As the coronavirus pandemic has spread throughout Europe, data protection authorities (DPAs) have faced questions about how far employers and other organizations—including schools, apartment blocks, and shopping centers—can go in terms of asking people personal and medical-related information to protect the rest of the public at large.
And despite the fact the European Union has one single, overarching piece of stringent data privacy legislation—the General Data Protection Regulation (GDPR)—several of the 28 EU member states have taken views that are not wholly consistent with the rest of the pack.
While all DPAs agree that only “essential” information should be collected and shared, there appear to have been varying levels of tolerance as to what “essential” might cover.
DPAs in France and Italy, for example, made clear signals very early on that employers should not actively collect information about their employees’ state of health or ask questions about where they had traveled to, or the health and wellbeing of their family and friends.
Other DPAs, such as those in Denmark and Ireland, said that while sensitive personal data could legally be collected and disclosed under the GDPR, they also stressed the importance of assessing whether such processing is legitimate and limited to what is necessary. The U.K.’s Information Commissioner’s Office, meanwhile, said data protection didn’t prohibit employers from asking questions, or from notifying colleagues, but warned that organizations shouldn’t ask for more information than necessary and reminded them to apply typically “appropriate safeguards.”
Lawyers have said the lack of consistency might have led to greater confusion among companies about how they could legitimately ask employees and third parties pertinent health-related questions without breaching the GDPR and other privacy legislation.
As a result, the European Data Protection Board (EDPB), the body that ensures privacy legislation is applied evenly across the European Union, released a statement Friday to clarify how personal data could be processed by companies during the ongoing global emergency.
First of all, says the EDPB, the GDPR allows “competent public health authorities and employers” to process personal data in the context of an epidemic, so “there is no need to rely on consent of individuals.” Where employers may have a legal duty to report health concerns to a public health authority, companies would not be bound by the GDPR when they need to pass on relevant or requested information.
However, the EDPB makes it clear the type of information being sought needs to be “explicit” and specific rather than general, and that employers cannot make undue demands. For example, companies that want to ask employees and visitors questions about whether they pose a risk to others can do so, but they should only require health information “to the extent that national law allows it.” The same goes for performing medical check-ups on workers—if national law permits it, employers are free to try it out.
Additionally, says the EDPB, employers should inform staff that colleagues may be infected, but they should only reveal their names if national law allows it; if they can justify that such a step is necessary; and only after the affected workers have been informed/consulted beforehand.
Some may feel the EDPB has been slow to react, and its guidance may still leave some organizations and compliance officers scratching their heads about what the limits of questioning workers over their health might be—as well as what the legal repercussions could be if they overstep the mark.
Others may feel the EDPB’s statement may be moot anyway. In many EU countries, companies are already laying workers off in droves or asking them to take unpaid leave for up to three months, so there is no need for them to worry about asking health-related questions anymore.
Confusion around GDPR during coronavirus prompts EDPB response