Author

Laura Huck

Associate


2 April 2020

COVID-19 – Data protection: practical implementation guide

The current coronavirus health crisis forces employers to conduct new data processing activities in order to limit the spread of the virus. These processing activities can involve various types of personal data, including health data.

Even in such an unusual context, the employer, acting as data controller, must continue to ensure the protection of its employees’ personal data and comply with the principles laid down by the GDPR and the French Data Protection Act. However, these legislations contemplate such circumstances, thus enabling employers to find the right balance between public health protection and the right to privacy.

Step-by-step guide to conducting a COVID-19 data processing activity

Only collect strictly necessary information

In accordance with the principle of data minimisation, personal data collected by employers should be limited to what is necessary in relation to the purposes for which they are processed. It is recommended to ask employees to disclose adequate information on a voluntary basis, while insisting on the rationale behind such information request i.e. the protection of employees’ health.

In addition, data collected and processed as part of these processing activities shall be kept for no longer than is necessary for the purposes for which they are processed.

Ensure that the data processing activities are described in the privacy policy provided to data subjects and, if necessary, update such privacy policy or supplement it with an additional information notice

Data subjects should be provided with exhaustive, specific and transparent information regarding the data processing activities concerning them and their main characteristics, in order to be able to understand how their personal data are processed.

When the employer wishes to conduct coronavirus-related data processing activities and when such activities are not already described in a privacy policy or other information notice, it will be necessary to draft an additional information notice dedicated to these new processing activities and/or update the existing privacy policy accordingly and ensure that the relevant document is provided to data subjects.

Ensure the lawfulness of the processing

Any processing activity must be based on one of the legal bases listed in article 6 GDPR.

In this respect, if a processing activity can be lawfully based on the data subject’s consent, it must be noted that such consent will only be valid if the data subject has been provided with an actual choice, which – according to the EDPB – is not the case in an employer-employee relationship, due to the employee being answerable to the employer.

In addition, use of the controller’s legitimate interest as a legal basis for a processing can only be envisaged when no other article 6 GDPR legal basis is relevant and subject to a balancing test between the employer’s legitimate interest, on the one hand, and the rights and freedoms of data subjects, on the other hand.

Finally, in addition to having a valid legal basis, any data processing involving sensitive data (such as health data) must fall within one of the exceptions of article 9 GDPR.

Possible legal bases and article 9 exceptions are further analysed in the next section.

Carry out a data protection impact assessment, where necessary

A data protection impact assessment (DPIA) is required when the processing is likely to result in a high risk to the rights and freedoms of data subjects. Whether such a risk exists can be determined in two ways:

  • Either the envisaged data processing is one of the processing activities which the CNIL has expressly identified as always requiring a DPIA[1]. In this respect, it must be noted that this list provides that “processing activities for the purposes of managing social and health alerts and reports” always require a DPIA, which could be relevant in the context of the management of the coronavirus pandemic.
  • Alternatively, the data processing falls within at least two of the nine criteria identified by the EDPB in its DPIA guidelines[2]. These criteria include processing of sensitive data or data of a highly personal nature, such as health data, and processing of data concerning vulnerable data subjects, such as employees. In this context, a DPIA should always be carried out before any processing of employees’ health data.


Record the processing activity into the company’s records of processing activities

Like any other processing activity conducted by the employer, new coronavirus-related data processing activities, as well as their characteristics, should be recorded in the company’s records of processing activities.

COVID-19 data processing activities which can be conducted by employers

On 6 March 2020, the CNIL published a note describing the measures an employer can or cannot take in the context of a public health crisis, when such measures are likely to result in the processing of employees’ personal data.

Hazard prevention and protection of employees in the workplace

The employer is responsible for the health and safety of its employees and, in this respect, must implement occupational risk prevention actions, information and training actions, as well as appropriate organisations and means.

The CNIL more specifically indicates that the employer can:

  • raise awareness and invite its employees to individually provide information regarding a potential exposure to the virus, whether directly to the employer or to appropriate public health authorities, and
  • facilitate the transmission of information by setting up dedicated channels, where necessary.

However, only information which is strictly necessary for the protection of employees in the workplace should be provided to the employer, in particular the following: whether the employee has recently visited a region considered to pose a risk, been in contact with an infected person, suffers from symptoms of the virus or has been tested positive for the virus.

When such information is reported to it, the employer can keep the following information:

  • date of the report and identity of the person suspected of having been exposed to the virus
  • type of organisational measures put in place (quarantine, home office, referral to the occupational health medical practitioner, etc.).

