COVID-19: Privacy Laws. Implications

Article by Mihaela Ion and Luana Dragomirescu, Popovici Nitu Stoica & Asociatii

 With an increasing spread of COVID-19, companies are facing complex challenges in their businesses‘ day-to-day operation. For avoiding the risk of infection within their workforce, protecting employees and their business, companies have considered several approaches, including an active monitoring of employees (their state of health, travel or meeting plans in or outside of work and their possible contact with infected persons outside the workplace) but also of contractors or visitors entering their premises.  Implications of such monitoring and a dissemination of sensitive data from data privacy perspective are shortly addressed below. This privacy section should be read in conjunction with the employment section of this tool kit, which contains complementary information.

In these hard times, when states are closing their borders and declaring a state of emergency, when certain activities are limited or closed by law, actions that might have been rejected under other circumstances may become the best choice. Therefore, we advocate taking into consideration the greater good, consider legal obligations to comply with measures for the prevention or control of infectious diseases (failure of such, by legal or natural persons alike, being incriminated under the Romanian Criminal Code), purposes that supersede the interests or fundamental rights and freedoms of the individuals whose data are processed.

Relevant questions & answers from a data privacy perspective

1. Am I allowed to actively monitor the state of health of the employees and visitors entering the premises?

Yes. Any active collection of data (such as body temperature and information on travel patterns and possible encounters with infected persons) from employees/ visitors entering the premises is permitted, provided that such collection of data relies on a valid condition under GDPR (art. 6 letter d. and art. 9 (2) letters b., h. and i.) and is limited to what is necessary (e.g. employer must not request information about the medical history of the data subject or any medical documentation).

Please note that (a) employees are under a general obligation to immediately inform the employer about any circumstances which they believe to be a danger for health and safety at the workplace (risk of/ confirmed infection with COVID-19) and (b) employers are required to notify the medical authorities, namely the Public Health Directorate (DSP) in case of a confirmed infection with COVID-19 among its workforce [see also the employment section of this tool kit].

2. Is there any derogation from processing health data recommended by the GDPR?

YES. 

Preamble (52) in the GDPR states that “Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.”

Article 23 (1) letter e) in the GDPR states that “Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard […] other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security.”

3. How can I monitor the state of health from a practical point of view?

For employees:

• temperature screening at the entrance in the premises, 
• medical checks conducted or supervised by medical professionals (medicul de medicina muncii);

• provide remote working options;

• insure full disinfection of all areas if becoming aware of any suspicions or confirmed COVID-19 infected individuals that entered the premises and request all members of the workforce in contact (directly or indirectly) with the infected individual to enter into self-isolation;

• implement procedures and policies to reduce the risk of infection at work (e.g. an emergency response plan that outlines the steps to be taken by company’s personnel to ensure prevention and control of possible COVID-19 cases among employees, contractors, visitors and their families, clear procedures on self-isolation in case of contagion etc.); if such procedure is implemented, we recommend formal notification of such to the health and safety committee (comitetul de securitate si sanatate in munca) in line with art. 71 of the Norms for the application of Law no. 319/2006 regarding safety and health at work;

For visitors entering the premises: 

• temperature screening at the entrance in the premises, 
• questionnaire/ self-assessment checklist to evaluate potential exposure to the virus and therefore the potential risk of the access to the premises.

4. Can I disclose any health data and to whom?

As a general rule, as we are envisaging sensitive data (health data), avoid any public disclosures or making the identity of the infected person accessible to persons other than:

• the staff, on a need-to-know basis; a general statement in case of a confirmed infection with COVID-19 among the workforce (avoiding the disclosure of the employee’s identity) can be considered at the workplace, if not susceptible of preventing the fight against diseases/spread of the disease. However, prevention and fight against the disease/its spread implies a obligation to investigate and identify all individuals who were in direct or indirect contact with the employee who is or may be infected with COVID-19;
• processors authorized for and instructed by the company to the processing of personal data (e.g. security company managing the access to the premises) on the basis of pursuing the specific purpose;
• affiliated companies and shareholders (sharing information within the same group of undertaking), only if justified by a legitimate interest superseding the interest and rights of the concerned individuals (balancing test to be taken in this particular case of disclosure);
• reporting obligations under local laws and regulations to public authorities acting in their institutional capacity;

5. What should I consider when implementing any monitoring measures?

Privacy authorities generally recommend companies to consider:

• whether there is a good reason to collect or disclose the personal data in question;
• whether the specific personal data is necessary, including whether the employer’s purpose can be achieved by collecting less;
• whether it is necessary to name names – e.g. the name of the person infected or quarantined.

6. What should I take into consideration from a data privacy perspective?

The following recommendations can be made in the context:

• insure proper information of the data subjects (as per art. 13 in the GDPR) – for both employees and visitors entering the facilities in respect of any assessment questionnaires or health checks (e.g. temperature screening of employees and visitors entering the premises) the company plans to implement;
• avoid collecting or keeping excessive data, especially health data (e.g. no records from the thermal scanner reading should be stored or archived) 
• consider the potential involvement of a health care professional (medicul de medicina muncii) in carrying the health checks;
• consider updating the company’s prevention and protection plan (planul de preveniresiprotectie) [see the employment section for further details]

7. Is there a retention term for any visitors/ employees’ questionnaires or records in the COVID-19 context?

NO. Retention period for questionnaires or other related records shall be set on a case by case basis, by each data controller, provided data shall not be kept for longer than necessary considering the processing purpose for which the data was collected. We recommend setting short retention periods (up to 60 days), to be extended in all cases where the data could be required for epidemiological investigations/communication with the Public Health Inspectorate (DSP).

8. Has the Romanian Data Protection Authority (ANSPDCP) issued any guidance in the COVID-19 context?

YES. Specific data protection guidance on COVID-19 situation was issued on March 18th, 2020, by Romanian Data Protection Authority (ANSPDCP) available here. 

Seeing the developments, official position should be further checked constantly, here.

9. Are any exemptions from the privacy rules and obligations in the COVID-19 context?

NO. All obligations under privacy regulations should be complied with by controllers and processors alike (notification of data breaches, exercise of data subjects rights and implementing adequate technical and organizational measures for all processing activities in the COVID-19 context).In respect of investigations, Romanian Data Protection Authority (ANSPDCP) has not issued any statements related to suspension of its activities, therefore, we shall assume that investigation activities will continue, with certain limitations (limiting the presence of the investigation teams at the companies’ premises, with an accent on requesting documents and information in electronic format, method that was otherwise previously used by the authority). 

Note: This analysis is based on the legal provisions in force as of 19 March 2020, being subject to any amendments that future enactments may require. 

This document is intended for informational purposes only, does not represent legal advice and does not focus on particular cases.