FAQ – CORONAVIRUS AND DATA PROTECTION
Summary of frequently asked questions in the context of the coronavirus outbreak
by Brigitte Münch, March 2020
The spread of the virus SARS-CoV-2 (“coronavirus”) in Europe and globally is challenging for governments, media, companies and citizens and is leading to many uncertainties. Given that people all over the world have been infected with the coronavirus in a very short time frame and the infection rate is very high, companies and citizens need to react in a timely fashion and implement measures to reduce the risk of being infected. Despite the extraordinary situation, the principles of data protection should be taken into account by your company when implementing appropriate measures to fight against the spread of the coronavirus. Given that your organization needs to think of steps for the protection of your employees, it may be necessary to process health data for additional purposes (e.g. the identification of possibly infected people). Health data is a special category of data, which is specifically protected by law, thus the fulfillment of specific legal obligations for the processing of such data is required. To support your company in complying with data protection regulations in the context of handling the coronavirus situation as well, this document summarizes the most frequently asked questions and answers with regard to data protection.
2. FAQ – EMPLOYERS
2.1. Do I have to report a potential infection of an employee to the authorities?
As of today, only doctors and hospitals need to report identified infected patients to the authorities, following a reporting obligation. Therefore, there is no need for your company as employer to report a “suspicious case” to the authorities, and from a data protection perspective, this may constitute a transfer of health data without legal basis, i.e. a breach of data protection laws. Given the reporting obligation for doctors and hospitals, there is therefore no compelling reason for you to act.
2.2. Do I have to inform the company staff about an infected employee in the company?
The employer has a duty of care towards its own employees. This may result in an obligation to inform the staff of a suspicious case. However, please bear in mind that informing staff about a possible infection of a colleague with the coronavirus constitutes a disclosure of health data. This is not permitted without a specific legal ground, which can be:
- the explicit and informed consent of the affected person, which needs to be voluntary, i.e. without any consequences to the employment relationship;
- a necessity for reasons of substantial public interest in the area of public health;
- the need to protect the vital interests of the data subject.
In any case, you must exhaustively inform the employee about the intended disclosure and further processing. Such information shall include the recipients of the data. We strongly recommend that you obtain documented consent from your employee to allow the processing of health data. Strictly limit the access to the data to colleagues who have a need to know; access to anyone outside the direct reporting line and HR should be restricted. If such access is necessary by way of exception, the de-identification of data should be applied whenever possible. For a transfer of data outside the direct line and HR, you need to collect the consent of the individual, and the individual needs to be informed in a transparent way.
In general, the processes usually set up for the handling of sickness cases within your company should comply with data privacy requirements and thus be followed. For the protection of colleagues who have been in contact with a coronavirus-infected individual, providing information on a de-identified basis should be the default.
A disclosure of the name of the infected employee is only possible in an absolutely exceptional case, e.g. when the employee is not able to provide the consent, because he/she is not available or cannot give his/her consent even after repeated attempts of contact, and the protection of the staff cannot be ensured in any other way.
Again, following data protection laws, the name of the person shall not be disclosed, but the de-identification of data should be the default.
2.3. Do I have to identify and inform contacts of an infected employee?
No. If you have made the staff in your company aware of the possibility that a colleague may have contracted the virus, you have fulfilled your employer’s duty towards the employees. A company does not have an obligation to collect further data to identify who has been in contact with whom. If you decide to inform further colleagues, please follow the principles of data minimisation and apply the de-identification as stated above.
2.4. Am I allowed to ask the company staff about a (possible) infection?
Unless your company is subject to a specific legal obligation, you are not allowed to ask this question openly as the health of employees is their private matter. This means that you are violating data privacy laws if you ask your employee(s) this question, and the employee is not obliged to answer it correctly.
You can, however, appeal to your employees’ social responsibility and ask if the employee has travelled to a high-risk area during the last weeks. Of course, the answer to this question in itself does not allow any conclusion to be drawn about the employee’s state of health. However, you as an employer may want to take appropriate safety measures when the employee was staying in a high-risk area, such as releasing him/her from work until further notice or asking him/her to work from home, if possible.
2.5. Do I have to inform business partners about a (possible) infection within my company?
Data protection regulations do not oblige you to provide any information to your business partners. A legal obligation to provide such information is only applicable for doctors, hospitals and comparable medical professions. However, if there is a risk of infection, an obligation to inform may arise from the general obligations of care between contractual partners.
If you inform your business partners about a suspicious case, please note that the name of the possibly infected person shall not be mentioned, but the same principles as for the information of company staff need to be followed (see above 2.2).
3. FAQ – EMPLOYEES
3.1. Do I need to inform my employer about a (possible) infection with the coronavirus and/or answer his questions about a (possible) infection?
You only have to inform your employer truthfully in cases where you or your employer are subject to a corresponding statutory duty (e.g. for doctors/staff of hospitals or in the hospitality/catering sector). Otherwise you do not have to proactively provide information or answer a question about a (possible) infection. In case you are asked, your employer should inform you of the specific duty.
In case you are sick, it is therefore sufficient for you to inform your employer of your inability to work due to illness, as you would usually do by means of a sick note.
However, in this specific situation of the spread of the coronavirus and for the protection of colleagues and customers, you may want to consider informing your employer about a (possible) infection. Such information should follow the usual processes, i.e. you should inform your direct line manager and/or responsible HR representative. Any further information of other colleagues is subject to your voluntary consent.
3.2. Do I have to tell my employer that I have been in a high risk area during the last weeks?
You do not have an obligation to inform your employer; however, you are free to give this information to your direct line manager and/or HR in the interest of colleagues, vendors and customers.
3.3. Where do I have to report a (possible) infection?
The information about a possible infection should follow the usual processes in case of sickness, i.e. you should inform your direct line manager and/or responsible HR representative. The information you give to your employer is health data, which is specifically protected by law. This also means that any further information of other colleagues outside your direct reporting line and HR is subject to your – voluntary – consent. Your employer needs to inform you in detail about the use of and access to your health data. If you do not consent to your health data being transferred outside your direct reporting line and HR, your employer is not entitled to impose any negative consequences on your employment relationship, and access to such data needs to be restricted as in any other case of sickness.