Collecting health data through questionnaires

European Data Protection Authorities do not take a unified approach to questionnaires that gather health data and other information about the presence of risk factors from employees, collaborators and visitors.

While some authorities expressly prohibit such systematic and general data collection, others allow organizations to make their own assessment and to decide whether requiring staff and visitors to fill in questionnaires or to sign statements about risk factors (including symptoms) is necessary and proportionate.

EDPB

The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, adopts an open perspective, expressing the following view:

“Can an employer require visitors or employees to provide specific health information in the context of COVID-19?

The application of the principle of proportionality and data minimisation is particularly relevant here. The employer should only require health information to the extent that national law allows it.”

Ireland

The Irish DPC has analyzed this issue in great detail. The DPC says that “employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”, considering the legal obligations to ensure workplace safety. However, if organizations wish to implement these checks by means of questionnaires, the Irish authority indicates the following:

“Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.”

In addition, considering their health and safety duties, employers would also be justified in asking employees to inform them if they have a medical diagnosis of COVID-19.

Hungary

NAIH has a permissive approach to using risk factor questionnaires, with some caveats. Employers must, first of all, decide if this method is necessary and proportionate and ensure that questionnaires do not include questions relating to medical history or requirements to attach medical documents.

France, Belgium and Luxembourg

The authorities in these countries are more conservative. The CNIL states that “employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee / agent and their relatives”. The CNIL thus prohibits the collection of medical sheets or questionnaires from all employees / agents.

The Belgian APD prohibits the application of medical questionnaires, stating:

“The employer cannot compel workers to complete such questionnaires. It is recommended to encourage workers to spontaneously report risky travel or symptoms. In this case too, the role of the occupational physician must be emphasized.”

In Luxembourg, the authority also included questionnaires on the “What not to do” list. Employers should not require employees to fill in medical forms or questionnaires and should not require visitors to provide standardized statements about the absence of symptoms and travels to risk areas.

Romania

The Romanian authority (ANSPDCP) is silent on this specific matter, indicating only certain possible legal grounds and exemptions which allow the processing of health data.

What to consider

In any case, the collection of health data must be lawful under the GDPR, which means that it must fall under one of the Art. 9(2) exemptions.

If an organization decides to implement questionnaires and statements (provided that its national DPA has not explicitly prohibited them), this should be done in observance of the data protection legal framework, including the essential GDPR principles – fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.

Disclosing COVID-19 diagnosis

Companies are exploring whether they can disclose that someone has been diagnosed with COVID-19, in their efforts to protect staff and the general public. This article describes recent opinions published by EU Data Protection Authorities on the issue.

Statement of the European Data Protection Board

The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, specifically tackles the question of disclosing that an employee has been diagnosed:

“Can an employer disclose that an employee is infected with COVID-19 to his colleagues or to externals?

Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.”

What are the EU national DPAs saying?

The Irish DPC does not institute a general prohibition, but states that “any communications to staff about the possible presence of Coronavirus in the workplace should not generally identify any individual employees” and that the “identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification”. Moreover, the authority’s FAQ section provides a concrete example:

“Can an employer disclose that an employee has the virus to their colleagues?

This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID-19 in the organization and requesting them to work from home. This communication should not name the affected individual.

Disclosure of this information may be required by the public health authorities in order to carry out their functions.”

Italy’s Garante only mentions that, in the context of specific and detailed legislation passed at the national level:

“Where an employee performing duties that entail contact with the public (e.g. at a front office, at a service desk) encounters a suspected Coronavirus case in the course of their work, that employee will ensure that the competent health services are informed – including through the employer – and will follow the preventive instructions provided by the healthcare professionals consulted.”

The Hungarian Data Protection Authority (NAIH) indicated that organizations should inform employees that they must report any suspected contact with the virus, and that such information can be recorded by the employer. The NAIH also mentioned that the Police are authorised to use CCTV footage to investigate those who do not observe the legislation for preventing the spread of COVID-19.

Belgium’s APD takes a restrictive stand and states that:

“Under the principle of confidentiality (Article 5.1, f) of the GDPR) and the principle of data minimization (Article 5.1, c) of the GDPR), an employer cannot reveal the names of the persons concerned. The employer can only inform other workers of the situation without mentioning the identity of the person(s) concerned.”

