Even in a crisis situation, any data controller should consider and ensure the lawfulness of the processing of personal data that it wishes to carry out.
The data controller may only process personal data based on one of the lawful grounds provided for by the General Data Protection Regulation ("GDPR" - Article 6) and, in case of sensitive data (such as health data), if it can rely on one of the exceptions to the prohibition on processing sensitive data provided for by the GDPR (Article 9).
Many data controllers, such as employers, wish to collect (e.g. by means of a questionnaire) personal data of any person accessing their premises (including employees, visitors, consultants, etc.) and, in particular, data relating to the dates and destinations of business and personal trips since the beginning of the epidemic, any symptoms possibly experienced by the persons concerned or their relatives (e.g. fever) or other health information.
On March 2, 2020, the Italian data protection authority ("Garante per la protezione dei dati personali") gave its opinion on this subject. It states that employers must refrain from carrying out systematic and generalised processing of health or private data (preventive measures against coronavirus fall within the responsibility of relevant authorities). However, Italian employees are required to report to their employers any situation of danger regarding health in the workplace. In this respect, the Italian data protection authority specifies that employers may encourage their employees to report such events by providing them with dedicated means. The Italian data protection authority also mentions the possibility that the most exposed employees consult qualified doctors on an exceptional basis.
Caution is therefore required on this subject and the systematic and generalised collection of health data by private entities open to the public (including employees) should be prohibited. This may be confusing for employers who, under Article L4121-1 of the French Labour Code, are required to take the necessary measures to ensure the safety and protect the health of workers.
However, it seems to us possible for an employer, when one of its employees is infected by the coronavirus (the French Ministry of Labour has recommended that employees inform their employers of any trips to high-risk areas), to inform the other employees of the existence of a detected case of contamination. With regard to the disclosure of the identity of the sick person to the other employees, the issue is more complex and sensitive: is the employer allowed to disclose the name of the relevant person provided that it has obtained his/her explicit consent, knowing that a consent given by an employee to his/her employer is, by definition, not “freely given”?
The French data protection authority (CNIL) is expected to publish recommendations on the subject on its website within the next few hours.
The French data protection authority (CNIL) has just published its recommendations concerning the processing of personal data in connection with the coronavirus health crisis.
The CNIL confirms that “employers should refrain from collecting information relating to the research and detection of possible symptoms experienced by an employee/agent and his/her relatives, in a systematic and generalized manner, or through individual investigations and requests”. The CNIL indicates that the employee is nevertheless required to inform his/her employer in case of a suspected contact with the virus. The CNIL also specifies that the employer may encourage its employees to provide individual feedback concerning themselves about a possible exposure to the virus, and facilitate the transmission of that feedback by establishing, if necessary, dedicated channels.
The CNIL and the Italian personal data protection authority have thus adopted similar approaches.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117 (in Italian)