COVID data protection in the UK, Denmark, Italy and Mexico

Due to the outbreak of COVID-19, organisations are taking various preventive measures to prevent the spread of the virus. In the second of a series of articles, member firms of Ius Laboris, give a view from Sweden, the United Kingdom, Denmark, Italy and Mexico on the data protection implications for these measures

Sweden

The Swedish Data Protection Authority has published a recommendation and Q&As on its website. Any information regarding sickness or employee’s health should not be processed, unless necessary. If someone is infected, this should not be communicated to the employee’s colleagues, unless necessary according to employment law. The employee must be informed about any such communication beforehand. Any processing of personal data regarding temperature measurement, i.e. keeping records, is not, as a main rule, allowed.

United Kingdom

Given the intended ‘one-stop-shop’ nature of the GDPR, the principles underlying British advice are the same as EU jurisdictions. British employers can, therefore, rely on the fact that it is in their legitimate interests to process such data, and that processing of such data is necessary to comply with health and safety legislation. There is much less of a tradition of collectivisation in Britain, and so the need to consult with representative bodies is unlikely. The other difference is the pragmatism of the British supervisory authority:  the Information Commissioner’s Office has issued guidance setting out the importance of ensuring health and safety and reiterates that data protection will not prevent employers from taking proportionate matters to prevent the spread of COVID-19.

Italy

Lockdown just finished in Italy and employers are very preoccupied with taking all the possible measures to protect their business and employees. Measuring body temperature, forbidden at the beginning of the emergency, is now not only possible but also advisable. According to the Italian DPA, the temperature can only be recorded where it exceeds the limits. Many other measures are now being debated: medical tests on employees, surveys and tracking apps.

If the possibility for employers to impose medical tests on employees is the most controversial measure, surveys are certainly possible but only if the information requested is relevant: for example, an employee can be asked if (s)he has been in a risky area but not in which one.

The use of tracking app must be carefully evaluated, including in light of specific Italian legislation on remote monitoring, and depends on the kind of technology used.

Denmark

The Danish Data Protection Agency has stated that the question of what an employer can ask and what the employee is required to disclose must be answered under employment law and public/administrative law. The Danish DPA has stated that processing of information received from any permitted questioning may comply with data protection legislation. For example:

• If an employee is quarantined, the employer can take protective measures and inform the workforce/department of this (it should as far as possible refrain from mentioning names or other identifiable characteristics of the employee concerned).
• If an employee is off sick, the employer can disclose this (but should not disclose the cause of the sickness).

The general consensus on whether employers can require employees to be tested seems to be that this must be on a voluntary basis. This also applies to any use of tracing apps. If the employer needs to take protective measures, disclosure of information should be based on what is relevant and necessary. Employers should always restrict processing of actual personal data as far as possible, i.e. anonymise and not mention names or other information that can identify the employee (data minimisation).

Mexico

Under Mexican data protection regulations, individuals’ health data is sensitive data requiring enhanced protection. Generally, it is necessary to obtain the data subject’s explicit written consent before collection. However, in emergency situations that could harm an individual or his/her property or where personal data is necessary for the prevention, diagnosis and provision of medical care as in the COVID-19 context the requirement for consent may be lifted.

Obligations arising from collection of personal data during the COVID-19 pandemic:

• Process personal data relating to health from symptom detection or to take preventive or control measures only to the extent necessary and in a manner proportionate to the purpose.
• Provide a privacy notice, in compliance with Mexican law.
• Only collect information from those highly likely to have been infected.
• Safeguard personal data only for the time necessary to fulfill its purpose.
• Implement a compliant retention/deletion policy.
• Used trained personnel to collect personal health data, such as qualified health professionals.
• Adopt appropriate security measures taking into account the level of sensitivity of the information, against theft, unauthorised access and/or misuse.

Contributing authors and member firms to this article include Sofia Lysen of Swedish law firm, Elmzell Sean Illing of UK law firm, Lewis Silkin, Mauro Gallo of Italian law firm, Toffoletto De Luca Tamajo e Soci, Søren Terp Kristophersen of Danish law firm, Norrbom Vinding and Renata Bueron of Mexican law firm, Basham, Ringe y Correa, S.C.