Privacy issues are very pertinent in the fight against the coronavirus. Also in times of a global pandemic, general data protection restrictions must be respected. This section will focus on a number of considerations that can be taken into account.
Does an individual's health status involve personal data?
The General Data Protection Regulation (“GDPR") defines personal data as any information relating to an identified or identifiable natural person. The GDPR clarifies that a natural person can be identifiable, directly or indirectly, by identifiers such as a name or an identification number, but also by factors specific to the physical, physiological, genetic or mental status of that natural person.
Within this category of personal information, the GDPR qualifies certain types of data as “sensitive data", which deserve a more rigorous protection than other types of information. Such sensitive data include genetic data, biometric data and data concerning the health of the person involved. Consequently, any information relating to an individual's health status, including whether he/she is infected by the coronavirus, will be considered sensitive information and stringent rules must be abided by.
Can an employer ask for an individual's (health) information in relation to the coronavirus?
In case an employer wishes to ask for its employee's health status, it is advisable to refer the employee to the prevention advisor-doctor. In addition, an employer can collect a family member's health data if the family member has consented or if the collection is necessary for reason of public interest in the area of public health (such as protecting against serious cross-border threats to health) as an implementation of explicit directives imposed by the competent authorities. In any event, the individual whose information is collected must be properly informed about the processing (see below).
In case the employer needs to know non-health related information, such as contact details or location details, the employer may collect such data if there is a valid legal ground, e.g. in the employment contract or if the collection is necessary for the employer's or other person's legitimate interest. There is no need to run such collection via the prevention advisor-doctor, although such might be the most pragmatic way to operate.
In any case, whether or not the information is relating to an employee or its family member, proportionality must be safeguarded, as emphasized by the European Data Protection Board. Only information strictly necessary for the prevention, detection or handling of the coronavirus pandemic may be collected. For example, only a list of the person's contacts of the last few days may be collected, but no information relating to his/her contacts over the past months. In addition, the French and Belgian data protection authorities have advised that employers must refrain from systematically collecting all types of (health) data which go beyond the suspected exposure to or contamination by the virus. Mandatory body temperature readings or the collection of medical information through questionnaires will not pass the European data protection test.
Lastly, the (health) information collected in light of the prevention or detection of contamination may not be used for another purpose. For example, in case the employer collects an employee's location data during the past week, this information may not be used to track the employee's whereabouts relating to the employee's mileage allowance. Such will lead to a breach of the applicable data protection rules.
Can a company carry out checks on visitors?
Mainly, the same reasoning as to employees' (health) checks can be applied to checks on visitors. Although a company may have a legal ground to check a visitor's health status (e.g. body temperature), e.g. because the visitor has consented or such may be necessary for reasons of public interest in the area of public health, the need for proportionality will probably limit (body) controls on visitors. Consequently, only under certain conditions, including collecting information proportionately and after providing transparent information on the data collection, body temperature checks may be conducted on visitors.
Surely, you can ask visitors to leave the premises if they feel like they are at risk. In addition, visitors can be requested to abide by the health and safety standards of the company when on site, such as hand washing policies. Hence, it is important to use clear and concise guidelines to inform visitors as to what is expected from them (e.g. by using pictograms).
Can a company track location data to check where its users have been?
Data of device users, such as employees, clients or visitors, can also be relevant in the fight against the coronavirus. For instance, a company can track its users' whereabouts through different apps, or taking it even further by inferring with whom the user has been in contact.
In the absence of derogating legislation, such tracking actions will need the consent of the user. Again, proportionality must be safeguarded, whereby no more information may be collected than necessary for the purpose served, and the user must thereby be properly informed about the tracking actions taken. It must also be examined whether or not a less intrusive method could be used to divert where the user has been and with whom he potentially has been in contact (e.g. through anonymous data).
Can a company share the information with others?
The information the company has collected, whether it concerns its employees, family members, visitors, users or other individuals, may be shared with other parties under certain conditions.
The individual concerned must be properly informed about the third parties that will be receiving his information, such as governmental bodies, hospitals or other authorities. The company must also assure that only the information relevant for the purposes pursued by the third party is shared. For instance, location details and symptoms of the coronavirus may be necessary to share, but by also sharing an individual's full medical history, a breach of the relevant data protection rules may occur. Moreover, from a practical point of view, in times of immense influxes of data relating to the coronavirus, this additional information is not deemed helpful for the authorities.
In any event, the employer may not divulge the names of the individuals. The employer should only share information with other employees without mentioning the identity of the person(s) concerned.
Are there any practicalities that a company can take into account?
Lastly, in case deviations are deemed necessary, it is important that the circumstances and justification for such deviations are recorded, and that the DPO or privacy responsible as well as the Committee for Prevention and Protection at Work are consulted.
This article provides some general insights on different legal questions. These insights do not constitute legal advice and may not be relied upon as if they were legal advice. The outcome of any legal analysis will strongly depend both on the specific facts and circumstances of each case and on the particularities of the sector and legal relationship involved. Our legal experts in the various domains concerned are available to assist you with the analysis of your questions and provide specific advice tailored to your case and circumstances.