In these exceptional times, many companies are being forced to close or operate on an almost exclusively teleworking basis. However, in some cases, particularly in critical areas, employees are still allowed to visit their workplace.
Faced with this situation, the employers concerned will have to achieve a delicate balancing act between their legal obligation to safeguard the health of their employees and the applicable rules on the protection of privacy.
The employer’s obligation to take care of the health and safety of its workers is based on Article 20 (2) of the Belgian law of 3 July 1978. Under this provision, the employer must “ensure, as a good father, that the work is carried out under conditions suitable from the point of view of the safety and health of the worker”. A similar obligation is established by Article L.312-1 of the Luxembourg Labour Code (“The employer is obliged to ensure the safety and health of employees in all work-related aspects”).
The measures envisaged or necessary in this respect could involve the processing or even sharing of personal data relating to employees. Various questions may arise in this regard.
First of all, it should be recalled that data relating to the health of an individual constitute particularly sensitive data and that the General Data Protection Regulations (“GDPR”) prohibit in principle the processing of such data, while allowing for certain exceptions, such as:
Being able to rely on one of these exceptions will not exempt the employer from complying with the rest of the rules contained in the GDPR, such as the principles of purpose limitation, data minimisation, prior information of data subjects or confidentiality.
With these principles in mind, let’s look at some of the practical questions that employers may have to ask themselves.
1. As an employer, can I systematically monitor the health of my employees?
Can the employer monitor the temperature of all employees on a daily basis or require them to complete a medical questionnaire?
Although the Belgian Data Protection Authority (“DPA”) has taken the position that “the mere taking of temperature [if] not accompanied by the recording or processing of personal data” does not constitute a processing of personal data, caution is called for. Indeed, it is likely to be difficult to set up such controls in a useful way without recording/collecting personal data (even if such recording would be limited to employees with fever): otherwise, how can one justify any distancing measures that would be taken against an employee on this basis?
In this respect, it therefore seems more reasonable to us to endorse the recommendations of the French (Commission Nationale de l’Informatique et des Libertés (“CNIL”)) and Luxembourg (Commission Nationale pour la Protection des Données (“CNPD”)) data protection authorities, which do not envisage monitoring without data processing/collection and are more categorical in their view that “employers must refrain from collecting in a systematic and generalised manner […] information relating to the search for possible symptoms presented by an employee” .
Such treatment is indeed problematic in terms of the principles of necessity and proportionality: it appears that many carriers of Covid-19 are in fact asymptomatic , so that this particularly invasive measure in terms of privacy is not particularly effective in identifying cases of contamination.
It is therefore recommended that priority be given to awareness-raising measures for employees, inviting them to report any relevant information (travel abroad, symptoms, contact with an infected person) to their employer and/or their doctor.
2. Do employees have an obligation to inform their employer of potential contamination?
Article 17 (4) of the Belgian law of 3 July 1978 on employment contracts emphasises that the employee has the obligation “to refrain from doing anything that could be detrimental either to his own safety or to that of his companions, the employer or third parties“. A similar provision is contained in Article L.313-1 of the Luxembourg Labour Code, according to which it is incumbent on each employee to “take care, according to the possibilities open to him, of his own safety and health and that of the other persons concerned” and to “immediately report to the employer […] any work situation of which he [has] reasonable grounds for believing that it presents a serious and immediate danger to safety and health”.
In the light of this provision, it may be considered that employees have an obligation to inform their employer of any situation that may lead to a suspicion of contact with the virus and/or contamination, in order to enable their employer to take the necessary measures to protect other employees.
3. Can I share the identity of an employee (suspected of being) contaminated?
Under normal circumstances, data relating to an employee’s health is strictly confidential. Thus, for example, the employer will never know the reason why a medical certificate is granted to one of its employees.
The confidentiality of personal data in general and medical data in particular is also enshrined in Articles 5.1 f) and 32.1 b) of the GDPR, according to which the processing manager must put in place security measures appropriate to the risk represented by the data processed.
In the particular case of a highly contagious disease, the principles set out above must, however, be reassessed taking into account the purpose of the treatment and the employer’s obligations in terms of prevention. The disclosure of data will have to take into account the principles of necessity and proportionality in relation to the purpose pursued.
Thus, the employer will have to consider whether, in relation to the specific context of its company, it is imperative to disclose to other workers the identity of a person (suspected of being) contaminated, or whether the information of a case of contamination is sufficient. The employer will therefore have to assess the necessity and proportionality of such a measure in relation to the objective of protecting other workers: is it possible to identify and warn workers who have been in contact with that person without disclosing their name? Is it possible to take the necessary disinfection measures?
Data protection authorities (among others the Belgian and UK autorithies) are of the opinion that in most cases it will not be necessary to disclose the precise identity of the data subject. In practice, however, it must also be borne in mind that it will not always be possible to avoid indirectly revealing such information, for example in a small business where only one employee would be absent and disinfection measures would have to be taken.