In these unprecedented times, COVID-19 has forced organisations to quickly put in place measures that seek to ensure both business continuity and the protection of employees. In many instances, this has involved increased processing of health data, in ways that were not envisaged a short time ago. This increase, combined with the timeframes involved in processing health data, and the speed at which government advice and directions are changing, has presented a number of challenges. Even if data protection regulators are recognising these challenges, it is important to remember that a global pandemic is not a general waiver for privacy compliance.
Potential individual measures to stop or prevent the spread of COVID-19 within the company
The question of how the spread within a company can be stopped or prevented is highly relevant for employers. From our experience, many employers have been asking employees to fill out questionnaires on whether they have travelled to a designated high-risk area, whether they are experiencing any symptoms associated with COVID-19 and/or have had any contact with persons who have or had contracted the virus. However, some employers have introduced stricter measures such as scanning body temperatures prior to entering the workplace or other medical measures such as assessing the state of health of individuals and whether, for example, they have been showing signs of sweating or coughing.
The data protection authorities of the states of Rhineland-Palatinate and Saxony published statements on their websites stating that requiring employees to fill out a health questionnaire, to report information about their health (with the exception of information on any recent holidays to risk zones and any contact with suspected persons) and requiring employees to undergo a medical examination such as measuring body temperatures are not justified according to German data protection law. However, other authorities seem to have taken a different view. For example, the Federal Commissioner for Data Protection and Freedom of Information has published a statement that it is permissible to query the health status of all employees in order to ensure the safety of their own employees and prevent the spread of the virus (the statement is available here). According to statements of the data protection authorities of the states of Hamburg and North Rhine-Westphalia, measuring the temperature of employees prior to entering the premises can be justified on a case-by-case basis. The authority of the state of North Rhine-Westphalia recommends reaching a desired solution having considered the views of the employees, the works council and the data protection officer. Entering into a works council agreement as a legal basis for processing of employees’ data should in our view help employers to reduce the risk of potential non-compliance with data protection law.
Please note that all other relevant principles and obligations of the General Data Protection Regulation will need to be kept in mind and complied with when implementing new measures – for example, the data minimisation principle, the information obligation under Article 13, the requirement to document processing activities under Article 30 and to put in place appropriate retention periods.
Key steps when allowing employees to work from home
Employers across the globe are also asking employees to work from home. We have set out five key steps employers should consider when doing so, from a data protection perspective:
implement or ensure that company policies on working from home are up to date. This can include ensuring that there are restrictions on access rights, informing employees to lock devices when unattended, making sure any phone calls or online meetings are carried out somewhere where they cannot be overheard (particularly if what is being discussed is confidential or sensitive information), and ensuring employees know not to forward emails to private addresses and to destroy any hard copies when back in the office;
necessary IT security measures must be in place, e.g. the system must be kept up to date, all devices should have virus and firewall protection, and there should be contact persons in case of any technical problems;
remind employees to be alert to security issues (e.g. phishing emails);
consider ad-hoc training for those employees who typically do not work from home; and
remind employees that existing rules on the prohibition of private use of the IT and the email system remain in place.
In this context, the Federal Office for Information Security provides a four-page leaflet that employers can share with their employees. The leaflet is available here.
© Herbert Smith Freehills 2021