COVID-19 collecting employee health information

Things employers need to consider when collecting employee health information, to prevent the spread of COVID-19.

13 March 2020

Publication

On 11 March 2020, the World Health Organization declared the outbreak of novel coronavirus disease (also known as COVID-19) as a pandemic. As at the date of this article, the global number of confirmed cases of COVID-19 has surpassed 100,000, with concerning epicentres emerging particularly in Iran, South Korea and Italy. As the situation evolves rapidly, employers around the world are asking whether they are permitted to collect health information about their employees to help monitor and prevent the spread of COVID-19.

In this article, we take an in-depth look at the key issues of processing employee health data in the UK, Germany, France, Italy, Mainland China, Hong Kong SAR, Singapore and the United Arab Emirates.

United Kingdom

Are there special rules for health data?

Health data, including body temperature and coronavirus symptoms such as fever and coughing, is “special category data” under the GDPR. Given that special category personal data is likely to be more sensitive, the GDPR sets extra restrictions on the processing of special category personal data.

What are the rules for collecting and processing health data?

There are two layers of lawful bases for the collection and processing of employee health data that must both be met:

  1. In order for the processing of any personal data (including health data) to be lawful, employers must identify a lawful basis for processing under Article 6 of the GDPR. Employers should be able to rely on the basis of legitimate interest to process employee personal data. In the case of the current COVID-19 situation, the legitimate interest is to prevent the spread of infectious diseases and to ensure workplace safety. The collection of employee health data directly relating to the symptoms of coronavirus during the outbreak of the disease should be within the reasonable expectation of employees and well aligned with the employees’ individual interests in their well-being, so there are unlikely to be overriding compelling individual rights that would invalidate the processing.

  2. In order to process any special category personal data (including health data), the activity must also fall into one of the special conditions set out in Article 9 of the GDPR. The special conditions that may be available to employers might be:

  • Consent - for this to apply, the employee must have given explicit consent to the collection and processing of their health data for the purpose of monitoring employee health conditions and preventing the spread of coronavirus. However, in order to be valid, the consent given by the employee must be freely given – that is, the employee must have the right to refuse the collection of his/her health data, and the refusal must not cause any adverse impact on the employee. Consent is therefore not an ideal justification in the current COVID-19 scenario, as employers would want to collect health data from all employees in the office, rather than give them the option not to provide their health data.

  • Employment law obligations - for this to apply, the processing of health data must be necessary for the purpose of carrying out obligations and exercising specific rights of the data controller in the field of employment, social security and social protection law, in so far as it is authorised by EU or member state law providing for appropriate safeguards for the fundamental rights and interests of the data subject. This condition in Article 9(2)(b) of the GDPR is only satisfied if there is a corresponding provision in either EU or member state law and the specific conditions in the relevant EU or member state law are met. This means that different specific conditions may be set at member state level, so the local law of the relevant jurisdiction has to be checked. For example, in the UK, the Data Protection Law 2018 provides that this condition is met if the processing is necessary for the purposes of performing obligations which are imposed or conferred by law on the controller and the controller has in place an appropriate policy document pursuant to which the processing is carried out (including procedures regarding the retention and erasure of personal data processed in reliance on the condition). Additional safeguards are set out in Part 4 of Schedule 1 of the UK Data Protection Law 2018. Employers that rely on this condition should also ensure (among other things) that the scope of health data collected and processed is limited to the minimum necessary and directly linked to the typical symptoms of the coronavirus.

  • Collection being necessary for reasons of public health - for this to apply, the collection has to be required to protect against serious cross-border threats to health, on the basis of EU or member state law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject. Again, this condition in Article 9(2)(i) of the GDPR must be read in conjunction with any specific conditions set by EU or member state law. For example, in the UK, the Data Protection Law 2018 provides that this condition is met if:

    • the processing is necessary for reasons of public interest in the area of public health; and
    • the processing is carried out by or under the responsibility of a health professional, or another person who owes a duty of confidentiality under the law.

Are there any other considerations?

