Employee health data: how to manage it during COVID-19?

Among the challenges our societies are facing in the context of the health crisis, the one facing employers is not the least.

In addition to the working conditions that must be adapted, there is the question of the data that can or even must be collected and processed within the framework of the employment relationship.

The employer is, on the one hand, subject to the legal obligation to protect the health of its employees, while on the other hand health data is considered by law to be sensitive data, the processing of which is strictly regulated.

The recent reminder from the CNIL on the framework to be respected and on the concrete measures which can be implemented in the workplace is therefore welcome.

The following elements are retained:

Although the processing of health data is in principle prohibited, it remains possible under certain conditions depending on the purposes pursued.

Thus, in the context of the pandemic, the employer can validly:

  • Inform its employees of the barrier measures, provide them with all necessary protective equipment, and remind them of their obligation to inform the employer or the competent health authorities in the event of contamination or suspected contamination, for the sole purpose of enabling the employer to adapt working conditions (teleworking, for example).
  • Facilitate the transmission of information by setting up, where necessary, dedicated and secure channels.
  • Promote remote working methods and encourage the use of occupational medicine.
  • As part of the implementation of a Business Continuity Plan to protect the safety of employees and identify essential activities that must be maintained, create a nominative file for the development and maintenance of the plan, limited to the data necessary to achieve this objective.

The employer can only access certain restricted information in order to take the required organizational measures, while data more directly concerning health must be processed by a health professional (for example, to extend a quarantine and justify teleworking) and within the framework of occupational health services.

The employer is not authorized to diagnose the state of health of each of its employees or to manage its own system for assessing their vulnerability (for example via a color code).

Under the current law, the collection of temperatures electronically or via a thermal camera with data retention, serological tests, and health questionnaires cannot be implemented by the employer. The situation would be different for manual temperature taking without data retention: such a practice does not fall within the scope of the GDPR but may raise other questions of effectiveness.

Finally, still due to the sensitive nature of the data processed, the greatest attention must be paid to security measures guaranteeing the confidentiality of the data processed.

In summary, the main measures that the employer is authorized to take concern the organization of work, based on data limited to the risks of employee exposure, while the management of data more directly concerning the disease is the direct responsibility of health professionals. Any other requests to employers to report information to the health authorities, or to take specific measures, can be consulted on the Ministry of Labor website.

• And also

France:

  • On October 1, the CNIL published the final version of its guidelines regarding the use of cookies and other trackers.

It specifies in particular that continuing to browse a website cannot be considered valid consent to the use of trackers.

It also recommends that data controllers include in the consent collection interface not only an "accept all" button but also a "refuse all" button.

  • October is Cyber Security Month.

In this context, the CNIL and the ANSSI are publishing a series of recommendations.

Cyberattacks in recent months have particularly affected the healthcare sector, the industrial sector and local authorities.

Individuals are particularly targeted by webcam blackmail, and the CNIL provides advice on how to protect yourself on its website.

Europe:

  • The Council of Europe has published a report on the resilience of data protection principles in the 57 countries that have ratified Convention 108, in light of the measures taken to contain the pandemic.
  • The Hamburg supervisory authority fined H&M €35 million on October 1 for violating the privacy of its employees.

The company collected information about its employees' vacations, health status and religion.

Numerous measures are currently being implemented by the company to ensure that processing complies with the law.

  • Two draft guidelines are available for public consultation on the website of the European Data Protection Board (EDPB).

These documents concern, on the one hand, the concepts of data controller and processor, and on the other hand, the targeting of social network users.

  • Following the Schrems II ruling of the European Court of Justice, which puts a brake on transatlantic data transfers (see the September editorial on this subject), the European Commission has announced new standard contractual clauses for the end of the year.

International:

  • The development of facial recognition is sparking debate in different parts of the world.

In Singapore, the use of facial recognition to access public services is considered by the organization "Privacy International" as an unprecedented intrusion into the privacy of citizens, while in Russia it is its use in public spaces and the entrance halls of private buildings that is causing concern.

  • Ethics and artificial intelligence are the subject of an article in the latest newsletter from the Global Privacy Assembly, which brings together CNILs at the international level.

It specifically addresses issues related to digital tools used in the health sector, including COVID-19 tracking apps.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
