Series on Data Protection and Corona – Part 4: Processing of health data in context of preventive measures against corona infections

24. March 2020

Stopping the spread of the corona virus as far as possible, or at least slowing it down, is the top priority these days. For this reason, as far as possible many employers instruct their employees to work remote from home in order to reduce the risk of infection. However, this approach does not work for all businesses, such as the pharma industries, utilities (e.g. power plants) or grocery stores, food retailer and supplier. Therefore, there is a strong interest of such businesses that neither the present employees nor visitors (or customer) are infected with the virus.

In terms of infection prevention purposes, information on the state of health of individuals are an important means to help preventing people from getting infected with the virus and thus “flatten the curve”. Such health information fall under the so-called special categories of personal data according to Art. 9 of the EU General Data Protection Regulation (GDPR) and hence are subject to a particularly high level of protection. Therefore, when requesting information about an employee’s or visitor’s health, there are a number of things to be considered.

What are health data?

First, it needs some more clarification on the term ‘health data’: According to Art. 4 No. 15 GDPR, health data are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The term health data thus not only covers disease-specific information about the data subject, such as a viral infection or drug consumption, but already the general statement as to whether someone is healthy or not. Information that may not directly indicate an individual’s state of health in the first place is also to be considered health data if, in fact, the context in which the information is to be used leads to a conclusion about an individual’s health condition.

When can health data be processed?

It remains to be clarified when health data can be processed for infection prevention purposes under the GDPR. First of all, it is very likely that consent to the processing of health data for infection prevention purposes cannot be obtained freely given and would thus be invalid in nearly all practically relevant cases. However, without the consent of the data subject the processing of health data is only permissible in the exceptional cases according to Art. 9 para. 2 GDPR.  In the following this blog post therefore rather focuses on the options that are available without consent regarding the group of employees and visitors.

When is the employer allowed to collect and process health data of employees with regard to the corona virus, according to the GDPR?

Health data can be processed in the context of employment in the non-public sector to the extent that it is necessary for reasons of public interest in the area of public health (Art. 9 para. 2 lit. i) GDPR and local EU member state law, such as section 53 of the Irish Data Protection Act 2018 or § 22 para,. 1 lit. c) of the German Federal Data Protection Act) and/or to the extent that it is necessary for the fulfillment of rights and obligations in the context of the employment (Art. 9 para. 2 lit. b) GDPR together with a local EU member state law, such as the Irish Safety, Health and Welfare at Work Act 2005) as, e.g., the Irish and Hungarian Data Protection Authorities both stated (for the list of authority statements see our previous blog post part 1).

However, the employer has a duty of care, particularly with regard to the protection against the corona virus, which applies not only to the individual employee, but also to all employees as a whole. Accordingly, the employer is obliged to take proportionate measures to protect the health of its employees during working hours. In particular, this also includes measures against diseases such as the corona virus that are  notifiable under the local infection protection laws of EU member states.

Please note that, in accordance with the principle of data minimization, only the information that consists the strictly necessary health data is to be collected and processed. Therefore, it is recommend that employers should make use of other preventive measures (e.g. by teaching employees on infection prevention or providing them with hand disinfection or protective clothing) before considering means of data processing. Moreover, such health data is to be treated strictly confidential, both for the protection of the individual employee and to maintain the industrial peace and the operation of the company. If the employer should process personal data which are not health data, he can – after careful examination – also rely on Art. 6 Para. 1 lit. f) GDPR.

Does the employee have to report an infection?

The employee is also obliged to inform the employer of a corona infection, because of his fiduciary duty to the employer. This principle of loyalty also authorizes the employee to disclose personal data of other individuals in the business environment with whom he has had contact. This disclosure to the employer and the following assessment and storage of such information by the employer can be based on a legitimate interest of the employer under Art. 6 para. 1 lit. f) GDPR as well as on Art. 6 para. 1 lit. c) GDPR.

When is a company allowed to collect and process health data of visitors of its premises?

Since companies regularly welcome visitors and guests, there is also a strong interest of companies in taking precautionary measures to contain the virus. If health data would need to be processed for this purpose, this can be done after careful examination on the basis of Art. 9 para. 2 lit. i) GDPR and, if any, local EU member state law (such as mentioned above). In the case of other measures in which personal data other than health data are processed, the employer may rely on his legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR (cf. BfDI).

What measures are permitted with regard to the containment of the corona virus?

Examples of permissible measures “against” employees:

  • measures without data protection reference, such as hygiene regulations, general instructions (e.g., to stay at home if symptoms occur), cancellation/postponement of business trips, instruction to work remote from home, regularly inform about relevant news about the virus,
  • request for information on infection in case of justified suspicion,
  • requesting infected employees for information about contacted persons in the company environment,
  • request for information about whether they have been to a risk area after vacation or business trips,
  • processing of such information that have been proactively communicated by the employee, e.g. that there has been contact with a (potentially) infected individual,
  • obtain consent to store emergency contacts and private contact details for notification purposes, in case of emergencies and operational changes due to the corona virus.

Examples of non-acceptable measures “against” employees:

  • mandatory comprehensive questionnaires to the entire workforce (e.g. series of unreasonable surveys),
  • interviewing other workers to see if anyone of the staff has symptoms.

Examples of permissible measures for visitors or guests of the company:

  • measures without data protection reference, such as hygiene regulations, restriction of visiting possibilities, a notice to postpone the visit if having symptoms,
  • request for information on infection in case of justified suspicion,
  • requesting infected visitors or guests for information regarding contacted persons in the company.

Examples of unacceptable actions towards visitors or guests of the company:

  • general (comprehensive) request for health information without justified suspicion.

The series on Data Protection and Corona will be continued tomorrow with a blog post on Data Protection compliant remote work.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.