Employers can carry out temperature screenings of employees and conduct health surveys regarding their most recent instances of “close contact” as preventive measures against the COVID-19 outbreak. Such measures entail the processing of personal data and are therefore subject to data protection regulation. The recent health and safety protocol executed by the Italian government and the main trade unions and business associations provides useful guidelines in this respect.
To combat the COVID-19 outbreak, among other urgent measures designed to contain the risks of contagion, the Decree of the Ministries’ Council of March 11, 2020 (the “11 March Decree”) delegated to employers the task of establishing appropriate health and safety plans for personnel who are still working in factories and offices (and cannot work from home due to the specific nature of their work duties).
This type of health and safety plan may include temperature screening of employees and surveys on their most recent “close contact” in risky zones and any potential COVID-19 symptoms.
Such measures entail processing a large amount of personal data, including health data belonging to special categories of personal data, and consequently shall be carried out in compliance with the data protection regulation (i.e., GDPR, national implementing law, and any other local requirements).
How to lawfully carry out temperature screening and surveys
The “privacy emergency” potentially triggered by autonomous “off-hand” initiatives had already pushed the Italian Data Protection Authority to publish a general statement on March 2, 2020 (therefore before the 11 March Decree), in which it invited employers to refrain from collecting information on the health and travel of their employees through impromptu initiatives not authorized by law.
Pursuant to the 11 March Decree, the Italian government and the main trade unions and business associations signed a protocol containing provisions to ensure workers’ health and safety during the COVID-19 emergency (the “H&S Protocol”). It identified temperature screenings and surveys, among others, as preventive measures.
The H&S Protocol provides useful guidelines to be considered when processing the personal data of employees during the COVID-19 emergency.
Which personal data to process
In compliance with the data minimization principle, employers shall process only adequate and relevant data limited to what is necessary in relation to the purpose of preventing COVID-19 infection.
This means that employers shall be allowed to record employees’ temperatures when those temperatures exceed the critical temperature threshold (also in order to document reasons why an employee was not allowed to enter the workplace). They shall not register the personal data of employees whose temperatures are not critical.
As to the surveys, employers shall only collect information about the most recent “close contact” with COVID-19 infected persons or travel to risky areas without requesting additional information about the infected persons (their names) or other information about the contact (location and/or type of contact).
How to process health data
Employers shall either involve an H&S physician (known as the medico competente) or appoint a service provider to carry out temperature screenings and surveys on the health status of workers (e.g., symptoms).
Employers are not allowed to directly process information on symptoms and pathologies of their employees: as with any other illness, they shall receive only medical certificates reporting the length of any sick leave periods.
Purposes and legal bases
The purpose of the processing is the prevention of COVID-19 contagion and the relevant legal basis is the implementation of the health and safety protocols pursuant to Article 1(7)(d) of the 11 March Decree.
Indeed, employers shall rely on legal grounds for fulfillment of legal obligations under Articles 6(1)(c) and 9(2)(b) GDPR, to the extent that the relevant data processing is part of a coordinated and broader health and safety plan that shall be drafted in compliance with the law.
Such grounds also represent feasible options in light of the general contractual obligation of employers to preserve the psychological and physical wellbeing of employees under Article 2087 of the Italian Civil Code and Legislative Decree No. 81 of 2008. The latter identifies biological risk—which includes viruses, contagion, and epidemics—among the potential health and safety risks to be mitigated under a risk assessment strategy, in turn duly reported in the risk assessment document (known as the Documento di Valutazione dei Rischi).
Communication of data and anonymity of (potentially) sick employees
Data controllers shall ensure the anonymity and the personal dignity of (potentially) infected employees, regardless of the place where infection may have occurred.
Personal data shall not be disseminated or communicated to third parties, unless required by law or public orders (e.g., a request from the Health Authority to reconstruct the “close contact” of employees who test positive for COVID-19).
According to the H&S Protocol, employers shall not store (nor even collect) the personal data of employees that does not indicate critical information with regard to the COVID-19 outbreak (e.g., temperature is below 37.5°C and surveys do not report information that needs to be investigated further).
All other personal data shall be stored until the end of the state of emergency (currently scheduled for July 31, 2020, but that term may be extended).
However, it is advisable to delete the personal data of potentially infected people once they do not test positive for COVID-19 (e.g., fever was not due to COVID-19, or they have not been infected though they have encountered people who tested positive).
Data protection fulfillments
Employers shall notify employees of all the mandatory information on data processing under Article 13 GDPR; they may do so orally and may omit information already known to the employees.
They shall execute service contracts with the companies providing temperature screening and survey services, as well as data processing agreements under Article 28(3) GDPR.
Lastly, a data protection impact assessment may be relevant, considering the new technologies used in data processing operations and taking into account the nature of the processed personal data and the type of data subjects involved.
Employers must do their best to preserve the wellbeing of employees: as part of a coordinated health and safety strategy, they shall duly handle all relevant data processing, appointing the involved service provider as data processor and fulfilling all relevant data protection obligations.