Tag: Russia

(Update) Processing of COVID-19 immunization data of employees in non-EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. The employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. As LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong-Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable measures to ensure the safety and health of all their employees in the workplace. The vaccination may be considered as part of  COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with infection with the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate the risk. In this case, the employer must comply with the Personal Data Protection Regulation (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and must not be kept longer than is necessary for that purpose. According to the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

Russia: Employers must verify which employees have been vaccinated and record this information if such vaccinations are required by law. If a vaccination is not required by law, the employer may require this information, but employees have the right not to provide it. If the information on vaccinations is provided on a voluntary basis, the employer may keep it in the employee’s file, provided that the employee consents in writing to the processing of the personal data. An employer may impose mandatory vaccination if an employee performs an activity involving a high risk of infection (e.g. employees in educational institutions, organizations working with infected patients, laboratories working with live cultures of pathogens of infectious diseases or with human blood and body fluids, etc.) and a corresponding vaccination is listed in the national calendar of protective vaccinations for epidemic indications. All these cases are listed in the Decree of the Government of the Russian Federation dated July 15, 1999 No 825.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. He must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

In England, mandatory vaccination is in place for staff in care homes, and from April 2022, this will also apply to staff with patient contact in the National Health Service (NHS). Other parts of the UK have not yet introduced such rules.

USA: The Equal Employment Opportunity Commission (EEOC) published a document proposing that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts with a third party to do so, it must demonstrate that the screening questions are “job-related and consistent with business necessity.”

On November 5th, 2021, the U.S. Occupational Safety and Health Administration (OSHA) released a emergency temporary standard (ETS) urging affected employers to take affirmative action on COVID-19 safety, including adopting a policy requiring full COVID-19 vaccination of employees or giving employees the choice of either being vaccinated against COVID-19 or requiring COVID-19 testing and facial coverage. On November 12th, 2021, the court of appeals suspended enforcement of the ETS pending a decision on a permanent injunction. While this suspension is pending, OSHA cannot take any steps to implement or enforce the ETS.

In the US there are a number of different state and federal workplace safety, employment, and privacy laws that provide diverging requirements on processing COVID-19 related information.

Facebook: private messages from more than 81.000 people for sale

5. November 2018

According to a BBC report, more than 81.000 Facebook profiles were hacked. Private messages and other information was offered for 10 cents per account.

The BBC had the allegations checked by the IT security company Digital Shadows, who confirmed that over 81.000 of the profiles posted online contained private messenger messages. Furthermore, data from more than 176.000 accounts, including e-mail addresses and telephone numbers were available. This information did not necessarily have to come from a hack, as some of it was also open on public Facebook profiles

The BBC Russian Service also emailed the address that offered the data. The respondent – someone called “John Smith”- wrote that the offered data was neither from profiles involved in the Cambridge Analytica scandal nor of the recent security breach revealed in September. He said that his hacker group could offer data from 20 million users, of whom 2.7 million were Russians. But Digital Shadows doubts this because Facebook should have noticed such a big leak.

Facebook reported that its security has not been compromised. The data might be obtained through malicious browser extensions. According to Facebook executive Guy Rosen, they “have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores”.

 

Moscow adds facial recognition to its network of surveillance cameras

2. October 2017

Moscow adds facial recognition to its network of 170.000 surveillance cameras across the city to be able to identify criminals and boost security, Bloomberg reports. The camera surveillance started in 2012. The recordings of the camera surveillance system have been held for five days after they are captured, with an amount of 20 million hours of video material stored at any one time. “We soon found it impossible to process such volumes of data by police officers alone,” Artem Ermolaev, who is Head of the Department of Information Technology in Moscow, said according to Bloomberg. “We needed an artificial intelligence to help find what we are looking for.”, he further said.

A Russian start-up, named N-Tech.Lab Ltd designed the facial recognition technology. The start-up is known for its mobile app FindFace which was released last year. With FindFace it is possible to search for users of the Russian social network VKontakte by making a picture of a person’s face and match it against the user profiles of VKontakte.

However, due to high costs the face recognition technology should not be deployed to every camera and therefore only be installed selectively within specific districts where it is needed the most. To maintain the camera surveillance, the Moscow government already should spend about $ 86 million a year and this amount would triple if every camera would use the new facial recognition technology.

The new technology is used to cross-reference images captured by the cameras with those from the Interior Ministry’s database.

Roskomnadzor publishes privacy guidelines for data operator

17. August 2017

The Russian data protection authority Roskomnadzor published guidelines for data operators on the drafting of privacy policies on July 31.

Russian data operators must adopt a privacy policy to comply with Russian data protection law. The policy must describe how they process of personal data. This policy shall be published online if personal data is collected online. In case of collecting personal data offline an unrestricted access to the policy has to be guaranteed.

The policy shall be detailed so that data subjects are aware of all potential actions.

According to the guidance the policy must contain in general the following information:

  • main purpose of the policy and definitions used in the policy
  • main rights and obligations of the data operator and data subjects,
  • purposes for personal data processing,
  • legal grounds for personal data processing
  • volume and categories of personal data processed. For each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes tied to specific purposes and indicate all cases of processing special categories of personal data or biometric data,
  • procedures and conditions for personal data processing,
  • procedures for updating, correcting, deleting, or destroying personal data and
  • procedures for responding to data subjects’ requests.

In addition the guideline regulates the case of sharing personal data with third parties. The data operator has to explain the taken measures to protect personal data and beside the purpose of sharing, the volume of personal data to be transferred, the data use restrictions and security measures. Furthermore the name and the address of the the third party need to be published in the policy.

Finally it shall be mentioned that the guidance is recommendatory nature and non-binding. Nonetheless data operators should strongly take these recommendations into account if they develop new privacy policies to be compliant with the Personal Data Law.

LinkedIn was banned in Russia

27. January 2017

The Russian data protection authority “Roskomnadzor” sent on November, 17 2016 an order to the telecommunication companies to block access to LinkedIn within Russia. The reason for this step was, according to Roskomnadzor, that LinkedIn does not protect subjects’ data rights in a way that complies with the Russian data protection law.

The order of Roskomnadzor refers to a Moscow District court decision from August, 4 2016.

The case of LinkedIn is the first major test of the Russian law, which is on effect since September, 1 2015.

Roskomnadzor judges, that LinkedIn not only violates against the data localization requirement furthermore LinkedIn also violates a number of other requirements such as collecting personal data from non-users without their consent before they complete the registration process.

Now LinkedIn can take action against this decision within the six-month period to the Moscow Court and then appeal to the Russian Supreme Court. However, LinkedIn has not announced its intentions yet.