Temperature scanning using infrared thermal camera showing the processing of personal health data under GDPR during COVID-19 outbreak

The Processing of Personal Health Data according to the GDPR for Organizations in the time of Coronavirus (COVID-19)

Coronavirus disease 2019 (COVID-19) is a respiratory disease caused by the virus SARS-CoV-2. The outbreak first became noticeable at the end of December 2019 in the megacity of Wuhan in the Chinese province of Hubei. On 30 January 2020, the World Health Organization declared it a public health emergency of international concern. By March 2020 COVID-19 had spread into a worldwide pandemic with over 125,000 confirmed cases in 118 countries and 4,291 deaths, and rising, becoming a financial threat to corporations as well as to economies. Many European organizations are currently facing the question of how to deal with the personal health data of their employees. This article discusses how organizations can deal with the resulting data protection challenges and which privacy approaches they can take within their entities.

Requirement of health data

Under the General Data Protection Regulation 2016/679 of the European Union (GDPR), ‘special categories’ of personal data require an additional layer of protection because they are particularly sensitive.[1] Information about an individual’s health is such a special category, and the ability to lawfully collect personal health data is correspondingly more limited. Information about an individual’s travel history is personal data and, depending on the context, may itself fall under a special category, for instance if the traveller discloses a health concern connected with the trip.

The GDPR defines data concerning health broadly as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Art. 4(15) GDPR). Health data therefore covers not only information that is obviously health-related (such as a description of symptoms) but also more general information (e.g. the fact that an individual is calling in sick), and not only past or present conditions but also information concerning a person’s future health. Consequently, if an organization records that an employee shows symptoms of coronavirus, that record is already health data within the meaning of Article 9(1) GDPR. Data that the organization receives through self-declarations or questionnaires from employees or external parties in order to check their current health status is likewise sensitive data that requires protection. Entry controls and surveys tied to specific occasions, such as the return from a business trip, are also subject to these special requirements. By contrast, a manual temperature check whose result is neither recorded nor otherwise further processed would not constitute processing of personal data.

Lawfulness of processing

Health data are subject to the processing prohibition of Art. 9(1) GDPR, which imposes stricter requirements than Art. 6(1) GDPR, the provision governing ordinary personal data. Nevertheless, Art. 9(2) GDPR lists exceptions under which processing is permitted. The legal basis for processing health data in connection with measures against the coronavirus can be one of the following:

Processing via consent

Art. 9(2) lit. a GDPR permits data processing on the basis of the explicit consent of the data subject. Consent cannot be given by implication or through an opt-out procedure. Consent to the processing of health data must meet the definition in Article 4 No. 11 GDPR, i.e. be freely given, specific, informed and unambiguous, and on top of that be explicit; a lower national-law standard for consent does not suffice. Written consent is the most appropriate form and should be obtained and filed for accountability reasons under Art. 5(2) GDPR; where consent is given orally, the purpose, date and time should likewise be noted and filed.

Consent has drawbacks, however. Since it is voluntary it can be withdrawn at any time (Art. 7(3) GDPR), so comprehensive use and evaluation of the data cannot be guaranteed, and in the employment relationship the imbalance of power between employer and employee makes it doubtful whether consent is freely given at all (Recital 43 GDPR). In addition, it is unclear how the consent of all potentially affected persons who have been in contact with a patient could be obtained.

Processing to protect the vital interests of a natural person

According to Art. 9(2) lit. c GDPR, processing is permissible if it is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. The requirement that the interests be “vital” sets a high bar. According to Recital 46, the processing of personal data for humanitarian purposes, including the monitoring of epidemics and their spread, may be necessary to protect the vital interests of other persons.

Processing may also fail on the subsidiarity of this ground. According to Recital 46 GDPR, personal data should in principle be processed on the basis of the vital interest of another natural person only where the processing cannot manifestly be based on another legal basis. This underlines the exceptional and case-by-case character of the provision. It is therefore not suitable for the general collection of location data of an undefined number of persons over a longer period for preventive purposes.

Processing for reasons of public interests

Art. 9(2) lit. i GDPR is an opening clause: the national legislature may, under certain conditions, enact its own provisions.[2] Under it, the processing of sensitive data is permissible where necessary for reasons of public interest in the area of public health, which includes in particular protecting against “serious cross-border threats to health” and “ensuring high standards of quality and safety of health care and of medicinal products or medical devices”, provided that Union or Member State law supplies the basis and suitable and specific measures to safeguard the rights of the data subject. Given the rapid spread of the coronavirus, protective measures clearly fall under the cross-border health threat alternative, but an organization still needs such a statutory basis to rely on this ground.

A further, similar legal basis is Art. 9(2) lit. g GDPR. Under this provision the national legislator can enact legislation that allows organizations to process special categories of personal data where there is a substantial public interest. Such a substantial public interest certainly exists in the fight against the coronavirus, but it is the national legislature that must create the specific provisions which define the permitted processing and its conditions in more detail.

The GDPR expressly contemplates pandemic situations and allows Member State law to permit data processing “for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health” (Recital 52 GDPR). Special attention must be paid to the transparency of the measures and to confidentiality[3], technical security[4] and data minimization[5]. Furthermore, Recital 46 GDPR clarifies: “Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”

Recommendation of organizational measures

Immediate privacy measures for the organizations

Every processing of employees’ health data in connection with the coronavirus must first of all be necessary, in line with the data minimization principle. Organizations, as controllers, should therefore continuously check whether the personal health data are “adequate, relevant and limited to what is necessary in relation to the purposes” for which they are processed.[6] At this point the Data Protection Officer (DPO) and the business should consider together whether the same goal can be achieved by reframing a question or by an alternative procedure that collects less data.

The usual information requirements towards data subjects (Articles 12 to 14 GDPR) apply. Data subjects whose personal data are collected must receive a privacy notice, before or at the moment of collection, describing the main characteristics of the data use. Existing privacy notices should be reviewed to check whether they cover the relevant processing, in particular the collection and storage of the data in question and to whom it is transferred. Organizations can either update existing privacy notices and policies if they do not cover disease containment or create a new privacy notice dedicated to the coronavirus. This notice must be implemented and provided to employees, and must state the conditions for processing the data, the lawful basis the controller relies on, and specific details on the applicable retention and deletion periods.

All data subject rights remain applicable. Organizations as controllers need processes in place to handle requests exercising these rights, in particular:

  • the right of access (Article 15);
  • the right to erasure (Article 17); and
  • the right to object to the processing of the personal health data where it is processed on the basis of Articles 6(1) lit. e or f (Article 21).

Given the nature of coronavirus-related processing, a Data Protection Impact Assessment (DPIA) under Article 35 GDPR has to be carried out where the evaluation of sensitive health data is likely to result in a high risk to individuals, which is expressly the case for large-scale processing of special categories of data (Art. 35(3) lit. b GDPR); in addition, appropriate safeguards have to be implemented for the processing of health data.[7] A data processing agreement should be put in place to govern the sharing of personal health data between a client organization and its supplier in managing coronavirus risks.[8] Especially in large corporations, where data flows back and forth rapidly and comprehensively between group entities, a Joint Controller Agreement[9] should be concluded and, if necessary, supplemented with the purpose of sharing health data regarding the coronavirus.[10] According to Article 30 GDPR the record of processing activities must be maintained and updated to reflect the new personal data processed as a consequence of the coronavirus. This should be done promptly and as precisely and accurately as possible.

Moreover, the technical and organizational measures implemented must ensure a level of security appropriate to the risk. Personal health data should be stored and processed in encrypted form in a segregated area; Art. 32(1) lit. a GDPR names pseudonymisation and encryption explicitly as such measures.[11] Most importantly, only those employees who strictly need the data to perform their tasks should have access to it, and only for as long as the storage limitation principle allows.[12] The organization must also actively carry out deletion once the legal retention period has expired or the purpose has been fulfilled. In all cases, organizations as controllers remain accountable for their processing activities (Art. 5(2) GDPR).

Measures by organizations towards employees

Organizations can collect and store health data relating to their employees through self-disclosure or questionnaires about their recent whereabouts and possible symptoms. They can also conduct surveys on specific occasions, such as after business trips or contact with suspected cases. In the event of a confirmed positive finding on an employee by an official body, or of confirmed contact with a person who tested positive, it must be permissible to process information about the employee concerned, e.g. the time of contact, close contacts and the measures taken. However, it is not permissible to require all employees to provide information on their travel destinations and health status, nor to collect blanket information about flu symptoms from employees or to have colleagues report it.

Fever testing of employees at the entrance to the organization’s premises and other medical measures (e.g. throat swabs) can be justified only under strict conditions. A fever test can be regarded as permissible if the result is used solely for admission control, with the necessary and limited decision recorded as a simple “yes or no”. Such measures are far less problematic if they are purely voluntary; a compulsory fever test for all employees, with a raised temperature triggering immediate consequences such as being sent home, would be critical, not least because body temperature alone is not a definitive criterion for an infection. In sectors such as food production the admissibility and enforcement of such measures will more likely be affirmed.

Other measures currently under discussion should be viewed very critically, e.g. mobile phone tracking of infected persons in order to identify contact persons, or the publication of specific addresses of infected persons as is done in Singapore. In any case, such measures could only be carried out by the state, i.e. by the governmental agencies authorized to protect public health, and not by individual companies.

In order to ensure that employees can be warned at short notice, before they appear at work, organizations may also request and temporarily store the current private mobile phone number or similar contact details of their employees. This can only be done with the employee’s consent; there is no obligation for employees to disclose private contact details, although it will usually be in their own interest. For coronavirus prevention, an “internal communication network” tailored to the respective organization is recommended, so that the organization can take specific communication measures depending on the phase of the pandemic.

The decisive factor here is that private contact data are “collected for specified, explicit and legitimate purposes”.[13] Here the purpose is to reduce the employees’ risk of infection. At the latest after the end of the pandemic, the collected private contact data must be deleted by the organization; using it “through the back door” at a later date to establish contact for other purposes would not be permissible under the GDPR.

Summary

Knowing about an employee’s coronavirus infection can lead to considerable stigmatization of that employee, so naming the affected employee should be avoided. At the same time, employees who have been in direct contact with an infected person must be warned and are usually released from work themselves to reduce the risk of infection. Such a warning can be issued on a department or team basis without mentioning a name. If, in exceptional cases, this is not sufficient, the organization must contact the health authorities and request their decision. Only if this is also not possible may the other employees be informed of the suspected infection or illness of the specific employee, in order to locate and contain sources of infection.

An alternative to monitoring symptoms, travel patterns and possible encounters with infected patients is for organizations to implement procedures and policies to reduce the risk of infection at work. Organizations can also provide their workforce and visitors with good practice hygiene recommendations, make hand sanitizer available and restrict interpersonal contact to reduce the risk of infection.

Without actively collecting any information about their employees, organizations can also implement clear procedures, discouraging employees from coming to work if they have travelled to affected regions, have certain symptoms or have come into contact with a COVID-19 patient.

If requested by the health authorities by official written order, organizations may transmit the collected and stored employee data, for example where it later becomes known that an infected person was at the office or at an event, on the basis of Art. 6(1) lit. c and Art. 6(2)-(3) GDPR. Such an order regularly corresponds to an obligation to transmit the data to the authorities. As long as no official order has been issued, organizations may collect and store the names and contact details of their employees for the purpose of transmitting them to the health authorities on request only on the basis of consent (Art. 6(1) lit. a GDPR). In this case, the storage period should be based on the presumed incubation and detection period of the infection.

How personal data could be collected by organizations

Organizations should only collect necessary personal data. In the context of coronavirus containment, this means collecting the minimum information needed to evaluate the risk that an individual carries the virus and take proportionate, risk-based measures.

Data likely deemed necessary:

  • Coronavirus (medical and health) symptoms
  • Travel data (yes/no, date, time, duration): whether the person recently travelled to “hot zones”, for example currently China, Italy and Iran. The information can cover both business and non-business travel
  • Close contact (yes/no, date, time, duration) with individuals who have recently been in “hot zones” and/or show coronavirus symptoms

Data unlikely deemed necessary:

  • Nationality, political opinions, religious or philosophical beliefs, trade union membership, or data concerning a natural person’s sex life or sexual orientation
  • The identity of the individuals to whom that person has been exposed
  • Countries visited that are not “hot zones”, or countries visited before the (roughly two-week) incubation period

As a result, organizations may check employees’ temperature where this is justified by the risk that an infected employee contaminates sensitive material or colleagues at work, but any medical examination should be carried out by medical professionals and not by office staff.

How should organizations collect personal data?

In terms of data collection method, the least intrusive and disturbing option should be selected. This may require a gradual, risk-based approach, such as:

  • providing questionnaires with targeted yes/no questions to carry out a first screening of individuals’ coronavirus risk, reviewing the questionnaire so that only required and necessary information is collected, and, on the basis of the initial screening results, notifying individuals presenting a high contamination risk of the measures that will be taken to limit their interactions with the workplace; and
  • asking data subjects who provided incomplete or improperly completed questionnaires to confirm the information.
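The controls recommended above (collect only the yes/no fields from the table, restrict access to the roles that strictly need it, warn at team level without names, delete after the incubation period, honour erasure requests) can be made concrete in code. The following Python example is added here as an illustration; it is not part of the original article nor any tool of the author’s organization. The field names, the role names, the two-week window and the HMAC-based pseudonymisation key are assumptions, and the in-memory list stands in for the encrypted, access-restricted store the article calls for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set
import hashlib
import hmac

# Yes/no fields the table above lists as likely necessary. Any other key is refused,
# so a screening form cannot quietly grow beyond its purpose (Art. 5(1) lit. c).
ALLOWED_FIELDS = {"symptoms", "travel_hot_zone", "close_contact"}

# Assumption: the two-week incubation window the article uses as its retention yardstick.
INCUBATION_DAYS = 14


@dataclass
class ScreeningRecord:
    pseudonym: str        # keyed hash of the employee id, never the name
    department: str       # granularity used for warnings: team or department, no names
    collected_on: date
    answers: Dict[str, bool]


class ScreeningStore:
    """In-memory stand-in for the restricted, encrypted store the article calls for."""

    def __init__(self, pseudonym_key: bytes, authorized_roles=("dpo", "occupational_health")):
        self._key = pseudonym_key            # assumption: held by the controller, not in the store
        self._roles = set(authorized_roles)  # assumption: the roles that strictly need the data
        self._records: List[ScreeningRecord] = []

    def pseudonymize(self, employee_id: str) -> str:
        # Keyed hash (Art. 32(1) lit. a): re-identification needs the key; a plain hash would not.
        return hmac.new(self._key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, employee_id: str, department: str,
               answers: Dict[str, bool], today: date) -> ScreeningRecord:
        extra = set(answers) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"not necessary for the purpose, refused: {sorted(extra)}")
        if not all(isinstance(v, bool) for v in answers.values()):
            raise ValueError("screening answers must be yes/no")
        rec = ScreeningRecord(self.pseudonymize(employee_id), department, today, dict(answers))
        self._records.append(rec)
        return rec

    def high_risk(self, role: str) -> List[str]:
        # Only the roles that strictly need the data may read it (Art. 5(1) lit. f, Art. 32).
        if role not in self._roles:
            raise PermissionError(f"role {role!r} may not read health data")
        return [r.pseudonym for r in self._records if any(r.answers.values())]

    def departments_to_warn(self) -> Set[str]:
        # Team-level warning without naming anyone, as the Summary section recommends.
        return {r.department for r in self._records
                if r.answers.get("symptoms") or r.answers.get("close_contact")}

    def purge_expired(self, today: date) -> int:
        # Storage limitation (Art. 5(1) lit. e): drop records older than the incubation window.
        cutoff = today - timedelta(days=INCUBATION_DAYS)
        keep = [r for r in self._records if r.collected_on >= cutoff]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def erase_subject(self, employee_id: str) -> int:
        # Right to erasure (Art. 17): the controller resolves the pseudonym with its key.
        pseudonym = self.pseudonymize(employee_id)
        keep = [r for r in self._records if r.pseudonym != pseudonym]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed


if __name__ == "__main__":
    # Constructed sample input, not real employee data.
    store = ScreeningStore(b"controller-secret")
    store.record("E1001", "finance",
                 {"symptoms": False, "travel_hot_zone": True, "close_contact": False}, date(2020, 3, 10))
    store.record("E2001", "ops",
                 {"symptoms": True, "travel_hot_zone": False, "close_contact": False}, date(2020, 2, 20))
    print("departments to warn:", store.departments_to_warn())
    print("records purged:", store.purge_expired(date(2020, 3, 10)))
```

The design choice worth noting is that the store never holds a name: warnings go out per department, and the only way back from a pseudonym to a person is the HMAC key held by the controller, which is what makes an erasure request or a transmission to the health authorities possible without every reader of the store being able to identify employees. A production deployment would additionally encrypt the records at rest and log every call to `high_risk`, which this example leaves out.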

Sharing personal health data of individuals

The GDPR allows organizations to outsource the collection and analysis of coronavirus-related personal data, provided the outsourcing does not lower the level of data protection. In particular, the organization should engage only service providers capable of complying with GDPR obligations and formalize the relationship in an appropriate data protection agreement. Where sharing is strictly necessary, for example because a contractor or a group company must implement sufficient health and safety measures, or because information must be shared with government bodies, the processing of employees’ personal health data must still comply with all GDPR requirements (determination of a legal basis, information of the individuals concerned, data minimization, security measures, appropriate data protection provisions in the contract). For transparency, an organization may inform its employees about the infection of other workers or visitors without communicating personal information such as the names or positions of the infected individuals.

The storage of health data of visitors to the organization – regardless of the existence of an effective consent – is inadmissible, as is the detailed publication of sensitive data of an employee or the blanket fever measurement at the organization entrance. Permissible measures involving the processing of data are, especially with regard to the organization’s own employees, the creation of questionnaires and the storage of the resulting health data. Travel data can be collected provided the organization complies with essential principles such as transparency, lawfulness and security. Health data collection is prohibited, but there are exceptions to that rule as explained.


Weighing the infection rate on the one hand against the intensity of the intrusion into the privacy of the persons concerned when health data are accessed on the other, it is not difficult to imagine that collection and evaluation could be regarded as disproportionate. After all, the potential for abuse is great: from the health data collected it would be relatively easy to draw further conclusions about, for example, religious or political beliefs or sexual orientation. However, the risk to public health is growing and is existential. It is then up to the organization to find a good balance between data protection and the health protection of its other employees.

[1] Art. 9(1) GDPR
[2] e.g. Data Protection Act 2018 (UK) or Bundesdatenschutzgesetz (Germany)
[3] Art. 5(1) lit. f GDPR (“processed in a manner that ensures appropriate security of the personal data”)
[4] Art. 24(1), Art. 25(1) and Art. 32(1) GDPR (responsibility of the controller, data protection by design and by default, security of processing)
[5] Art. 5(1) lit. c GDPR (“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”)
[6] Recital 39 GDPR, Art. 5(1) lit. c GDPR (“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”)
[7] Art. 35 and Art. 89 GDPR (data protection impact assessment; safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
[8] Art. 28(3) GDPR
[9] Art. 26 GDPR
[10] Art. 6(4) GDPR, Recital 50 GDPR
[11] Art. 24(1), Art. 25(1) and Art. 32(1) GDPR
[12] Art. 5(1) lit. e GDPR
[13] Art. 5(1) lit. b GDPR

 

Data Protection Manager at Aon