Recently, we’re seeing an increased number of questions with regard to employee privacy and the Coronavirus (COVID-19). Employee privacy is not new, and especially in the EU there has been consistent guidance on what is (at baseline) possible and what is not. What data can you process when an employee calls in sick, and what can and can’t you ask? A normal everyday question.
But when an epidemic spreads like COVID-19, things may be a little different. As such, with the help of my overall better looking colleagues Nader Henein and Bernard Woo, we have written the following – which we hope will be helpful amidst other Gartner research on the topic.
What information an employer wishes to collect, or require, from employees in relation to COVID-19 (the coronavirus) is firstly governed by employment laws and regulations relating to health, public safety, etc.
Employers, though, have been reminded by data protection/privacy regulators that any such collection/request of information should still be balanced against protecting the privacy of (potentially) affected employees, as health-related information remains among the most sensitive information about individuals. Where it is not required, employers should record information that does not specifically identify that an employee has COVID-19 or name the country to which said employee has recently travelled. For example, employers can record that an employee has recently visited a “risk area” and/or is home with an illness.
Keep in mind this is not absolute. If it is necessary to record that an employee has COVID-19 – for example, in order to warn management or other employees in the office – the employer may do so. However, they still need to keep the following privacy best practices in mind:
- Record only information that is factual
- Record only the minimum amount of information necessary
- Limit access to that information to only those employees with a “need-to-know”
- Use the information as anonymously as possible (e.g. when informing staff about a temporary office shutdown, there is no need to add ‘who’ might be affected)
- Store the information in a secure manner and only for as long as is necessary
- Only disclose information to external parties where it is required by law (for example, to a local health agency in order to comply with a requirement under health legislation)
- Only use the collected information for specific, limited purposes (do not allow scope creep)
In general, as part of the overall risk analysis and balance, employers need to remind themselves that information revealing anything about the health of an individual is in many jurisdictions considered a ‘special category’ of personal data (which by definition makes it ‘sensitive’ personal data), and thus they should refrain from processing such data where possible.
In addition, employees are subject to a certain authority in relation to their employer. As such, consent should never be asked for to begin with. But more than that: there is a hierarchical dependence that implies a certain ‘moral obligation’ on the employee to proactively share information that does not have to be (or should not be) shared. In various countries the employer is prohibited from asking about anything beyond the direct impact on the workplace. In other words, it may be allowed to ask how long an employee expects to be away, or at what address the employee is staying during the period of care. It is, however, not always allowed to ask about the nature or the cause of an illness, and when an employee volunteers this information, it is still not necessary to record it, especially where there is a relationship with an occupational physician who records such information instead, under the usually applicable medical secrecy rules.
Note that formal institutions, like the Center for Disease Control (CDC), are officially tasked with matters of national health risks and epidemics or pandemics, and have the authority to gather more information than an employer has in the context of a regular employment contract.
(edit 21 March: The EDPB adjusted its guidance on the topic last week. Other countries’ DPAs have issued guidance as well, and though I won’t update this list with every new emerging guidance, a few include: Austria, Denmark, Estonia, France, Greece, Guernsey, Hungary, Ireland, Italy, Jersey, Latvia, Luxembourg, the Netherlands (incl. remote working tips), and Romania.)
(edit 23 March: a central overview of regulatory guidance is kept by the Global Privacy Assembly, here).