In the fight against the coronavirus (COVID-19), employers around the world are doing their best to reduce the spread of COVID-19. In most countries, employees are ordered to work from home, and those who have recently travelled to certain countries are required to self-quarantine.
While implementing these measures, employers likely process data that could qualify as health data. Health data is considered a special category of data under the GDPR. As a general rule, processing health data is prohibited unless an exception applies, such as explicit consent.
A lot of businesses across Europe have raised questions about the permissibility of processing health data during these exceptional times. Regulators across Member States have issued a variety of guidance notes, some more restrictive than others.
Guidance from Data Protection Authorities
In its initial guidance, the Dutch Data Protection Authority (AP) provided employers with little room for manoeuvre, and went as far as to state that asking employees what countries they had visited constituted processing health data. This guidance contradicted a statement issued on 16 March 2020 by the European Data Protection Board (EDPB), which stated that the GDPR does not hinder employers from taking measures to fight the coronavirus.
On 20 March 2020, the AP issued new and more lenient guidance on the processing of health data during the coronavirus crisis. The AP announced that it will provide organisations with more freedom to process data to fight the coronavirus and more time to respond to queries, and will encourage initiatives that benefit public health. Although the GDPR does not directly provide a legal ground for processing health data, organisations will have more leeway to process such data. However, this does not mean that in times of crisis organisations should entirely ignore their compliance obligations. The AP emphasised that enforcement action will still be taken against serious privacy violations, and that the crisis should not be abused to create a “big brother society”.
The AP also urges employers to follow the advice of the Dutch local health service (GGD) and the National Institute of Public Health and Environment (RIVM), and to inform their employees of the measures recommended by the GGD and RIVM.
Unfortunately, the AP did not provide guidance on the time limits for responding to subject access requests. Many companies will have to reallocate resources, and will require more than the typical 30 days to respond to subject access requests. Hopefully, the AP will soon issue new guidance that provides more clarity on this point: for example, by providing businesses with an automatic 30-60 day extension to respond to subject access requests, which would help reduce the workload that support teams are facing.
I’m a Dutch employer, how should I handle employee health data during the corona crisis?
- You may discuss coronavirus infections with your employees, but you may not record this data for your own purposes;
- You may take precautionary measures, such as requiring employees to wash their hands and work from home;
- You may demand that your employees attend the company doctor’s consulting hours;
- If you have an employee showing symptoms of illness, you can send them home; and
- You may require employees to keep a close eye on their health, for example by requiring them to check their temperature.