
Data processing by public and private employers in the context of the health emergency (Covid-19)


In an effort to protect the business environment and employees from Coronavirus infection, employers are compelled to implement different measures, and some of them will undoubtedly involve collecting personal information from employees.

The Italian Data Protection Authority published a list of frequently asked questions (“FAQs”) and answers on data protection and COVID-19.

Among other topics, the FAQs below cover data processing by private employers in the context of the COVID-19 health emergency.

1. May an employer take the body temperature of employees, users, suppliers, visitors and customers at the entrance of their premises?

In the current situation linked to the epidemiological emergency, a number of regulatory measures and subsequent guidance documents were adopted at a fast pace by the competent authorities in order to set out urgent measures for the containment and management of the epidemiological emergency. Accordingly, it was determined that an employer whose activities were not suspended was required to comply with the measures for the containment and management of the epidemiological emergency laid down in the MoU to combat and control the spread of COVID-19 in working environments that was adopted jointly by the Government and workers’ representatives on 14 March 2020.

In particular, the said MoU envisages the taking of the body temperature of employees for access to the premises of the organisation as part of the measures to combat the spread of the virus, which also apply to users, visitors and customers as well as to suppliers - where a separate access mode has not been envisaged for the latter.

Similar security protocols applying to non-deferrable public activities or to essential public services were concluded by the Minister for Public Administration with the most representative trade unions in the public administration (such as the MoU on Preventive Measures and for the Safety of Public Employees in connection with the COVID-19 Health Emergency of 3 and 8 April 2020), on the grounds that the safety measures laid down for the private sector were deemed to be consistent with the guidance already provided by the Minister.

Since the taking of the body temperature in real time, when associated with the data subject’s identity, is an instance of processing of personal data (Article 4(1), No (2), of Regulation (EU) 2016/679), it is not permitted to record the data relating to the body temperature found; conversely, it is permitted to record the fact that the threshold set out in the law is exceeded, and recording is also permitted whenever it is necessary to document the reasons for refusing access to the workplace - in compliance with the principle of ‘data minimisation’ (Article 5(1)(c) of the Regulation).

By contrast, where the body temperature is checked in customers (for example, in large department stores) or occasional visitors, it is not, as a rule, necessary to record the information on the reason for refusing access even if the temperature is above the threshold indicated in the emergency legislation.

2. May an administrative body or a company require their employees to provide information, including through a self-declaration, on their possible exposure to the contagion from COVID-19 as a condition for access to the workplace?

Under the legislation on the protection of health and safety at work, the employee has a specific obligation to inform the employer of any situation of danger to health and safety at the workplace (Section 20 of Legislative Decree No 81 of 9 April 2008). In this connection, Directive No 1/2020 of the Minister for the Public Administration specifies that a civil servant and persons who work in whatever capacity in the public administration are bound to report that they come from or have been in contact with persons coming from a risk area. Within this framework, the employer may invite employees to do so, where necessary, through dedicated channels.

Among the measures to prevent and contain contagion that employers are required to take based on the existing regulatory framework is the prohibition on access to the workplace for those who have been in contact with COVID-19-positive individuals over the past 14 days or come from risk areas according to WHO indications. To this end, also in the light of the provisions adopted subsequently for the containment of contagion (see the MoU referred to above as concluded on 14 March 2020 between the Government and workers’ representatives), a declaration regarding the above circumstances may also be requested from third parties such as visitors and users.

In any case, only the necessary, adequate and relevant data will have to be collected in relation to the prevention of the contagion from COVID-19 without requesting additional information about the COVID-19-positive person, the specific places visited or other details relating to that person’s private sphere.

3. Is it possible to publish, on the official website, the contact details of the competent officials in order to enable the public to book services or visits at the given administrative body in the current epidemiological emergency?

The regulatory provisions for the containment and management of the epidemiological emergency and the operational guidelines provided by the competent bodies require that the presence of staff in the offices be limited, mainly through smart working arrangements. As regards the tasks which require attendance at the workplace, administrative bodies are to carry out activities that are strictly functional to the management of the emergency and those that are ‘non-deferrable’, also with regard to ‘external users’. Therefore, the reception of visitors or the direct provision of services to the public should take place by electronic means or in any case in such a way as to exclude or limit physical presence in the offices (e.g. via telephone or virtual assistance), or else by arranging timed accesses including by way of the booking of visits.

