The Garante has taken a more open view of the compliance of coronavirus checks with privacy laws in Italy: its position is more flexible, but it still imposes stringent obligations.
Given the emergency caused by the spread of the Coronavirus, several companies are adopting body temperature checks, running questionnaires to be filled in at the entrance of their building by any employee or visitor, performing tests on employees, or even using apps to track their level of risk.
To help companies handle the current situation, below is a list of do’s and don’ts on privacy-related matters connected to the management of Coronavirus checks.
Top 3 don’ts on privacy issues relating to Coronavirus checks
1. Is it possible to collect information on movements, pathologies, or temperature of employees, suppliers, or visitors? Are the collected data anonymous?
In the vast majority of cases, the collection of personal data is not necessary, and the data collection might be unjustified under the data minimization principle. The performance of temperature checks and the collection of questionnaires with very limited information is provided for in Italy by the anti-contagion protocol validated by the Government with the trade unions, and the Garante deemed such practices privacy-compliant provided that the temperature is never recorded and the information collected through questionnaires complies with the data minimization principle.
Even the mere display of the body temperature, or the answer to a questionnaire (even a negative one), is a processing of personal data. Such data are not anonymous, since the collection occurs in the presence of individuals who are then identified or are already known. Therefore, checks need to be justified and require the provision of a privacy information notice and compliance with stringent restrictions.
2. Is it possible to run serological or swab COVID-19 tests on employees?
The Italian data protection authority held that serological tests run on employees are privacy-compliant in Italy provided that the occupational doctor is the data controller and is the sole individual aware of the results of the test, communicating to the employer only the suitability or unsuitability of the employee to perform the working activity.
However, in my view, the occupational doctor shall inform the employer if the test is positive unless the employee has already done so, also because the employer needs to deal with authorities to track potential contacts.
3. Is it possible to investigate movements, contacts, and health conditions of employees, suppliers, or visitors?
No, private companies are not in charge of investigating the movements of individuals; public authorities have to perform such activities. This conclusion was reiterated in the protocol mentioned above, which emphasized the need to protect the dignity of infected individuals.
Likewise, apps, bracelets, and other tools able to record contacts shall not record all of an individual’s contacts; they may only send a warning message when a contact is closer than the minimum distance, so that the employer can adopt the necessary security measures.
Top 3 do’s on privacy issues relating to Coronavirus checks
1. Informing individuals
Place a notice at the entrance of the building and send a communication to clients and suppliers indicating that anyone who has been in at-risk areas, has been in contact with persons at risk, or has flu symptoms (or even just fever or cough) cannot access the company’s building; also encourage smart working practices.
2. Do not record the body temperature
The temperature shall never be recorded; if it is higher than the allowed threshold of 37.5°C, the company shall only record, with regard to employees, that the threshold was exceeded, informing the occupational doctor of the circumstance.
3. Ensure privacy compliance of processing of personal data
If the company wants to run tests on employees, the data controller shall be the occupational doctor, who shall provide his own privacy information notice.
The company shall also provide an addendum to its privacy information notice, informing employees that the results of the tests, if positive, can be communicated to it. It is also highly recommended that a data protection impact assessment be run on this process.
Questionnaires, apps, cameras, bracelets, or other tools shall be able to collect only relevant information: for example, questionnaires shall only record information that is an indicator of risk, and contact tracking apps shall record only contacts that are closer than the minimum distance. In this case too, the data controller shall be the occupational doctor.
I hope the above is useful, and you can read some recommendations on how to properly draft a GDPR-compliant privacy information notice in this article: “Privacy information notice – more complicated with the GDPR”.