of data relating to the coronavirus, this additional information is not deemed helpful for the authorities.

In any event, the employer may not divulge the names of the individuals. The employer should only share information with other employees without mentioning the identity of the person(s) concerned.

Are there any practicalities that a company can take into account?

Given the dramatic spread of the coronavirus, the need for actions can be very urgent. Nevertheless, the (data protection) rights of the individuals involved must be respected. Especially the communication of prior, accurate and transparent information regarding the data collected, the purposes and the third parties with whom the data will be shared is important. This can happen ad hoc at the moment of the investigation, or more broadly, through an update of the company's privacy policy. Furthermore, a valid legal basis must be present. Since an employee's consent is considered to not be “freely given", as expressed in the GDPR, an employee's consent can never be used as a valid ground. Other legal grounds, such as necessary for reasons of public interest or to comply with a legal obligation, may be appropriate. In addition, it is also important to adopt adequate security measures and confidentiality policies ensuring that information is not being disclosed to unauthorized parties.

Lastly, in case deviations are deemed necessary, it is important that the circumstances and justification for such deviations are recorded, and that the DPO or privacy responsible as well as the Committee for Prevention and Protection at Work are consulted.

 

This article provides some general insights on different legal questions. These insights do not constitute legal advice and may not be relied upon as if they were legal advice. The outcome of any legal analysis will strongly depend both on the specific facts and circumstances of each case and on the particularities of the sector and legal relationship involved. Our legal experts in the various domains concerned are available to assist you with the analysis of your questions and provide specific advice tailored to your case and circumstances.

Team

Related news

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more

20.04.2021 NL law
Podcast: 'de NOW en faillissementen'

Short Reads - Wat gebeurt er als werkgevers die gebruikmaken van de NOW failliet gaan? Wat kunnen de curator en het UWV doen? En wat gaat er gebeuren als de overheid de NOW afbouwt of stopt? In de vierde en tevens laatste aflevering van een podcastserie over de NOW geven advocaat bestuursrecht Sandra Putting en Job van Hooff gespecialiseerd in het insolventierecht antwoord op deze en andere vragen over de NOW en de faillissementen.

Read more

03.05.2021 NL law
De overheid behoeft de besten, maar krijgt zij die nog wel?

Short Reads - ‘De overheid behoeft de besten; zij moet aantrekken en opkweken de bekwaamsten onder de jongeren; haar mensen moeten het in kennis maar ook in levenshouding en beschaving kunnen opnemen tegen de leidende figuren uit de maatschappij; het zou noodlottig zijn voor de publieke zaak, zo de overheid zich tevreden zou stellen met degenen, die elders niet aan de slag konden komen of mislukten.’ (C.H.F. Polak 1957, geciteerd in NJB 2018/1044)

Read more

21.04.2021 NL law
Voorschotbepaling (NOW-1) en peildatumbepaling (NOW-2) zijn niet in strijd met het evenredigheidsbeginsel (annotatie)

Short Reads - In deze annotatie bespreken Jan Reinier van Angeren en Sandra Putting de eerste uitspraak van de Centrale Raad van Beroep (CRvB) over de NOW. In de uitspraak van 8 januari 2021 oordeelt de CRvB dat de voorschotbepaling uit de NOW-1 en de peildatumbepaling uit de NOW-2 niet in strijd zijn met het evenredigheidsbeginsel. De CRvB ziet daarom geen aanleiding de bepalingen in het voordeel van de desbetreffende werkgever buiten toepassing te laten. In de annotatie gaan Jan Reinier en Sandra in op een aantal bestuursrechtelijke aspecten van de NOW-subsidieregeling en de CRvB-uitspraak.

Read more