Even before the coronavirus hit, it was difficult for employers to navigate between their obligation to ensure a safe workplace and the obligation to protect the privacy of employees. Privacy legislation in the Netherlands and the privacy watchdog Dutch Data Protection Authority (AP) are very strict when it comes to processing employee health information.
With the advent of coronavirus and measures to be taken according to the government and the National Institute for Public Health and the Environment (RIVM), employers are facing new legal dilemmas. We hear questions such as: Can I take people’s temperatures on entry? Can I pass on the name of an employee infected with coronavirus to his or her colleagues? Below are answers to the most common questions.
Processing employee health data: A recap of the dos and don’ts
Employers are not allowed to process, store, or transfer data that relates to the health of an employee. This is not allowed even if the employee voluntarily provides this information to the employer. In the Netherlands, only a company doctor is entitled to process employee health data, in order to fulfil any legal requirements.
There are exceptions to the general processing limitations, such as when permission has been granted by the employee or when there is a legal obligation. Normally this does not help an employer, because an employer would have no legal reason to process health data, and because an employee’s ‘consent’ in an employment relationship has no valid basis. That is, because an employee is always in a relationship of dependence upon his or her employer, permission cannot be given ‘freely,’ and this a requirement. Therefore, it is not permitted.
Does coronavirus alter these facts?
The current question among many is whether preventing the further spread of coronavirus, thus protecting employees, can be regarded as an exceptional situation, and whether the importance of combatting coronavirus can override privacy obligations. After all, employers have an obligation to ensure a safe and healthy workplace.
Let’s review the relevant grounds for processing employee health data.
Is consent by the employee valid during the coronavirus crisis?
In our opinion, even in the coronavirus situation, an employee’s consent to allow processing of health data (for example, data showing that the employee has a fever, has tested positive for coronavirus, or belongs to a vulnerable group) is not valid. In the present circumstances, an employee will likely feel obliged to agree to the processing of health information to prevent colleagues from getting infected. In this situation, permission cannot be given ‘freely’.
Is combatting epidemics an exception to the processing ban?
The EDPB (the European advisory body to the GDPR) published a statement on 16 March 2020 that specifically deals with the coronavirus. It emphasizes that the GDPR does not hinder measures in the fight against coronavirus because the GDPR provides a legal basis for processing personal data in the context of epidemics without permission being required. This applies, for example, to the processing of personal data when it is necessary for reasons of public health or to protect vital interests.
In the Netherlands, however, these exceptions do not legally benefit us, since they are not included in our GDPR Implementation Act. The protection of vital interests has been included in the Netherlands, but this exception only applies if the employee is physically or legally unable to give permission. This might occur in the case of an incapacitating illness. Therefore, these exceptions are of little use to an employer in the present situation.
What is possible?
In exceptional cases, employers might choose to invoke the general exceptions from the GDPR (to protect the public interest) even though this is, strictly speaking, not legally allowed in the Netherlands. It is possible an employer will be forced to make a choice between combatting coronavirus and protecting the health of employees (which is also a legal obligation) or protecting the privacy of certain employees. Violation of either obligation entails labour law risks such as damage claims by employees, sanctions from the Labour Inspectorate, or fines from the AP. However, in some cases it will not be possible for employers to be completely compliant during the coronavirus situation. If an employer still decides to process personal data concerning the health of employees in connection with coronavirus, they should at least observe the following principles:
Should the AP decide to pursue privacy violations related to coronavirus, by following these principles employers should be able to show that they have done their utmost to limit any privacy violations. And the AP on its website seems to offer some leeway for a relaxation of the rules, albeit without much detail.
We have an employee infected with coronavirus. How do we inform colleagues?
As stated, processing the fact that an employee is infected with coronavirus is, in principle, not permitted. Both registering this information and distributing it to colleagues is a form of processing. However, colleagues have a considerable interest in knowing whether they have possibly been in contact with someone who has (apparently) been infected.
You can inform colleagues about the fact that an employee has coronavirus, as long as it is impossible to identify who that employee is. If this is possible (as with large companies or departments), we recommend sharing the information anonymously. And if, as with a smaller company, it is not possible to provide anonymity, then strictly observe the above three principles. Incidentally, an employee is allowed to inform his or her colleagues of a confirmed infection or potential risk (for example, if the employee’s spouse works with coronavirus patients).
May an employer take an employee’s temperature?
No. An employee’s body temperature constitutes health data, so processing it is prohibited. The AP has confirmed that even in case of coronavirus, employers are not allowed to take the temperatures of employees.
This is different for non-employees who wish access to the business premises; an employer can ask a non-employee for permission. In that case, it is important to immediately delete the information obtained.
Employees could be asked to monitor their own temperatures – for example, if this is done by a third party who is medically authorized to do so and who is limited to reading the temperature without storing information, or by means of a temperature scanner where no physical contact takes place. In that case, one could take the position that no personal data is processed.
May an employer ask an employee to check his or her own health?
On 20 March, the AP confirmed that an employer may request that employees closely monitor their own health during the coronavirus situation, especially if the employee cannot work from home and is present on the shop floor. An employee can, in that case, take his or her own temperature. Employers can also ask employees to contact a company doctor, health services, or a general practitioner for a check-up.
If a doctor suspects that an employee has contracted coronavirus, the doctor will immediately contact the regional GGD. In consultation with the employer, the GGD can implement containment measures for the workplace.
May employers send sick employees home?
Under normal circumstances, an employer is not allowed to ask about an employee’s health, so could not subsequently send the employee home. Given the present extraordinary circumstances, however, it is permitted to send an employee home if an employee is showing signs of illness. This is in line with the advice issued by the AP.
May employers ask employees about their holiday destinations?
Given the current leniency in connection to questions about an employee’s heath, we expect that it will be permissible to ask where an employee has been on vacation. The employer must ensure a safe and healthy working environment; if an employee has been in an area severely affected by coronavirus, the employer will want to prevent this employee from possibly infecting colleagues. Therefore, the employer’s duty of care should prevail. We also recommend that employers follow the guidelines of the RIVM to instruct employees showing symptoms within a two-week period after a vacation, to contact a doctor.
What health data should employers register when an employee becomes ill?
In principle, it is not permitted to process an employee’s medical data. The only data that can normally be recorded in the case of a sick employee is:
In the current pandemic situation, both the employer’s duty of care and the employee’s privacy are important. After all, the employer has a considerable interest in preventing the spread of coronavirus among employees. This situation is so dire and exceptional that the employer’s obligation to ensure a safe and healthy work environment should prevail.
Therefore, should health data be processed, always ensure any data is processed according to the principles mentioned above. Make every reasonable effort not to share the name of the coronavirus-infected employee, handle personal information with highest level of care, and remove all data immediately after the illness has ended.