COVID-19 (coronavirus) and personal data protection in employment relationships – what should we pay attention to?
Amidst the government regulations and measures of recent weeks that follow from the epidemic of the infectious disease COVID-19, caused by the SARS-CoV-2 coronavirus, and the resulting adjustments that many companies have had to make, the field of personal data protection has been pushed somewhat aside. The protection of personal data should not be of secondary importance at this time, however, because health data falls within the so-called special categories of personal data, which are subject to particularly stringent processing conditions.
At the same time, in the current situation it is almost inevitable that an organization will need to collect certain data that qualifies as health data. It should be emphasized that health data is not limited to information about a person's state of health in the narrow sense (for example, specific symptoms) but also covers related information (for example, the mere fact that a person is or will be on sick leave). Because this is an important question, on 19 March 2020 the European Data Protection Board adopted a statement in which it pointed out that, in the current situation, a legal basis can be found for processing personal data relating to the health status of employees without obtaining their consent. In relation to sharing such data with other employees, it emphasized, among other things:
“Employers must inform employees of COVID-19 cases and take safeguards, but may not provide more information than necessary. In cases where the name of an employee who has contracted the virus (e.g. for preventive reasons) needs to be disclosed and national law allows, the employees concerned must be informed in advance and their dignity and integrity protected.”
National legislation in Slovenia is still not aligned with the General Data Protection Regulation (GDPR); however, the GDPR is directly applicable, and a number of sectoral laws also touch, at least to some extent or indirectly, on personal data protection at work. For example, the Occupational Safety and Health Act (ZVZD-1) establishes as a basic obligation of both the worker and the employer the protection of the worker's own life and health and that of other workers. Similarly, Article 35 of the Employment Relationships Act (ZDR-1) lays down the same obligation for the employee, and Article 45 of the ZDR-1 for the employer. Depending on the circumstances, these obligations could form the basis for processing health-related personal data, since information about whether an employee has been in contact with a person infected with a dangerous virus is undoubtedly part of protecting the health of other workers.
The GDPR itself provides, among other things, that the processing of special categories of personal data may be necessary for reasons of public interest in the area of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures to protect the rights and freedoms of individuals (recital 54 of the GDPR). Recital 46 of the GDPR explicitly contemplates the situation in which an epidemic has occurred: it states that processing of personal data should be regarded as lawful where it is necessary to protect an interest essential to the life of the data subject or of another natural person. It adds that some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergency, in particular natural and man-made disasters.
A basis for processing certain personal data of employees, including special categories, can therefore be found both in the GDPR (in particular Articles 9(2)(b) and 9(2)(c); note that Article 9(2)(c) applies only where the data subject is physically or legally incapable of giving consent, so in an employment context Article 9(2)(b), and for public health measures Article 9(2)(i), will usually be the more relevant provisions) and in national legislation. Each specific situation must nevertheless be assessed in order to establish whether a legal basis exists and what information may be processed on that basis. In particular, the following points should be taken into account:
o Individuals should be informed of such processing and, where necessary, the company's privacy notice for employees should be updated
o Appropriate, particularly stringent and effective security measures must be in place to protect such personal data
o All measures taken must be documented
o The principles of proportionality and data minimization must be strictly observed
o Access to the personal data should be restricted to those who genuinely need it
o Employees who are made aware of such personal data should be reminded not to share it with others
Finally, it bears repeating that personal data obtained in this way must not be used by the employer for any other purpose (the principle of purpose limitation).