Checks on employees returning to work during the COVID-19 emergency risk being challenged if not performed in a privacy-compliant manner.
During the last days, I received several calls from clients panicking because their HR department is planning to introduce stringent checks on employees returning to work after the COVID-19 lockdown period. There is the general feeling that any type of control can be performed due to a frequently misinterpreted definition of “public interest” which in several circumstances becomes the private interest of the company to protect its reputation.
There will not be a waiver of data protection fines during the coronavirus emergency
Some privacy law experts even requested that data protection authorities stop issuing fines during the coronavirus emergency because companies are already facing considerable financial difficulties, and the ICO published a position paper with the following ambiguous position on the matter:
in deciding whether to take formal regulatory action, including issuing fines, we will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
Other authorities took no similar position. Even though investigations are unlikely to be initiated during the coming days of the emergency, the emergency will not last forever. And the potential negative consequences for individuals due to, for instance, uncontrolled internal communications concerning infected employees or the loss of their health-related data might have long-term effects on their careers, leading to fines and significant disputes.
Top 5 recommendations on handling employees returning to work during the COVID-19 emergency
- Collect only the information really necessary to assess potential risks: the collection of data on the health conditions, movements and contacts of all employees through tests, thermometers, questionnaires and apps can be unjustified and in breach of the data minimization principle if it is not correctly set up to collect only information relevant to actual situations of risk, and if access to that information is not limited;
- Make sure that the collection of data does not impair the dignity of individuals: in the current emergency, even a minor alteration in the body temperature of an employee that is visible to other employees or, in general, to unauthorized persons can cause significant damage to their reputation. Data shall be collected in a manner that protects its confidentiality;
- Ensure that you have the right legal basis for processing COVID-19 data: in several European countries, public interest can be a legal basis for the processing of health-related data only if it is identified by a law that expressly defines the relevant public interest and allows the data processing activity. In this respect, as stressed by the European Data Protection Board, even location data can be considered health data if used in a specific context such as “information regarding a recent trip to or presence in a region affected with COVID-19 processed by a medical professional to make a diagnosis”. Therefore, you need to be careful in assessing the applicable legal basis;
- Have in place a procedure for the handling of COVID-19 data: if data relating to individuals infected by COVID-19, or at risk of infection, is communicated to individuals who are not authorized to receive that information and is then disseminated within the company without control, there is a potential risk of discrimination and damage to the individual concerned. A procedure shall set out the people to whom information on the infection (or potential infection) shall be communicated, the body in charge of taking decisions, the actions to be taken to handle the information and the subsequent steps;
- Don’t communicate the identity of infected people internally: people need to be informed of a risk of infection, but the same goal can also be achieved just by informing them of the area, department or floor where the person works, without disclosing the identity of the individual. If the infection occurred during a period of prolonged absence of an employee from work, communicating the infection might not be justified in any manner.
What is your view on my recommendations? Happy to discuss, and on a similar topic, you may find the article Top takeaways from EDPB opinion on privacy issues relating to coronavirus contact tracing apps interesting.