The GDPR requires that a data protection impact assessment (DPIA) must be carried out for any type of processing which is likely to result in a high risk to individuals. In particular, a company must carry out a DPIA if it plans to process special category data on a large scale. There are also other obligations under the GDPR applicable for the intended processing activity, such as security obligations.

Germany

Are there special rules for health data?

The provisions in the GDPR concerning the processing of personal health data set out above in relation to the UK also apply in Germany. In addition, the German Federal Data Protection Act (FDPA) sets additional rules for the processing of employee (health) data.

What are the rules for collecting and processing health data?

There are two layers of lawful bases for the collection and processing of employee health data that must both be met:

  1. In order for the processing of any personal data (including health data) to be lawful, employers must identify a lawful basis for processing. The lawful bases under the FDPA differ somewhat from those under the GDPR: personal data of employees may be processed for employment-related purposes only. In the case of the current COVID-19 situation, the employment-related purpose is to prevent the spread of infectious diseases and to ensure workplace safety. The collection of employee health data directly relating to the symptoms of coronavirus during the outbreak of the disease should be within the reasonable expectation of employees and well aligned with the employees’ individual interests in their well-being, so there are unlikely to be overriding compelling individual rights that would invalidate the processing.

  2. In order to process any special category personal data (including health data), the activity must also fall into one of the special conditions set out in Article 9 of the GDPR. The special conditions that may be available to employers might be:

  • Consent - the rules for this condition to apply are similar to those set out above in relation to the UK.

  • Employment law obligations - for this to apply in Germany, the processing of special categories of personal data for employment-related purposes must be necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there must be no reason to believe that the data subject has an overriding legitimate interest in not processing the data. By processing employees’ health data to prevent the spread of infectious diseases and to ensure workplace safety, the employer complies with its legal duty to care for employees under German labour law. Employers may rely on this condition (i.e. employment law obligations), provided that:

    • the scope of health data collected and processed is limited to the minimum necessary and directly linked to any typical symptoms of the coronavirus;
    • employers put in place a policy document which explains the procedures for the collection and processing of employee health data, the retention period and erasure of the health data collected; and
    • employers keep a detailed record of the processing of employee health data, including the justifications of the processing (under Article 6 and Article 9), the policy document for such activity, and confirmation that the employee health data is retained and erased according to the policy document.

However, the fact that employers may rely on employment law obligations as a ground for processing personal data should not be misunderstood as an obligation on employees to answer questions from employers about their health condition without cause. That said, employees may, under their general duty of loyalty to the employer, be required to answer questions about their health (and do so truthfully) if there are specific (COVID-19-related) symptoms of illness.

  • Collection being necessary for reasons of public health - that is, where collection is required to protect against serious cross-border threats to health. Again, this condition must be read in conjunction with the German FDPA, which provides that this condition is met if:

    • the processing is necessary for reasons of public interest in the area of public health; and
    • appropriate and specific measures are taken to safeguard the interests of the data subject.

Are there any other considerations?

As in the UK, the GDPR requires that a DPIA must be carried out for any type of processing which is likely to result in a high risk to individuals and in particular, if a company plans to process special category data on a large scale. There are also other obligations under the GDPR applicable for the intended processing activity, such as security obligations.

France

Are there special rules for health data?

The provisions in the GDPR concerning the processing of personal health data set out above in relation to the UK also apply in France. In addition, the French Data Protection Act requires that the processing of this special category of data must first be authorised by the French Data Protection Authority (CNIL), subject to certain limited exceptions which are unlikely to apply to the processing of health data for the purpose of preventing or monitoring the spread of COVID-19.

What are the rules for collecting and processing health data?

As is the case for the UK, it will be necessary to have a lawful basis for the processing. To assist in determining the legal bases, the CNIL issued a statement on 6 March 2020 on the subject of the processing of personal data for the purpose of prevention of COVID-19.

The CNIL underlined that an employer is under an obligation to ensure the health and safety of its employees under the French Labour Code.

The employer is therefore entitled to raise the awareness of its employees regarding COVID-19, and to invite them to declare any suspicion of exposure to the virus.

