With the World Health Organization (WHO) officially categorising the coronavirus disease (COVID-19) as a pandemic on 11 March, it has become clear that the world is struggling immensely with the outbreak. It has even led to a massive slowdown in economic activity, causing volatility and turbulence in the financial markets. Therefore, apart from being a threat to our health, COVID-19 has proven that it is and will continue to be a threat to the world economy and businesses.
Governments throughout the world have put in place measures to promote social distancing and restrict the transmission of the disease. The UK is also starting to see a tightening of approach, with Prime Minister Boris Johnson saying that everyone should avoid going to pubs, clubs and theatres and, if possible, work from home, as a part of a range of new stringent measures.
At the same time, businesses are working on creating a safe and healthy work environment for their employees, customers and business partners. In this time of coronavirus, this includes certain health-related measures. With growing data protection concerns among businesses, this alert looks at the data protection issues at an EU and UK level. It seeks to provide answers to a number of legal questions we have been asked in the past few days and to give guidance on whether or not certain measures comply with applicable laws in the UK. Despite many EU countries issuing guidance, the spokesperson for the EU Data Protection Board issued a helpful statement on the virus which provides an overview of the EU approach.
Q: Can an organisation collect health data from employees and visitors and ask them to self-report if they consider they may have been exposed to the virus?
A: Yes. The organisation can ask employees and visitors to self-report and can collect health data; however, this doesn’t provide an unlimited ability to collect excessive volumes of information.
Employers have an obligation to protect employees’ health, and so the Information Commissioner’s Office (ICO) considers it reasonable for employers to ask people to tell them if they have visited a particular country or are experiencing COVID-19 symptoms, or have been in close proximity to someone who has.
Questions on health status are considered special categories of personal data that have to be processed with higher caution (sec. 9 GDPR) under certain strict requirements. Coronavirus as such can, for example, be considered a “serious cross-border threat to health” (Art. 9(2)(i) GDPR) that permits employers to take measures to protect the health of employees (Art. 9(2)(h) GDPR). These legal bases do not, however, mean that all measures can be justified by ‘coronavirus’.
Asking this information of visitors to a company’s premises is also permitted, but it is always best to consider government advice. For instance, one would be permitted to ask someone if they have visited certain countries, have COVID-19 symptoms or have been in close proximity to anyone who has, and to restrict entry to persons who answer ‘yes’ to any of those questions.
In both cases, it would be unusual and most likely disproportionate to ask about symptoms and to record them, as this is something that should be limited to the public health authorities. Any decision to systematically record symptoms or actual health data should be limited, and it would behove organisations to record their rationale for doing so, to ensure that more data than necessary is not collected, and to ensure that the personal health data is appropriately safeguarded.