In compliance with data protection principles (Article 5 of Regulation (EU) 2016/679), the purpose of providing users with contact details for assistance or for reception at the offices can be pursued by publishing only the contact details of the relevant organisational units (telephone number and certified email address), and not those of the individual officials in charge. This is also in line with the publication requirements concerning the organisation of public administrations.

4. What processing of personal data in the workplace involves the appointed doctor?

The appointed doctor continues to be prohibited from informing the employer about the specific diseases affecting employees, including under emergency circumstances.

In the context of the emergency, the tasks related to the health surveillance of workers by the appointed doctor, including the possibility of subjecting workers to special visits on account of the increased exposure to the risk of infection, are considered to be a general preventive measure and must be discharged in compliance with data protection principles and by respecting the hygiene measures set out in the guidance by the Ministry of Health (see also the MoU of 14 March 2020).

In the context of the emergency, the appointed doctor cooperates with the employer and the workers’ representatives in order to propose COVID-19 governance measures and alerts the employer to ‘situations of particular fragility and current or past medical conditions of the employees’ as part of the relevant health surveillance tasks (see paragraph 12 of the said MoU).

In compliance with the provisions in the field of health surveillance and on personal data protection, the appointed doctor notifies the employer of those specific cases where an employee’s particular condition of fragility as also related to that employee’s health makes it advisable to assign him or her to tasks in areas less exposed to the risk of infection. To that end, it is not, however, necessary to inform the employer of the specific pathology affecting that employee.

In this context, the employer may, in compliance with data protection principles (see Article 5 of Regulation (EU) 2016/679), process the employees’ personal data only if it is legally prescribed or ordered by the competent bodies or else on specific notification by the appointed doctor in the performance of his or her health surveillance tasks.

5. May an employer inform the workers’ representative for safety on the identity of the affected employees?

Employers may not, in the context of the adoption of protective measures and of their duties relating to the safety of workplaces, communicate the name(s) of the employee(s) infected by the virus, unless national law so permits.

Under the national legal framework, the employer has to inform the competent health authorities of the names of the personnel infected and to cooperate with them in identifying ‘close contacts’ in order to allow timely implementation of disease prevention measures.

On the other hand, such an information requirement is not provided for with regard to the workers’ representative for safety, nor do the tasks described above fall within that representative’s specific remit based on sector-specific legislation.

In the current epidemiological emergency, the workers’ representative for safety will have to continue to carry out his/her consultative, control and coordination tasks and cooperate with the appointed doctor and the employer - for example, by helping in the identification of the most appropriate prevention measures to protect workers’ health in the specific working environment; updating the risk assessment document; and verifying compliance with internal protocols.

Where the workers’ representative for safety becomes aware of information in discharging the relevant duties (information the representative usually processes in aggregate form, e.g. the information included in the risk assessment document), he or she complies with data protection provisions if it is possible, even indirectly, to identify certain data subjects.

6. May an employer disclose the identity of an employee affected by COVID-19 to other workers?

No. With a view to the protection of the health of other workers, it is for the competent health authorities to inform the ‘close contacts’ of the diseased employee in order to implement the required prevention measures.

Conversely, the employer is required to provide the competent institutions and health authorities with the necessary information so that they can carry out the tasks and duties set out also in the emergency legislation adopted in connection with the current outbreak (see paragraph 12 of the MoU mentioned above).

Data concerning health may only be disclosed, whether externally or within the organization an employee or collaborator pertains to, if this is provided for in the law or ordered by the competent authorities on the basis of statutory powers - for example, solely for the prevention of contagion from COVID-19 and upon a request by the health authority for tracing back the ‘close contacts’ of a worker who tested positive for COVID-19.

In all cases the employer must take specific measures if persons affected by COVID-19 are present within the premises of the organization, relating to the cleaning and sanitising of the premises in accordance with the instructions given by the Ministry of Health (see point 4 of the MoU mentioned above).

7. May an employer require serological tests to be carried out by its staff?

Yes, but only if ordered by the appointed doctor and in compliance with the information provided by the health authorities, including reliability and appropriateness of those tests.