In case of such notification, the employer will be entitled to collect:

  • the date and identity of the individual suspected of having been exposed to the virus; and
  • the organisational measures taken by the employer (containment, remote working, etc.) to deal with the situation.

The employer is also invited to redirect the relevant individual to the works’ doctor.

The CNIL adds that health data can be collected by health authorities which are empowered to collect this information and to take appropriate measures.

Are there any other considerations?

It is clear from the CNIL’s statement of 6 March 2020 that it considers that limited amounts of data can be collected for the purposes of preventing the spread of COVID-19 and putting in place the necessary organisational measures to ensure business continuity.

It considers that the systematic collection of data to identify whether staff or visitors to the workplace have a temperature would not be justified, nor would it be acceptable to require staff to complete questionnaires regarding their health. In light of this published position, it is likely that the CNIL would consider the collection of any information other than the date and identity of a person suspected of having contracted COVID-19, to be disproportionate.

In addition, as indicated above, processing of health data by an employer for the purpose of preventing or monitoring the spread of COVID-19 is likely to require the prior authorisation of the CNIL. It can take up to four months to obtain such approval, which as a practical matter, is incompatible with the urgency of the current situation.

A thorough assessment under the GDPR and French data protection law is therefore recommended before collecting health data of employees potentially exposed to coronavirus.

Italy

Are there special rules for health data?

The provisions in the GDPR concerning the processing of personal health data set out above in relation to the UK also apply in Italy. In addition, the Italian Data Protection Code provides that employers may process health data of the employees if necessary for the execution of their employment agreements and employment law obligations. In all the other cases, consent is generally the basis on which health data is processed.

What are the rules for collecting and processing health data?

To assist employers in determining the appropriate legal bases for processing health data during this epidemic, the Italian Data Protection Authority (Garante) recently issued a statement for the purpose of prevention of COVID-19.

On 2 March 2020, the Garante stated that employers must not collect information from employees, clients or suppliers or conduct investigations regarding coronavirus symptoms that these persons or their close contacts may experience. As a matter of fact, the Garante has prohibited employers from taking any measure within the workplace which could impact the protection of employees’ personal data. This, of course, must be balanced with the obligation of employers to safeguard the health of employees within the workplace and to provide a safe work environment under employment laws. Therefore, employers may collect health data of employees only if such data is necessary to ensure a safe and healthy workplace.

In addition, only authorised institutional parties (for example, health workers and civil defence authorities) can collect personal information to help prevent the spread of COVID-19. The Garante has welcomed the emergency measures provided by the Civil Protection Department to ensure the most effective management of flows and exchange of personal data.

The Garante has stated that until 30 June 2020, only authorised institutional parties may carry out processing activities necessary for the performance of civil protection, including the communication between such institutional parties of personal data falling under the scope of Article 9 (processing of special categories of personal data) and Article 10 (processing of personal data relating to criminal convictions and offences) of the GDPR. The public interest is therefore considered to be of overriding importance in the context of the current COVID-19 situation.

Are there any other considerations?

Employees have a general obligation to inform their employers of any situations that could affect health in the workplace – which naturally includes communicating coronavirus symptoms – but employers also have an obligation to safeguard health in the workplace and this is not easily done in light of the applicable data protection rules.

As a practical measure, we suggest employers could provide a privacy notice at the entrance of their offices, which:

  • informs employees about the current health emergency and encourages remote working;
  • prohibits access to those who arrive from areas designated as red-zone territories by the Italian government or those who have been in contact with people resident in those territories;
  • informs employees about the need for employers to notify competent authorities about any changes to "biological risk" in a workplace, together with other mandatory requirements imposed on employers regarding the health of employees.

Another practical precaution that employers could take is providing a thermometer to employees to allow them to (of their own volition) check their temperature and self-evaluate the need to leave the office and work from home. Of course, in such a scenario, employers could not record or access such data or use this data to force employees to stay home.

Mainland China

Are there special rules for health data?