The Danish DPA indicated that, within the framework of data protection law, an employer can, to a large extent, disclose non-specific information (even health information) when the necessity of the situation so requires, for example: that an employee has returned from a so-called “risk area”; that an employee is in home quarantine (without stating the reason); that an employee is ill (without stating the reason). The authority recognised that in some situations (e.g. to allow management and colleagues to take precautions) it might become necessary to disclose that an employee has been diagnosed with the Coronavirus. Even where information is disclosed, it should be factual and kept to the minimum necessary (including by avoiding naming the infected person).

The DPA from Luxembourg does not institute a strict prohibition, but it does state that “The identity of the data subjects can therefore not be disclosed to third parties or the data subjects’ colleagues without clear justification.”

The UK’s ICO expressly answered that an organization can tell its staff that a colleague may have potentially contracted COVID-19, but it should assess whether it needs to name individuals and should not provide more information than necessary.

Lastly, none of these DPAs sees any impediment to reporting cases to health authorities or other public bodies which have the legal competence to manage the epidemic.

Romanian DPA’s point of view

The Romanian DPA issued a press statement about the legal conditions of processing data in the current health crisis. The authority expressly stated the following:

“As regards the disclosure in the public sphere of the name and health status of a physical person, we underline that the processing (the disclosure) of such data can only be done based on the consent of the concerned person.”

This specific point of view is welcome; however, it does raise questions about the applicability of the other exemptions allowed by Art. 9(2) of the GDPR. Moreover, this opinion should not prejudice journalistic activities which fall under the journalistic exemption provided by the Romanian GDPR Application Law (no. 190/2018), as long as these activities observe human rights privacy standards and ethical guidelines.

Legal basis for processing health data

Because health data represents a special category of data, the GDPR allows processing only in exceptional situations indicated in Art. 9(2).

In the context of measures aimed at containing the spread of COVID-19, organizations are asking which is the correct legal basis (i.e. which Art. 9(2) exemption) that would allow them to collect data about the health situation of employees. This article sums up certain opinions published by Data Protection Authorities from the EU on this issue.

Processing necessary for complying with employment law

GDPR Art. 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Several EU authorities have validated Art. 9(2)(b) as a basis for employers who need to process health information about their employees and people who visit their premises, as long as there are obligations in the employment and occupational safety laws which apply to the organisation. See, for example, the opinions from Ireland, Spain and Hungary.

For instance, national employment or occupational safety law might provide that the employer has an obligation to protect employees from health risks. Some laws also set out the obligations of employees to report any health risk factors identified at the workplace and to protect their colleagues (for example, to report immediately if they believe that certain COVID-19 risk factors apply to them).

Even if this provision is invoked for processing health data for managing COVID-19 risks at the workplace, the processing activities must be accompanied by the implementation of all other GDPR principles – fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.

Depending on the case, there might be other Art. 9(2) exemptions applicable.

GDPR Art. 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

This basis applies, for example, when an occupational health physician assesses the health condition of employees. However, it is important to point out that relying on this exemption to process health data must be accompanied by suitable safeguards applied to the data processing – e.g. security measures, restricted access, strict retention periods and staff training.

GDPR Art. 9(2)(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

GDPR Art. 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

GDPR Art. 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

The Irish DPC indicated that Art. 9(2)(i) might be applicable where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities. The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, validates the possibility of relying on Art. 9(2)(c) and 9(2)(i).

Although some might be quick to rely on the provision in letter (c), please note that the exemption only applies when the data subject is physically or legally incapable of giving consent.

Could explicit consent be relied on?

GDPR Art. 9(2)(a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Although, theoretically, obtaining the explicit consent of the data subject allows the processing of health data, remember that in the context of employment consent is rarely an appropriate basis for data processing: given the imbalance of power between employer and employee, consent will seldom be considered freely given.

Data Protection Newsletter – no.2/2020 February

This month in data protection news: ● See guidance from EU data protection authorities on how to process personal data in the context of COVID-19 ● Read about recent GDPR sanctions, including in the field of telecoms ● Find out about the recent guidelines from data protection authorities ● More GDPR news and further reading.