COVID-19 and processing of personal data at work

March 20, 2020

These responses necessarily involve obtaining and potentially sharing personal information, including data about an individual’s health, travel, personal contacts, and employment. For example, in the U.S., the Centers for Disease Control and Prevention has asked airlines for the name, date of birth, address, phone number and email address for passengers on certain flights.[1]
In accordance with article 20, 2 ° of the Belgian law of July 3, 1978, the employer has the obligation ” to ensure with due diligence and care (Pater familias) that the work is carried out in conditions suitable from the point of view of the safety and health of the worker “. In pursuance of this provision, many employers therefore take preventive measures. However, the question arises as to how this obligation is reconciled with the worker’s right to the protection of his/her privacy and his/her personal data.

It’s been now few weeks that we all hear everyday about the COVID-19 outbreak. All countries are focused on how to monitor and understand it in order to stop its spread. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses.
One major response to limiting the spread of infection is contact tracing, which is the practice of identifying and monitoring anyone who may have come into contact with an infected person. Employers and educational institutions are also imposing travel restrictions, instituting self-quarantine policies, limiting visitors, and considering whether to require medical examinations.

1. Lawfulness of the processing (Articles 6 and 9 of the GDPR)[2]

Even in the context of taking preventive health measures, the general principle is that any processing of personal data must meet the conditions of article 6.1 of the GDPR and be based on one of the legal grounds mentioned in this article in order to be lawful.
In this regard, and according to the Belgian Data Protection Authority, it should be emphasized that at this stage and on the basis of the latest information published by the SPF Public Health concerning COVID-19, there is no reason to justify a more extensive nor a systematic application of the legal ground provided in Article 6.1.d) of the GDPR (“processing necessary to safeguard the vital interests of the data subject or another natural person”) in the context of the taking of preventive measures by companies and employers .
This applies in particular to the processing of health data, for which Article 9 of the GDPR in principle provides for a processing ban. As a reminder, health data, as a category of sensitive data, should not be processed unless one of the provisions provided in Article 9.2 apply. Attention should be drawn to the fact that for the processing of this category of personal data, companies and employers can only invoke Article 9.2, i) of the GDPR when they act in execution of explicit directives imposed by the authorities.
In addition, the health risk assessment if any should not be carried out by companies and employers, but by the occupational physician, who is competent to detect infections and to inform the employer and those who have been in contact with the infected person. This information is provided by the occupational physician based on articles 6.1, c) and 9.2, b) of the GDPR (processing for the purposes of the fulfilment of an obligation relating to work legislation).

2. Preventive measures and general principles regarding the processing of personal data[3]

In the event of any processing of personal data in the context of the application of prevention measures relating to COVID-19, in addition to the provisions of the GDPR, the general principles regarding data processing must also be observed.
Measures involving the processing of personal data must take account of the principle of proportionality and the principle of minimization (Article 5.1, c) of the GDPR).
As with any data processing, only the minimum necessary amount of data can be processed in order to achieve the desired purpose.
In addition, companies must be transparent with regard to the measures taken and sufficiently inform their workers and visitors, in particular about the purposes of processing and the duration of storage of personal data collected in this context (Article 5.1, a) of the GDPR).
Finally, the necessary security measures must be observed in order to protect the personal data to be processed (art. 5.1, f and 32 of the GDPR).

2. 3. Heightened Susceptibility to Phishing Attacks and Scams

   According to the US Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA), malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware, revealing sensitive information or donating to fraudulent charities or causes.

   Health care providers, health plans and their business associates should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:

   • Not clicking on links or opening attachments contained in unsolicited emails;
   • Using only trusted sources, such as government websites, to obtain up-to-date, fact-based information about COVID-19; and
   • Not responding to solicitations by email to reveal personal or financial information.[4]

FAQ[5]

A) Can a company or worker practice generalize and systematic controls (for example systematically controlling the body temperature of workers and / or visitors)?
The practice of such generalized and systematic checks by companies or employers cannot be deemed proportional. It is the job of the occupational physician to monitor people whose employer presumes that they have been exposed to COVID 19 and / or have symptoms of it.

B) Can an employer compel his workers to fill out a medical questionnaire or a questionnaire relating to his/her recent trips?
The employer cannot compel workers to complete such questionnaires. It is recommended to encourage workers to spontaneously report risky travel or symptoms. In this case too, the role of the occupational physician must be emphasized.

C) In order to prevent the spread of the virus, can a company or an employer reveal the names of the infected people / workers?
Under the principle of confidentiality (Article 5.1, f) of the GDPR) and the principle of data minimization (Article 5.1, c) of the GDPR), an employer cannot reveal the names of the persons concerned. The employer can only inform other workers of the situation without mentioning the identity of the person (s) concerned.

D) Can my employer forbid me to participate in meetings or gatherings with family or friends during my free time, or even forbid me to travel abroad?
If these questions from an employer to an employee are not accompanied by an effective processing of personal data, these are not the responsibility of the Data Protection Authorities. In general, an employer cannot take measures which go beyond the framework of existing work legislation or the instructions of the competent authorities.

[1] « COVID-19 response and data protection law in the EU and US »; https://iapp.org/news/a/covid-19-response-and-data-protection-law-in-the-eu-and-us/
[2][3][5] « COVID-19 et traitement de données à caractère personnel sur le lieu de travail » https://www.autoriteprotectiondonnees.be/covid-19-et-traitement-de-donn%C3%A9es-%C3%A0-caract%C3%A8re-personnel-sur-le-lieu-de-travail?fbclid=IwAR3RXeQE1qtjZnlcJrmGWni-E1bxgACRuiFRKsNbT8_qfpsN2QrfOzLm-DM
[4] « Privacy, HIPAA, Security and GDPR– COVID-19 Considerations »; https://www.natlawreview.com/article/privacy-hipaa-security-and-gdpr-covid-19-considerations