Companies with employees in multiple European locations may well be feeling challenged in keeping up with public health-driven guidance – and more recently, mandates – relating to SARS-CoV-2 risks in the workplace. On top of extraordinarily urgent efforts to limit the spread of the novel coronavirus while maintaining as much business continuity as possible, companies have legitimate concerns about their data protection obligations under the General Data Protection Regulation (GDPR) and national employment laws. A number of national data protection authorities, including the UK’s Information Commissioner’s Office, have issued specific guidance to employers on dealing with coronavirus and data protection issues in the workplace. Now, the European Data Protection Board (EDPB) has issued a concise three-page statement on how employers should deal with data protection issues in the midst of the coronavirus pandemic.
Here are some key takeaways from the EDPB’s statement:
1. Data protection laws should not be interpreted in ways that hinder the fight against the coronavirus pandemic. Reading between the lines of the EDPB’s statement, it seems fairly safe to say that where the employer is called upon to weigh up competing interests, this is not a time for employers to put greater weight on privacy interests than public health interests.
2. Employers should cooperate with public health authorities, but also remember that employers are still subject to the GDPR and other relevant data protection laws. The GDPR allows employers to process sensitive personal data, including health information, where that is “necessary for carrying out [their] obligations and exercising specific rights . . . in the field of employment and social security and social protection law” (Art. 9(2)(b)), in so far as Union or Member State law authorises it. That’s normally a fairly settled body of law. But now more than ever, employers should stay up to date with new laws and government-issued decrees and guidance. The EDPB does not state this expressly, but in essence, new, specific public-health driven laws and government-mandated measures will take precedence over any apparently contrary restrictions in prior guidance, because the GDPR itself defers to such laws as the legal basis for processing (Art. 6(1)(c) and (e), Art. 9(2)(b) and (i)). Looking at this practically, if a public health authority requests that an employer provide personal data about employees, the employer should comply promptly (and, as part of its regular GDPR record-keeping requirements, document what it disclosed, to whom, and on what legal basis). But remember that general data protection requirements still apply: security, purpose limitation (using the data only for the purpose for which it was collected), data minimisation (not collecting information that isn’t needed for that purpose) and record-keeping.
3. Let the relevant public health authorities decide what health data should be collected from your employees and visitors to your premises. Don’t come up with your own plan for that. With understandable eagerness to implement measures to reduce the transmission of coronavirus, it was reported in the early weeks of the pandemic that some companies asked employees and visitors to take their temperature, disclose symptoms and state which regions and countries they had traveled to in recent weeks. That’s okay only if national laws require or authorise such information to be collected – and in many cases, that will not be the case. Think about more neutral ways to limit transmission in the workplace, such as reminding employees and visitors to follow the government’s guidance. Of course, if your company is subject to specific health-related regulations and reporting requirements, you should continue to follow them.
4. Employers need to be transparent with employees about how their personal data is being used and who is receiving it. If an employer starts collecting more information than usual or sharing it with public health authorities (or other appropriate data controllers) in a way that it has not done in the past, the employer should update its data protection notice to its employees and ensure that they are aware of the change.
5. Minimize disclosure of sensitive personal data within your workforce, and by your workforce to others. You can reveal the names of employees who have contracted the virus where that’s important to protect other workers, so long as national laws permit you to do that. Generally, if you can take appropriate steps to protect the other employees without revealing the name of the person who is ill, that’s what you should do. Recall that if the person who is ill has manifestly made the information public themselves, the GDPR permits processing of it under Art. 9(2)(e), even though it remains special category data. However, telling a few colleagues is not the same as manifestly making the information public, so be careful about that. It is also important to remind employees to respect the data protection rights of their fellow employees. Just because someone has been identified within the company as having the coronavirus does not mean that that information can be shared outside the company.
As employers are well aware, the GDPR is heavily tilted towards protecting individuals’ privacy rights and also allows for very high fines, so guidance from data protection authorities that offers clarity and any degree of reassurance is very welcome. The EDPB’s statement does not change the fact that employers need to stay up to date with national guidance and laws, but it does give a valuable snapshot of the European data protection authorities’ general approach to the issues.