Because of the coronavirus, several questions related to processing of personal data must be raised – in particular within the context of work life. In this article, we touch on some of the most important aspects employers should consider when processing employees’ personal data.
A few days ago, the Swedish Data Protection Authority also published its guidance on the coronavirus and personal data. The guidance is available here (only in Swedish).
Employers have significant leeway when informing staff about the coronavirus and when processing personal data due to the virus. This is because the processing of personal data is related to the employer’s obligations in the field of employment. Personal data – including special categories of personal data – may therefore in many cases be processed because it is necessary in order for the employer to exercise its rights within the managerial prerogative. Personal data (including special categories of personal data) may also be processes in order to exercise the employer’s other rights and obligations in the field of employment – not least in order to fulfil the employer’s work environment obligations.
It is, as always, important that more personal data than necessary is not processed. Depending on the circumstances, it may be necessary to provide general information, without identifying specific employees. In such cases, you should choose to only provide general information.
Bear in mind that specific information that an employee is or has been infected by the corona virus, may be processed for a shorter period of time than less specific information about sick leave. When information about a person’s confirmed or suspected coronavirus infection is no longer necessary in order to fulfil the employer’s work environment obligations it should normally be deleted.
To ensure that personal data related to employees infected by the coronavirus, or information that may belong to other special categories of personal data, is not spread to too many people, with the consequence that it may become hard to control how the personal data is processed, it is inappropriate to include such information in emails. It is better to keep all such information in one place, for example on your company’s intranet. Further, special categories of personal data must be encrypted before being sent over public networks.
Processing must comply with the principles relating to processing of personal data
Article 5 of the GDPR sets out the key principles relating to processing of personal data. Employers must comply with all these principles when processing personal data related to the coronavirus. Below, we touch on some of the principles that have practical importance in this case.
Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
In practice, an employer may collect personal data for the purpose of preventing the spread of the virus at work (work environment obligations), administration and for communication related to the coronavirus. As we explain below in the section on the obligation to inform, employers must inform employees whose personal data is being processed about the purposes of the processing. An appropriate time to provide this information is when the information is being collected, or at the latest when it is communicated to others.
Employers may further process the information for other purposes, but these purposes may not be incompatible with the original purpose. To illustrate this principle, it can be articulated as follows: if a data subject could reasonably have expected that the personal data could also be processed for the new purpose, then the new purpose is not incompatible with the original purpose. If, for example, the employer was to use the personal data that has been collected to perform a performance review, the new purpose would be incompatible with the original purpose and the processing would be prohibited.
The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The principle could be interpreted to require a proportionality assessment.
In practice, an employer should try to avoid processing personal data in its communication about the coronavirus. It may be adequate to simply provide general information instead. If it is necessary to process personal data, as little personal data as possible should be processed.
The storage limitation principle is very broad, and its key point is that employers must not keep personal data for longer than they need to keep it to fulfil the purposes for which the data was collected.
The GDPR does not provide additional guidance, but in practice, the meaning of the principle is that employers may keep different types of personal data for different periods of time. Personal data that is necessary for book keeping purposes – for example salary related information – may be kept for seven years. Normally, it is enough to keep only information about sick leave to fulfil this purpose. Information on an intranet that pinpoints a specific employee as having been infected by the coronavirus may of course not be stored as long. The employer must delete such information as soon as it is no longer necessary to fulfil the employer’s work environment obligations.
In conclusion, information that pinpoints a person as having been, or potentially having been, infected by the coronavirus has a relatively short expiration date and should normally be deleted when the person no longer risks infecting others.
Integrity and confidentiality
This principle expresses the need for personal data to be processed in a manner that ensures appropriate security of the personal data. Employers must also ensure that only those members of staff who need access to such information are granted access to personal data concerning employees and the coronavirus. Such employees could for example be the HR-department who have been given the task of preventing the spread of the coronavirus at work.
Information related to an employee’s health – such as information that an employee has been infected with the coronavirus – should not be sent via email. If the information is being sent to recipients outside the organisation, it should be encrypted. Avoid saving special categories of personal data locally. It is much harder to ensure GDPR compliance if personal data is too spread out. Instead, ensure that the information is collected in one place, for example on the intranet.
Legal grounds for processing personal data
In order for processing of personal data to be permitted, at least one of the legal grounds in article 6 of the GDPR must be applicable. Several of the legal grounds are applicable in regard to employers’ processing of personal related to the coronavirus. Personal data that concerns a data subject’s health – regardless of whether it is a question of confirmed or suspected infection or other health related information – may however not be processed based solely on the legal grounds in article 6 of the GDPR. In order for processing of health-related personal data to be permitted, one of the exceptions in article 9 of the GDPR must be applicable (see further under the section on health-related personal data below).
Consent is not a suitable legal ground as consent must be given freely by the data subject, which is rarely considered to be the case in employer-employee situations due to the position of dependency in which an employee finds him- or herself in relation to the employer.
Necessary for the performance of a contract (article 6.1 b) of the GDPR)
This legal ground can be applied in relation to, inter alia, the employer’s obligation to pay salaries.
Necessary for compliance with a legal obligation (article 6.1 c) of the GDPR)
This legal ground can be applied for an employer’s obligations in the field of employment. It may, for example, be relevant to process personal data in connection with assessing which employees may have been exposed to risk of being infected – in other words, a step in fulfilling the employer’s work environment obligations.
Necessary for the purpose of legitimate interests (article 6.1 f) GDPR)
This legal ground can be applied when exercising the employer’s rights within the managerial prerogative.
Processing of health-related personal data
If so called special categories of personal data, inter alia health related information, are processed, the processing must – in addition to a legal ground under article 6 of the GDPR – also be permitted by one of the exceptions to the prohibition on processing special categories of personal data under article 9 of the GDPR.
As the Swedish Data Protection Authority states in its guidance on the coronavirus and personal data, not all information related to the virus is health related personal data and accordingly does not belong to any special category of personal data:
- Information that an employee has been infected by the coronavirus is health-related personal data
- Information that an employee has been put in preventive quarantine is not health-related personal data
- Information that an employee has returned from a risk area is not health-related personal data
- Information that a person has been in contact with a specific person or has visited a certain travel destination is not health-related personal data.
Employers may typically be permitted to process health-related personal data due to the coronavirus because it is necessary to fulfil their obligations and exercising specific rights in the field of employment, social security and social protection law, in accordance with article 9.2 b) of the GDPR and chapter 3 section 2 of the Swedish Data Protection Act. In the case of processing health-related personal data related to the coronavirus, the exception from the prohibition on processing special categories of personal data is primarily motivated by the employer’s need to fulfil its work environment obligations and exercising its rights within the managerial prerogative. Employers’ processing of health-related personal data may also be permitted if it is necessary for the establishment, exercising or defence of legal claims, in accordance with article 9.2 f) of the GDPR.