Personal health data (including, for example, personal information about coronavirus symptoms, diagnosis and treatment) is sensitive personal information under the Personal Information Security Specification and therefore the processing of this information is subject to stricter requirements (for example, requiring the data subject’s explicit consent and stricter requirements regarding encrypted storage and transmission). The Personal Information Security Specification is a recommended guideline under Chinese law. While compliance is not mandatory, regulators and judicial bodies will have regard to whether a company has complied with the Personal Information Security Specification in relevant legal proceedings.

Even if such health data is anonymised such that individuals can no longer be identified (either based on the data by itself or together with other pieces of data), it may nonetheless be deemed as “important data” under Chinese law. “Important data” is subject to a higher standard of protection than other non-personal data; for example, a transfer of “important data” from within Mainland China to a location outside Mainland China will be, in principle, subject to a security assessment by the transferor or a competent Chinese regulator (depending on the circumstances).

What are the rules for collecting and processing health data?

The two key bases on which an employer can collect or use personal health data in the context of COVID-19 are:

  • Regulator’s requirement - every individual must provide their relevant data (which potentially includes information related to their personal health) if requested by a competent branch of the Chinese Centre for Disease Control and Prevention (Chinese CDC) or medical institutions designated by the Chinese CDC for the purpose of prevention and control of COVID-19 according to relevant Chinese law. If the Chinese CDC or such designated medical institutions request an employer to collect this data from its employees for COVID-19 control and prevention purposes, the employee is obliged to provide such data to their employer. In addition, if an employer (or any third party) becomes aware or suspects that a person has been infected with COVID-19, they are required under Chinese law to report this to the nearest Chinese CDC branch or medical institution.

  • Employee consent - if an employer would like to collect employees’ personal health data for the purpose of ensuring the health and safety of the workplace or the purpose of prevention and control of COVID-19, it must obtain explicit consent from employees. However, it is debatable whether an employee can give consent freely in the context of an employment relationship. Therefore, unless the employer has been required by the Chinese CDC or a designated medical institution to collect such data, we recommend that employers make it clear to employees that they have the option not to provide their personal health data to the employer. In addition, an employer should not treat an employee negatively because he/she has refused to consent to their health data being collected.

Are there any other considerations?

Chinese law requires that collecting and using personal information must abide by the principles of lawfulness, legitimacy and necessity. Obtaining a data subject’s consent may satisfy the principles of lawfulness and legitimacy. The principle of necessity means that the collection, use and retention of personal data should be limited to the extent strictly necessary for the relevant purpose for which consent has been obtained or other legal grounds are applied.

In addition, the Cyberspace Administration of China has issued further specific rules in response to COVID-19 which set out that:

  • the principles of necessity and minimum collection should be followed in collection and/or use of personal data. For example, personal data should only be collected from those individuals who are confirmed or are suspected to be carrying the COVID-19 virus and those who have had close contact with confirmed or suspected virus carriers;
  • personal data collected for the purpose of preventing or treating epidemic diseases cannot be used for any other purpose; and
  • no personal data that has been collected for the purpose of preventing or treating epidemic diseases can be made public without the consent of the relevant data subject, unless this is necessary for the prevention of an epidemic disease and the information is anonymised.

Employers should also develop a data management and protection mechanism, encrypt health data, restrict and manage access to the collected health data appropriately and delete the relevant data after the purpose of epidemic prevention and control has been achieved.

Hong Kong SAR

Are there special rules for health data?

In Hong Kong SAR, there is no concept of “special category” data, such as health information. Collection and processing of health-related personal data is governed by the same rules that apply generally to personal data protection under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).

What are the rules for collecting and processing health data?

Collection of all personal data (including personal data in the nature of health data) must be in compliance with the Data Protection Principles contained in Schedule 1 of the PDPO. In particular, personal data must be collected:

  • on an informed basis, and employers should take steps to notify employees of the purposes for which they are collecting, using and disclosing such data (as described further below);
  • with due consideration towards minimising the amount of personal data collected; and
  • only for a lawful purpose directly related to a function or activity of the data user. In the context of COVID-19, the lawful purpose of an employer would be to fulfil an employer’s duty of care to provide a safe workplace for employees.

