COVID-19 and Data Protection
The Norwegian and three other European data protection supervisory authorities on employers' collection and disclosure of employee data.
The Norwegian supervisory authority, like its Danish counterpart, has taken a pragmatic approach to the processing of personal data in the context of the coronavirus (“COVID-19”) and seeks to clarify when an employer can collect and disclose employee data and also health data, where circumstances make it necessary. The Italian and French supervisory authorities seem to have taken a stricter approach to processing in connection with COVID-19. We look at the statements and guidance published by each of these supervisory authorities below.
Norway and Denmark: Pragmatic approach
The Norwegian Supervisory Authority (“Datatilsynet”) succinctly clarifies that while information that an individual is infected by COVID-19 is health data, information that an employee has returned from a so-called “risk area” as well as information that an individual is in quarantine (without further indication of the reason), though constituting personal data, is not health data.
As regards what information may be disclosed internally to employees, the Norwegian Datatilsynet emphasises that the Working Environment Act and the Infectious Disease Act limit what personal data employees are obliged to report to their employer and the extent to which the employer may process such data. To the extent that it is necessary to ensure a proper working environment, the employer may disclose internally within the organisation that an employee has been infected or is in quarantine. However, the employer should ensure that the employee’s integrity and dignity are safeguarded and use common sense with the parties affected.
On the contrary, the Norwegian Datatilsynet holds that information that an employee has been infected and/or is in quarantine should not be disclosed to persons outside the organisation. One should rather state that such employee is absent or unavailable. If the employee is working from home, the employer should assess how the employee’s contact information may best be communicated, and such employee should be consulted when making this assessment. If a large number of employees or all the employees are unavailable because of quarantine or some other reason, the management should have in place a plan on how to disclose this to persons outside the organisation and the general public in a good and proper manner which takes into account the employees’ situation.
As regards processing by the relevant authorities, the GDPR permits processing that is necessary for reasons of public interest in the area of public health, cf. article 9(2)(i), as do sector-specific health legislation and legislation on infectious disease in Norway.
The Danish Supervisory Authority ("Datatilsynet") also takes a rather flexible approach (see here, in Danish). It holds that it is first and foremost labour law and public health rules that determine what information an employer may demand from its employees and what information employees are required to provide. As long as it is not in conflict with such rules, the Danish Datatilsynet holds that an employer, within the limits of the GDPR, can to a large extent collect and disclose data which are not so concrete and specific as to be deemed to be health data, where circumstances make it necessary. Such circumstances can, for example, according to the Danish Datatilsynet include:
- that an employee has returned from a so-called "risk area"
- that an employee is at home in quarantine (without stating the reason)
- that an employee is sick (without stating the reason)
An employer may also be justified, according to the Danish Datatilsynet, to collect and disclose health data, e.g. that an employee is infected by COVID-19. The reason for this can, for example, be so that management and colleagues can take necessary preventative measures.
Denmark’s Datatilsynet emphasised that collection and disclosure must be justified, and that the information stored and disclosed must be limited to what is necessary. Employers should therefore assess whether there is a good reason to collect or disclose the information in question, whether it is necessary to specify the information, including whether the purpose can be achieved by saying less, and whether it is necessary to mention names (e.g. the name of the person infected and/or in quarantine).
Italy and France: No blanket collection of personal data
According to the Italian Supervisory Authority for data protection ("Garante"), the collection of data on the symptoms typical of COVID-19 and on the recent movements of individuals is the responsibility of healthcare professionals and the civil protection. Employers should refrain from any blanket do-it-yourself collection of such types of employee or visitors data. As such, the Garante states that employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the work and his/her closest contacts, or anyhow regarding areas outside the work environment.
As regards civil servants and other persons who work in various ways with the public sector, the Garante notes that the Minister for Public Administration provided operational instructions concerning such persons' obligation to report to the respective administration if they have travelled to a risk area. In this context, the employer may invite their employees to make, where necessary, such communications by facilitating the way they are routed, including through dedicated channels.
The Garante emphasises that employees, on their part, must inform their employer of any danger to health and safety at the workplace. Employees who perform duties that entail contact with the public (e.g. front office, service desk) who encounter a suspected COVID-19 case in the course of their work must ensure that the competent health services are informed, including through their employer.
The Garante takes a rather strict approach to the collection and procession of COVID-19 personal data by private and public entities. Though the statement is silent on this, it would appear that any such collection or processing must either be necessary for compliance with a legal obligation to which the private or public entity is subject, or is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
The French Supervisory Authority ("CNIL") takes a similar strict approach (see here, in French). It holds that employers should abstain from collecting in a systematic and generalised manner, or through individual inquiries and requests, information relating to the search for possible symptoms by an employee, an agent or their relatives. The CNIL states that it is therefore not permissible to subject employees, agents or visitors to regular temperature checks or to collect health data from them through questionnaires.
The CNIL notes that, according to French labour law, an employer is responsible for the health and safety of its employees and agents and must therefore implement measures to prevent occupational risk, provide information and training, and set up appropriate resources. As such, it is allowed:
- To invite employees to give feedback to the employer or the competent health authorities, of information concerning them in connection with a possible exposure;
- To facilitate the transmission of such information by setting up, if necessary, dedicated channels;
- To promote schemes for remote working.
Relevant information may be shared with competent health authorities.
The CNIL also notes that, according to labour law, each employee must take measures to protect his and her own as well as other's health and safety. They must inform their employer in the event of suspected contact with the virus. CNIL also emphasized that health data can be collected by health authorities qualified to take the measures appropriate to the situation.