COVID-19 and health data protection

Frédéric Sardain, Claire Allavena

1. THE EMPLOYER MAY NOT, IN PRINCIPLE, COLLECT HEALTH DATA RELATING TO COVID-19

In principle, the employer may not take measures likely to infringe on the privacy of its employees, in particular by collecting health data or information relating to the search for possible symptoms (art. 9 of the GDPR and art. 6 of the Data Protection Act).

In this regard, the National Commission for Data Protection and Liberties (CNIL-France) has just specified, in its recommendations on Covid-19 published on March 6, 2020, that it is impossible for the employer to implement, for example:

  • body temperature readings of its employees;
  • the collection of medical information via forms or questionnaires.

These bans also apply to visitors.

2. THE COLLECTION OF HEALTH DATA BY THE EMPLOYER REMAINS HOWEVER POSSIBLE IN THE FOLLOWING CASES

     a) When the data are voluntarily provided by the employee

As the person responsible for the health and safety of its employees (art. L. 4121-1 of the Labour Code), the employer may raise awareness among its employees and invite them to communicate, if necessary via dedicated communication channels, personal information related to possible exposure to Covid-19. In this case, it is recommended that the employer collect the express consent of the employee, in order to legitimize the collection of his health data (art. 9.2 (a) of the GDPR).

In any event, insofar as it is the employee’s responsibility to safeguard the health and safety of others and of himself in the workplace (art. L. 4122-1 of the Labour Code), the employee is required to inform his employer spontaneously in the event of suspicion of contact with Covid-19.

The processing of this information must then be limited to the sole management of suspected exposure to the virus.

     b) When collection is requested by the health authorities

If health authorities were to request the collection of employees’ health data from employers, the latter could then base the lawfulness of their collection on “processing necessary on grounds of public interest in the field of public health, such as protection against serious cross-border threats to health” (cf. art. 9.2 (i) of the GDPR and its recitals 46 and 52).

3. RECOMMENDATIONS

In the event of a report of possible exposure to Covid-19 by an employee, the employer is advised:

  • to record (1.) the data provided by the employee (such as the date of exposure to Covid-19 or the identity of the person suspected of having been exposed) as well as (2.) the organisational measures taken (e.g. containment, teleworking, contact with occupational medicine specialist);
  • to store such data for a period not exceeding the duration of the purpose for which they are processed (Article 5 of the GDPR);
  • to amend the Employee Privacy Policy accordingly;
  • to take this processing into account in the register of processing activities;
  • to adopt all measures to ensure appropriate security of such health data.