In collecting health information, employers need to comply with notification requirements, which require the employer to take all practicable steps to communicate at or before the time of collection the purpose of collection, whether the collection is obligatory or voluntary (and if obligatory, the consequences of refusal), the persons or entities to whom the information may be transferred and the data subject’s right of access and correction.

Use of the data should also be limited to or related to the original collection purpose, and Data Protection Principle 3 prohibits the use of personal data for any new purpose unless the data subject has given express and voluntary consent.

Are there any other considerations?

Many employers have started to implement temperature checks (often using a non-contact infrared forehead thermometer) as a condition of building access. Many employees readily submit to these tests, as the purpose of these checks is generally and readily understood. However, the collection of this information nonetheless constitutes the collection and use of personal data under the PDPO and employers should ensure that they continue to comply with the relevant employee notification requirements. Many employers are choosing to do this by sending an “all employee” email prior to implementing routine checks.

Singapore

Are there special rules for health data?

There are no special rules relating to health data in Singapore. Health data will fall within the ambit of being “personal data” for the purposes of the Personal Data Protection Act 2012 (PDPA), and employers collecting such data from their employees will need to comply with the obligations contained in the PDPA.

What are the rules for collecting and processing health data?

Under the PDPA, unless a statutory exemption applies, an employer is required to:

  • notify its employees of the purposes for which it is collecting, using and disclosing employee health data; and
  • obtain the employees’ consent to such purposes.

In light of the current situation, the Personal Data Protection Commission has released an Advisory on Collection of Personal Data for COVID-19 Contact Tracing, which provides that relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health and safety of other individuals. Given this, employers can collect the health data of their employees without consent on the basis that a statutory exemption applies.

While consent is not required, employers should still notify employees of the purposes of the collection of their health data. In addition, employers should ensure that they continue to comply with the other data protection obligations applicable to such data, including:

  • ensuring that the employee health data is not used for any other purposes;
  • making reasonable security arrangements to protect personal data in their possession from unauthorised access or disclosure; and
  • not retaining the employee health data for longer than is necessary for permitted business or legal purposes.

Are there any other considerations?

If the employer intends to transfer employee health data outside of Singapore to, for example, its headquarters located overseas, the employer will need to ensure that the personal data being transferred is accorded a standard of protection in that overseas location that is similar to that in the PDPA.

United Arab Emirates

Are there special rules for health data?

Whilst there is no single federal data protection law in the UAE, Federal Law No. 2/2019 “On the Use of the Information and Communication Technology (ICT) in Health Fields” (the Federal Health Data Law) regulates the processing of electronic health data.

The Federal Health Data Law applies to all businesses that handle health data and information in the UAE (whether onshore or in one of the “free zones”). Some free zones also designate health data as a special category of data.

One of the Federal Health Data Law’s primary aims is to ensure the security and safety of health data and information and in this respect, it introduces familiar data privacy and protection concepts.

What are the rules for collecting and processing health data?

The relevant rules are as follows:

  • Purpose limitation – except with the prior consent of the individual, health data should not be used other than for the purpose of the provision of health services (Article 16).

  • Consent to disclosure – without the prior consent of the individual, or as permitted by law, health data must be kept confidential and should not be disclosed to any third party (Article 4).

  • Data localisation – health data cannot be stored, processed, generated or transferred outside the UAE unless the activity has been approved by any federal or local governmental health authority in coordination with the Ministry of Health and Prevention (Article 13).

There are certain exceptions to the disclosure restrictions outlined above. For instance, under Article 16, businesses may use or disclose health data without the consent of the individual for the purpose of “taking preventative and curative measures related to the public health or protecting the health and safety of the patient or any other person related to him”.

Are there any other considerations?

It is important to note that the Federal Health Data Law is just a basic framework and is not yet fully supplemented by the implementing regulations. Therefore, the full extent of the requirements remains to be seen until the implementing regulations provide much-needed clarity (particularly in relation to any exceptions to the data disclosure and localisation requirements).

The UAE also includes many free zones, some of which administer their own sets of laws, such as the Dubai International Financial Centre (DIFC) (which has its own data protection regulation). For the purposes of this note, we have referred to federal UAE law only.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.