Only the appointed doctor, as a health professional, taking account of the general risk posed by COVID-19 and the specific health conditions of workers subject to health surveillance, may determine the need for particular clinical and biological tests and suggest specific diagnostic methods if this is considered useful to contain the spread of the virus and protect workers’ health (see paragraph 12 of the MoU between the Government and social partners updated on 24 April 2020).

The information relating to the worker’s diagnosis or family history may not be processed by the employer (for example, by consulting reports or test results), except in the cases expressly provided for by law. By contrast, the employer may process data relating to the assessment of suitability for the specific task and any requirements or restrictions the appointed doctor may lay down in terms of working conditions.

Visits and inspections, including for the purposes of assessing the employee’s return to work, must be carried out by the appointed doctor or other health personnel; in any case, the overarching prohibition against the employer’s carrying out diagnostic tests on employees will have to be complied with.

Workers are free to participate in the screening campaigns launched by the competent regional health authorities for COVID-19 serological tests, of which they may happen to be informed by their employer as involved by the local preventive medicine department in conveying, to its own employees, the invitation to join the campaign.

Employers may offer serological tests in public and private health facilities to their employees and also cover the relevant costs in whole or in part – for instance, through ad-hoc or expanded health insurance policies or through ad-hoc agreements with those facilities; however, they are not permitted to know the outcome of such tests.

8. May the employer process the personal data of an employee affected by or presenting symptoms from COVID-19?

Although, as a general rule, personal data relating to the specific conditions affecting workers may only be processed by health professionals (e.g. family doctors, specialists, appointed doctors) and not by the employer, the latter may, in some cases and in the context of the current epidemiological emergency, lawfully become aware of the identity of an employee affected by or presenting symptoms compatible with COVID-19.

This may be the case, in particular, when an employer is notified directly by the employee, who is obliged to inform the employer of any situation of danger to health and safety at the workplace. By the same token, the MoU between the Government and social partners updated on 24 April 2020 – to be complied with as required by the emergency legislation – lays down specific obligations for the employee to inform the employer when there are any conditions of danger such as signs of influenza (see also similar MoUs drawn up in the public domain and those relating to specific sectors, such as construction sites, transport and logistics). This also applies if the symptoms are detected upon entering the workplace or during the course of work (see MoU, e.g. paragraphs 1, 2 and 11). To that end, the employer may call on its employees to make such communications by facilitating the way they are conveyed, including through dedicated channels, taking account of its general obligation to protect workers’ bodily integrity in accordance with Section 2087 of the Civil Code and Legislative Decree No 81/2008.

Additionally, an employer might become aware of a COVID-19 positivity situation that is established by the health authorities on the basis of a buccal/nasopharyngeal swab, as part of the cooperation the employer is required to provide to those authorities - also with the involvement of the appointed doctor - in order to track down any close contacts with other individuals in the employment context (see paragraph 11 of the MoU of 24 April 2020).

The employer may also be informed of a negative buccal/nasopharyngeal swab with a view to readmission to the workplace of any employee previously found to be COVID-19 positive - in accordance with the procedures laid down and the documentation issued by the competent preventive medicine department (see paragraphs 2 and 12 of the MoU of 24 April 2020). (1)

In the above cases the employer may accordingly process data relating to an employee’s COVID-19 symptoms or positivity for the purposes of ensuring health and safety at the workplace or fulfilling the obligations of cooperation with public health workers.

Conversely, an employer may not process data on a worker’s health and communicate the data to third parties in cases other than those set out in the law (see FAQs 5 and 6).

Pursuant to the legislation on health surveillance, which is not derogated from by the emergency legislation, an employer may not be informed of the outcome of the diagnostic tests ordered by the appointed doctor, including serological tests, which anyhow do not allow diagnosing the infection.

When a swab test is ordered following the serological test in order to establish virus positivity, the employer will still be able to know the identity of the employee concerned in addition to the assessment by the appointed doctor regarding that employee’s unsuitability for work (see the MoU, paragraphs 1, 2, 11 and 12) in the aforementioned cases, of which a summary is provided below.

In the light of the current legal framework, an employer may accordingly process the personal data of an employee affected by or presenting symptoms from COVID-19 and may be informed of a COVID-19 positivity situation in the following cases:

 - if the employer is informed directly by the employee;

 - in so far as it is necessary in order to cooperate with health authorities; or

 - with a view to readmission to the workplace of an employee who had been found to be COVID-19 positive.

 

 
