Data protection and Covid test results

Data has become a key factor for any organisation. The ability to process it to build value is fundamental to increase the effectiveness and efficiency of decision making.

Facing the severe public health emergency of the coronavirus pandemic, EU companies prepared and implemented immediate measures in order to mitigate the social and economic impact of the outbreak. One of these measures was PCR testing to identify the presence of the virus, together with the so-called “rapid tests” to identify the immune response, i.e. the presence of antibodies in the blood.

Other measures followed, such as requesting information from workers about their professional and personal movements and trips in the preceding days, making enquiries about place of residence and domicile, and even analysing this information in order to take specific measures in relation to particular individuals.

Even if taken “for our sake”, these measures may raise doubts regarding the balance between people’s privacy and the fight against this pandemic.

It is true that the existing situation falls squarely within the realm of exceptionality or emergency, and that public health and the general interest take precedence over individual rights in extreme situations of this kind. However, the loss of citizens’ right to data protection cannot be categorically and absolutely justified.

‘Data protection regulation cannot be an obstacle to the management of an emergency, but basic principles must be respected in the processing of sensitive data’, as the Spanish Data Protection Agency (hereinafter, SDPA) has pointed out.

It should be noted that personal data concerning an individual’s state of health is a special category of data (Article 9 of Regulation (EU) 2016/679, hereinafter GDPR). However, its processing may be legitimate in certain circumstances, such as the need to fulfil obligations for the prevention and protection of health in the field of employment relations (Article 9.2.b of the GDPR), the protection of the vital interests of the data subject or of other persons (Article 9.2.c of the GDPR), or the protection of essential public interests (Article 9.2.g and i of the GDPR).

Notwithstanding the above, it will always be necessary to comply with the basic principles of proportionality, purpose limitation and, above all, minimisation.

Consequently, companies have the right to carry out health tests on their workers as a preventive measure. Moreover, under Spanish law, for example, they are obliged to do so by Article 14 of the Spanish Law on the Prevention of Occupational Risks, whereby the employer must guarantee the safety and health of workers, as well as by Article 22, which also requires the employer to ‘verify whether the employee’s state of health may constitute a danger to himself, to other colleagues or to other persons connected with the company’.

On this basis, an employee’s non-compliance with occupational risk prevention requirements is legally considered a labour infringement, which could ultimately be sanctioned by the employer.

But once the test has been conducted, what happens to that data?

As stated by the European Data Protection Supervisor (hereinafter, EDPS), as well as national data protection agencies, including the SDPA, the personal data of any infected employee must be processed in accordance with the principles and guarantees set out in the applicable data protection regulations, and in particular guaranteeing the security, integrity and confidentiality of the information processed, and limiting the processing to the strict pursuit of the above mentioned purpose.

In practice, this can be done by limiting the disclosure of such data to the areas involved in business continuity (head of department, key HR staff), deleting the information once it is no longer useful or, where possible, anonymising it. Moreover, the data collected should be limited to what the purpose requires, i.e. knowing whether the employee is affected or not.

Secondly, how long should the company keep this data?

Regarding the retention periods to be observed by the company, it is necessary to comply with the principles of data minimisation and accuracy, i.e. to ensure, as far as possible, that the data are limited to what is necessary in relation to the purposes for which they are processed, that they are accurate and, where necessary, kept up to date. In accordance with the SDPA’s pronouncement, and taking into consideration that personal health information collected from employees changes over time, nothing justifies its retention beyond the period during which the employer must conduct the relevant research to mitigate the effects of the spread of the virus within its company.

There is no doubt that, even in this sphere of uncertainty and health emergency, it is necessary to carefully analyse how the measures adopted affect the privacy of individuals, and that in no case do they justify the loss of these rights.