Possible exception allowing for the processing of sensitive data: The processing of sensitive data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (article 9 (2) (b) GDPR) – i.e. the safety obligation provided for in the French labour code and legislation applicable to civil servants, to which employers are subject.

Possible legal basis: The data processing is necessary for compliance with a legal obligation to which the controller is subject (article 6 (1) (c) GDPR) – i.e. the safety obligation provided for in the French labour code (more specifically article L. 4121-1) and legislation applicable to civil servants, to which employers are subject.

Management of requests for medical examination and work absence

Both employee and employer can require a medical examination by the occupational health medical practitioner. In the context of a public health crisis, the CNIL points out that the employer can encourage going to the occupational health medical practitioner.

Possible exception allowing for the processing of sensitive data: The processing of sensitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee (article 9 (2) (h) GDPR), and the processing of sensitive data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (article 9 (2) (b) GDPR) – i.e. the safety obligation provided for in the French labour code and legislation applicable to civil servants, to which employers are subject.

Possible legal basis: The data processing is necessary for compliance with a legal obligation to which the controller is subject (article 6 (1) (c) GDPR) – i.e. the safety obligation provided for in the French labour code (more specifically article L. 4121-1) and legislation applicable to civil servants, to which employers are subject.

Reporting to public health authorities

The CNIL specifies that, if public health authorities so require, the employer can provide them with information regarding the nature of an employee’s exposure to the virus, when such information is necessary to determine potential sanitary or medical measures.

Our understanding is that such a data processing activity would constitute a sub-purpose of the processing activity n°1 “Hazard prevention and protection of employees in the workplace” and should therefore be referenced in the information notice describing such new data processing activities.

The same article 9 exception and legal basis as those indicated above could therefore apply to this sub-purpose, considering that the employer is also complying with the safety obligation it is subject to.

Implementing a business continuity plan

Companies and public entities can decide to implement a business continuity plan in order to maintain activities which are essential to the organisation. This plan must include measures to protect employees’ safety, identify essential activities of the company which should be maintained, as well as the persons necessary for business continuity.

Possible exception allowing for the processing of sensitive data: Implementing a business continuity plan does not appear to require the processing of sensitive data, so that it is not necessary to determine which article 9 exception could apply.

Possible legal basis: The legal basis will depend on the nature and activity of the entity acting as data controller:

  • When the controller is under an obligation to implement a business continuity plan, the data processing can be based on compliance with a legal obligation to which the controller is subject (article 6 (1) (c) GDPR).
  • When the controller is not under an obligation to implement a business continuity plan, the data processing activity can be based on the controller’s legitimate interest to ensure the continuity of its activities in the context of a public health crisis (article 6 (1) (f) GDPR).

It must be noted that in order to complete their records of processing activities, data controllers can refer to the CNIL’s former declaration exemption for data processing activities carried out as part of business continuity plans put in place in the context of a flu pandemic[3].

COVID-19 data processing activities which cannot be conducted by employers

Systematic and generalised collection of information relating to the search for possible symptoms

The CNIL specifies in its guidelines that employers cannot take measures likely to violate data subjects’ right to privacy, including by collecting health data beyond the management of suspicions of exposure to the virus.

Employers must therefore refrain from collecting in a systematic or generalised manner or through inquiries and individual requests information relating to the search for possible symptoms from which an employee/agent or one of their relatives could suffer.

It is therefore not possible, for instance, to:

  • put in place compulsory body temperature scans for every employee/agent/visitor to be reported daily to management, or
  • collect medical notes or questionnaires from all employees, agents or visitors.

Disclosing the identity of an employee tested positive for coronavirus to other employees

The employer cannot disclose the identity of an employee tested positive for coronavirus to their colleagues or to the rest of the company as this would amount to disclosing sensitive data.

In addition, the disclosure of the infected person’s identity is generally not necessary, since the employer can take appropriate measures to isolate persons at high risk of contamination without having to reveal the infected employee’s identity.

However, in some limited cases, including for reasons relating to the nature of the work or the employer’s incapacity to evaluate whether a high risk of contamination exists, confirmation of the infected person’s identity could be justified due to the high risk of further contamination. In this case, the disclosure would take place as part of the processing activities relating to hazard prevention and protection of employees in the workplace.

[1] https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-requise.pdf (available in French only)

[2] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236

[3] https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000021091156&fastReqId=166426898&fastPos=1 (available in French only)
