In order to limit the spread of COVID-19 and mitigate its effects, on 12 March 2020 the Government of the Republic of Estonia declared an emergency situation lasting until 1 May 2020, and the Health Board recommends avoiding human contact. In this situation, implementing effective safety measures at the workplace often requires requesting additional personal data, including health data, from employees. When is it justifiable to request an employee's health data?
Lawfulness of the processing of employee’s health data
In Estonia, the processing of personal data is governed by the European Union General Data Protection Regulation ("GDPR") and, to a limited extent, by the Personal Data Protection Act. Under the GDPR, health data is a special category of personal data and, due to its sensitive nature, is subject to additional processing requirements.
Special categories of personal data may only be processed if such processing is based on a legal basis deriving from Article 6 of the GDPR and at least one of the specific conditions laid down in Article 9 (2) of the GDPR is fulfilled.
Given the current rate at which COVID-19 is spreading, the employer may rely on Article 9 (2) (b) of the GDPR, which permits the processing of special categories of personal data when it is necessary for carrying out the obligations of the employer in the field of employment, in conjunction with the obligation to ensure a safe working environment stipulated in the Occupational Health and Safety Act. On this basis, the employer has the right to process an employee's health data to a limited extent.
In addition, it is important to emphasise that, under the Occupational Health and Safety Act, the employer and the employee are required to cooperate in order to achieve a safe working environment, which means that the collection of infection-related data inevitably depends on the employee. Although the employer cannot compel the employee to disclose the relevant health data, the employee's refusal may be considered a breach of their occupational health and safety obligations.
Obligations arising from the processing of health data
Irrespective of the lawfulness of processing the employee's health data, the employer must not overlook its other obligations arising from the main principles of personal data processing: minimisation, confidentiality, transparency, storage limitation and accountability. A breach of these principles renders the data processing activity unlawful, even if the processing seems highly important.
Minimisation means that the employer shall only ask the employee for the information necessary to decide on the measures to be taken to limit the spread of COVID-19 and mitigate its effects. For example, it may be worth considering whether it is necessary to collect personalised health and travel information in order to decide whether to close the office and introduce a home office regime, or whether an anonymous survey asking only whether there is a suspicion of infection is sufficient to make the decision. Furthermore, it is not justified to require employees to fill in extensive questionnaires about recent travel and their general state of health as a precaution. Using thermal cameras and, on that basis, taking action against an individual employee certainly cannot be considered minimal and proportionate processing of health data at the workplace.
The employer must ensure the confidentiality of the personal data collected and protect them against unauthorised or unlawful processing, disclosure or damage. This means that the employer must restrict access to employees' personal data, especially in view of the greater protection that health data require. It is prohibited to disclose, without a legitimate cause, any diagnosis or suspicion of COVID-19 infection to other personnel or to third parties. The employer should therefore grant access to health data only to those employees for whom it is essential for ensuring the safety of the working environment and for reorganising work.
Data processing must be transparent - on the one hand because the GDPR requires it, but also to maintain the employees' trust in the employer and to avoid subsequent disputes and claims. The employer is obliged to inform employees, in an easily accessible and clearly worded way, about the purpose of the data collection and their rights regarding their personal data. This is particularly important where additional data is collected on an extraordinary basis, i.e. where this changes the regular data processing processes and such processing is not covered by the privacy notices previously provided to employees.
Storage limitation means that the employer must also set a retention period for the personal data collected and ensure that the data, and the storage media containing them, are destroyed once that period has expired.
To comply with the accountability principle, the employer must document all decision-making processes regarding the measures implemented to manage COVID-19 that involve the processing of personal data. Such documentation allows the employer to demonstrate after the fact that the above principles were complied with, and also provides protection against any claims.
The employer has the right to request an employee's health data if it follows the principles of personal data processing
Both the GDPR and Estonian law allow the employer to take the necessary measures to process employees' personal data in the event of a crisis in order to effectively ensure a safe working environment and protect the health of its personnel. As the right to the protection of personal data is one of the fundamental rights under European Union law, the employer should bear in mind the principles set out in the GDPR when implementing such measures - in this way the employer ensures both the performance of its obligations and the trust of its employees during this difficult period.