Exiting lockdown | How to remain privacy-compliant when carrying out medical monitoring and testing

Written on 16 Jun 2020

Medical monitoring and testing plays a vital role in combatting Covid-19, but it is important to remain compliant with privacy regulation and understand the local variations across Europe.

As lockdowns ease across Europe and people return to offices, shops and restaurants, businesses need to ensure they are complying with laws and government guidelines on operating in a Covid-19 world. One of the most pressing considerations for most businesses will be the extent to which they undertake any medical monitoring and testing of employees, visitors, customers and other people entering their premises.

Medical monitoring and testing raises a number of legal issues, particularly in the field of employment and privacy. In this guide, we focus exclusively on the complex privacy issues which arise in relation to medical monitoring and testing and how those vary from one country to another (even within Europe).

The two fundamental questions businesses need to ask themselves when considering medical monitoring and testing are: what exactly do you want to do, and where do you want to do it?

What do you want to do?

In the last few weeks, we have seen a whole host of measures being discussed by businesses. These range from the not-at-all privacy intrusive (because no personal data is processed) to the significantly more privacy intrusive (though still potentially compliant, in certain circumstances). These include:

  • Policies requiring staff to not come into the office if they have any symptoms of Covid-19, or have come into close contact with someone who has.
  • Taking the temperature of personnel (and others) entering premises, using a handheld device.
  • Referring personnel for viral and/or antibody testing, either by the employer itself or a third party medical provider.
  • Daily screening questionnaires or statements completed by staff to confirm that they do not have symptoms of Covid-19, and have not come into close contact with someone who has.
  • Installing a thermal imaging device at the entrance to premises and recording and storing the body temperature of every individual who walks past it.

There is no one-size-fits-all solution; what is appropriate for one business won't necessarily be appropriate (or compliant) for another. Whether or not a particular measure is low, medium or high risk from a privacy perspective will depend on:

  • The particular circumstances in which it is used (for example, whether the premises it is used on are private or public; whether it is used in all business premises or only in those where social distancing is more difficult because of the nature of the work being undertaken).
  • Who is going to be monitored or tested (for example, employees, other personnel or customers).
  • What personal data is processed in relation to those individuals, by whom and how.
  • The country in which the measure is intended to be used.

It is not possible to say, absolutely, that a certain measure will always be compliant (or will always be non-compliant) from a privacy perspective – the context and detail of a measure really is important to the analysis. For example, are the results of temperature checks recorded and retained, or simply used to identify people with high temperatures, without being recorded? Is an antibody test administered by a third party medical provider or the company nurse? Will the business obtain the results of all such tests, or only in certain circumstances? When completing the questionnaire, is an employee also providing information about the health of another family member or flatmate?

Where do you want to do it?

Even though data protection and privacy laws are largely harmonised across the UK and the EU in the form of the General Data Protection Regulation (GDPR), there is still some variation across individual Member States (and the national regulators enforcing the rules), particularly when it comes to the processing of special category data (such as health-related data).

The extent of that differentiation between EU Member States has become abundantly clear in the context of workplace testing. On the matter of testing employees in particular, two approaches are emerging:

  • Regulators in the UK and, perhaps surprisingly, Spain and Germany appear to be erring on the more business-friendly side, which is to indicate that employee testing may well be lawful – depending on the specifics of the measure being adopted, of course.
  • The approach taken by regulators is more restrictive in Belgium, France, Italy and the Netherlands. By way of example, in the Netherlands, the regulator has opined that where testing for Covid-19 purposes involves the processing of health data (which will likely be the case), such testing is effectively prohibited.

For international businesses wanting to take a single approach across all of the countries in which they operate, this poses quite a challenge and some local variations in approach may instead be needed.

The privacy principles to bear in mind

Having identified the measures you'd like to take and in which countries, you need to consider:

  • The extent to which those measures involve the processing of personal data (including special category data).
  • Whether you can achieve the same purpose by processing less personal data (particularly, less special category data); for example, by adjusting the settings on a thermal imaging device so that body temperatures are only shown, and recorded, if they exceed a specified threshold.
  • The legal basis you are relying on to be able to process personal data in this way, and, in relation to special category data, which condition you can satisfy (under Article 9 of the GDPR and under local privacy laws). Necessity and proportionality are central to the application of all of the relevant lawful bases and conditions.
  • Whether you are required to carry out a data protection impact assessment. Even if not mandatory in some circumstances, it is best practice to do so and will help with working through the issues and ways of mitigating risks.
  • Whether you need to update your existing privacy notices or create bespoke notices, or find other, more creative ways of informing people about the monitoring / testing.
  • Where and for how long you are going to be processing personal data for this purpose.
  • Whether personal data will be shared with any third parties (for example, any third parties providing testing facilities).
  • The individual's rights in relation to your processing of personal data in this way. In particular, if you rely on legitimate interests as your legal basis (and you are permitted to do so in the relevant jurisdiction), how will you deal with an individual exercising their right to object?

What should you do next?

  • If you haven't already, consider the extent to which you, as a business, want to undertake medical monitoring or testing as people return to your premises (whether as employees or visitors).
  • Think about what measures, specifically, you would like to take and where.
  • Comprehensively assess those measures from a privacy perspective, and take specialist advice where needed.
  • Maintain an open dialogue with your employees, employee forums and works councils where possible (in some countries and in some circumstances, consultation will be mandatory).
  • Implement the practical steps required to be able to adopt those measures in a way that complies with applicable privacy laws. For example, consider drafting specific notices or creating graphics and videos explaining what you are doing and why, and putting compliant contracts in place with any third parties involved in implementing those measures.

Last, but by no means least, keep any measures under regular review. Pre-Covid-19, the kind of medical monitoring and testing that most businesses are now considering would have been unheard of, and almost certainly not compliant with the GDPR (except in limited circumstances).

However, the landscape and guidelines have changed, and continue to change on a monthly, if not weekly, basis. As such, measures which may be considered to be appropriate now may no longer be appropriate in a few weeks or months; equally, measures which we consider to be unacceptably privacy-intrusive now may become far more common-place over the next few months.

If you'd like to discuss any of the issues raised in this guide in more detail, please get in touch with one of our experts or your usual Osborne Clarke contact.