In connection with the spread of the corona virus (COVID-19), many employers have communicated internal guidelines on how employees should act in relation to customers, suppliers and visitors. Many employers have also imposed restrictions on business and private travels, imposed quarantine or encouraged employees to work from home. In these situations, certain data protection related issues arise, especially related to the potential processing of personal data regarding health, for which there are specific restrictions in the General Data Protection Regulation (GDPR). Please see below some issues to consider.
Personal data concerning health is all data pertaining to an individual’s health status, which may reveal information relating to the past, current or future physical or mental health status of an individual. Pursuant to Article 9 of the GDPR, personal data concerning health constitutes a special category of personal data, i.e. sensitive data, which merits specific protection and is thereby subject to restrictions regarding its processing.
Pursuant to the GDPR, all processing of personal data requires a legal basis. A fundamental prerequisite for processing is therefore that at least one of the legal bases under Article 6 of the GDPR is applicable. As regards processing of an employees’ personal data, the employment contract is in general the legal basis for processing, pursuant to Article 6.1 (b).
As regards sensitive data, the main rule in Article 9 of the GDPR is that the processing of personal data concerning inter alia health is prohibited. However, there are certain exceptions from the prohibition. Pursuant to Article 9.2 (b) of the GDPR, sensitive data may be processed if the processing is necessary for the purpose of carrying out the obligations of the data controller in the field of employment. According to the GDPR, it is also permissible to issue national conditions for processing of certain types of sensitive data, which has been expressed in Swedish law regarding obligations related to employment law in inter alia Chapter3 Section 2 of the Act (2018:218) containing supplementary provisions to the EU General Data Protection Regulation (Sw.Lag med kompletterande bestämmelser till EU:s dataskyddsförordning).
The information that someone is infected with the corona virus is regarded as personal data concerning health. The GDPR contains provisions allowing the employers to process sensitive data when it is necessary for the purpose of carrying out its obligations as an employer. Therefore, the information that an employee may be infected with the corona virus may be processed by the employer. Since the employer is responsible for the health and safety at the workplace, the employee is obliged to inform its employer of any infection, but the employer should consider not to process more data than it usually does in case of regular sick-leave.
According to recently published guidance from the Swedish Data Protection Authority (Sw. Datainspektionen), the information that an employee has returned from a so-called risk area, as well as the information that an employee is quarantined, is not considered as data concerning health.
An employer is obliged to guarantee its employees’ health and safety. As part of this duty, the employees should be kept informed regarding the spread of the infection at the workplace. However, individuals should not be named and it should normally be enough to communicate that a case has been identified at the workplace.
It is important to be clear when communicating with the employees regarding how the organization is working to prevent the spread of the infection, what data that may be collected and for what purposes, as well as where the employee can find out more about the data that is being processed about him or her. This means that the employer must take active measures to provide information to its employees or actively refer to the place where the information is available (e.g. a website). This should be done in connection with the collection of the personal data.
In order not to violate the GDPR, it is important to make sure not to collect or process too much information about the employees, and most of all, not to share the information too widely within the organization. Therefore, make sure that the circle of employees authorized to process the information is strictly limited. As regards the opportunities for the employees to work from home, the employer needs to consider and maintain the same level of security that would apply at the workplace under normal circumstances.
You can provide general information about guidelines applicable to visitors at your workplace. However, it is not relevant or adequate to process visitors’ health data regarding any infection or to identify visitors’ visits to risk areas.
The GDPR does not prevent an employer to request information, to a certain extent, about its employees’ travels and health status. For example, there may be a reason to document which employees having visited a risk area and whether it was a business or private trip, but not to document details of what activities the employee did during the holiday.
A fundamental principle of the GDPR is that no more personal data than necessary may be collected. Further, the personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. If an employee has been quarantined due to the fact that relatives of the employee have been reported infected, it is not relevant for the employer to process information on the identity of the infected person (i.e. the family member).
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means that the data must be erased as soon as there is no purpose for processing data about for example sick leave. Employers are obliged to keep personal data with regard to other legislation, e.g. the Sick Pay Act (Sw. Sjuklönelagen) and the Work Environment Act (Sw. Arbetsmiljölagen). According to Preamble 39 of the GDPR, the data controller should establish time limits for erasure as well as conducting regular reviews in order to ensure that erasure takes place accordingly.