In the light of COVID-19, what should employers consider in relation to the GDPR?
Information, which reveals that an employee has been infected with the coronavirus, is personal data related to health. As such, it belongs to a special category of personal data that must be handled with specific care under the GDPR.
As a main rule, processing of personal data related to health is prohibited, but there are exceptions in relation to employee data. This exception means that an employer can process health data to the extent required to fulfill its obligations under applicable employment law. Thus, an employer can process information about a corona-infected person to e.g. administer sick leave and fulfill other obligations in the same manner as in relation to other deceases.
As an employer is under an obligation to keep its employees safe to the extent possible, information that someone has been infected can also be used if required to ensure the safety of other employees. In this respect it should, however, as for all types of personal data be carefully considered, which other employees actually need to know the identity of infected persons, and processes for handling the information should be implemented in advance. If an employee is diagnosed with coronavirus, the employer is not as a rule entitled to reveal the name of such employee. However, the employer may on a general level inform other employees of the (suspected) infection and guide them to work from home.
Moreover, information directly or indirectly identifying specific persons should not be sent by (unencrypted) e-mail and also other safety measures applicable to sensitive personal data should be considered. The infected person should at all times also be informed (if possible) and his or her wishes as to how data is processed should be catered for to the extent doable.
The Swedish and Finnish data protection authorities have issued brief guidelines on the processing of employee data in relation to the coronavirus. In these guidelines the data protection authorities confirm that:
- Information that a specific employee has been infected by the Corona virus is considered health data.
- Information that an employee has returned from so-called risk areas, is not considered health data.
- Information that an employee is in quarantine is not health data (if the reason for the quarantine is not disclosed).
Also other provisions under the GDPR must of course still be complied with, and national data protection authorities may issue different guidelines. Thus, the Finnish data protection authority also highlights that employee health data may only be processed by such persons within the organization, whose work tasks require processing of health data, that the employer must name such persons in advance or define positions in which health data needs to be processed, and that all persons who process employee health data are bound by a confidentiality obligation.