The global outbreak of the coronavirus has brought challenges on several levels. Organisations need to take actions in order to comply with government measures and to protect their workforce. Such action often entails privacy intrusive measures such as keeping health records and information about the possible contact with infected individuals outside the workplace.

Due to the current situation with the coronavirus, this processing of personal data is in many ways necessary and the GDPR does not prohibit such necessary data processing. However, data controllers need to ensure that such processing is done in accordance with the principles in the GDPR and that the rights and freedoms of individuals are not compromised.

National guidance

The Swedish Data Protection Authority (the “DPA”) has provided some guidance on The Corona virus and personal data. In short, the DPA concludes that:

• Information that someone is infected with coronavirus is personal data concerning health.
• Information that an employee has returned from a so-called risk area is not considered as personal data concerning health.
• Information that someone is in ”quarantine” (meaning that for reasons of precaution they are staying home) is not considered personal data concerning health, unless it contains more detailed information about the cause.
• Information that someone has been quarantined according to the Communicable Diseases Act (Sw. smittskyddslagen) is on the other hand probably to be considered as personal data concerning health.

What is personal data concerning health

Personal data concerning health refers to all personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status. In this regard, for example information that someone has been infected by the coronavirus, general information that someone is ill, that their children are ill or any similar information will be considered personal data concerning health.

There are special rules regarding the processing of personal data concerning health

Personal data concerning health is a special category of personal data (so-called “sensitive personal data”) under the GDPR. Processing of sensitive personal data is prohibited unless an exemption applies. There are a number of exemptions under Article 9 of the GDPR, for example if an individual has provided its explicit consent to the processing, if the processing is necessary to protect vital interests of the individual or other individuals or if the processing is necessary for reasons of a substantial public interest.

Under the GDPR, Member States may introduce further conditions, including limitations, with regard to the processing of data concerning health. Such further conditions have been issued in Sweden under the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (Sw. dataskyddslagen), which allows for the processing of sensitive data if it is necessary for the organisation in order to be able to fulfil its obligations and exercise its special rights under labour law.

Specific aspects to consider when processing personal data concerning health

Below we have listed a number of aspects that should be considered in relation to processing of personal data based on the coronavirus situation, for example in the perspective of an employer as a data controller.

• Protect the privacy of infected employees – As an employer, you must take all measures necessary to prevent employees being exposed to illness. Normally, it should be possible to inform the employees who need the information without mentioning the name of the colleague who may have been infected. Only in exceptional cases should it be necessary to talk about who the infected is. If the employer deems it necessary, due to for example obligations in labour law, to reveal who is infected, the employee in question must be informed in advance. In addition to the data protection rules, there are rules on confidentiality that can affect what information about employee illness an employer may disclose.
• Ensure that you have a legal basis under the GDPR for the processing – All processing of personal data must have a legal basis, whether it is personal health data or not. For example, employers have several legal obligations related to contagion under the Swedish Communicable Diseases Act and work environment regulations (see for example AFS 2001:1 and AFS 2018:4) and personal data may need to be processed to fulfil these legal obligations. Further, the processing of personal data may be necessary for compliance with the employment contract, for example to keep records of absence/sick leave for salary calculations and social security matters. No matter which legal basis is applicable, it is important to make sure that personal data processed for a specific purpose
  is processed solely for this purpose and not used for any other secondary purposes.
• Keep track of your purposes – As always, the personal data should not be used or further processed for purposes that are incompatible with those purposes the data was originally collected for. Hence, it is important to identify for which specified, explicit and legitimate purposes the personal data was originally collected.
• Be transparent – The data subjects whose personal data is being processed must be provided with information about the processing. If you are an employer, you must ensure that information about the processing in question is included in the privacy notice to the employees. Due to the unusualness of this situation, it is not unlikely that your privacy notice doesn’t cover this processing of personal health data. In such case, specific information needs to be provided to the data subjects. Make sure to specify all required aspects such as the purpose with the processing, legal basis, recipients and retention period. This information should be provided to the individuals prior to commencing the data processing activity. Don’t forget to check also what categories of data subjects that are actually involved, as this unusual situation may entail that you start processing information relating to other data subjects than usual.
• Do not ask for more information than needed – To ensure that you comply with the principle of data minimisation, meaning that no more personal data than what is necessary to achieve the purpose should be processed. If the purpose is for example compliance with your legal obligations as an employer in relation to the coronavirus, you may only process personal data that is necessary for this purpose. Ensure that you do not process excess information about for example someone’s symptoms, how long they have been ill, if their family is ill and similar unless this information for some reason would be necessary.
• Perform a DPIA – Due to the sensitive character of the personal data and the fact that it in many cases covers a large number of data subjects (for example the employees), it is likely that a data protection impact assessment
  is required. In the case you assess that it is not required under Article 35 of the GDPR, we still recommend that you conduct an impact assessment anyway to get a clear overview of the risks and if the mitigating measures you have in place are sufficient to minimise the risks or if you need to take further steps in order to mitigate the risk.
• Protect the information – Make sure that the personal data is protected by sufficient technical and organizational security measures. This aspect is crucial, especially in relation to special categories of personal data such as health data. For example, documents where health data is processed should be protected by passwords, the information should be stored on secure servers, there should be secure routines for sharing of documents (no sharing through e-mails etc.), pseudonymisation and encryption of the information and physical access restrictions.
• Limit which individuals that have access to the data – Another important aspect is access limitation. Make sure that the group of individuals that have access to documentation about for example infected employees is limited to what is absolutely necessary.
• Make sure to delete the information as soon as you do not need it anymore – The retention period for this kind of information, for example information about employees infected by the coronavirus, should naturally be very limited. If the purpose with the processing is for example fulfilment of your legal obligations under the Swedish Communicable Diseases Act, you may only process the information during the time it is necessary for such fulfilment, also to make sure the information is deleted promptly afterwards.

Q&A’s from the DPA

As an employer, can I inform employees that a colleague may have been infected by the corona virus?

As an employer, you must take all measures necessary to prevent employees being exposed to illness. Normally, it should be possible to inform the employees who need the information without mentioning the name of the colleague who may have been infected. Only in exceptional cases should it be necessary to talk about who the infected is.

If the employer deems it necessary, due to for example obligations in labour law, to reveal who is infected, the employee in question must be informed in advance. The employer should also take measures to protect the employee’s integrity. As always, you should not register or disclose more information than is necessary to achieve the purpose. In addition to the data protection rules, there are rules on confidentiality and confidentiality that can affect what information about employee illness an employer may disclose.

Can we spread the information that an employee works from home after being abroad or in a risk area?

It is permissible to inform internally that an employee is working from home and how the employee can be reached. However, the DPA recommends that you as an employer do not state the cause. When it comes to informing people outside the organization, the employer should carefully consider who needs to get the information and not indicate the reason.

If an employee works from home, the employer should, in consultation with the employee, decide how contact information can be communicated to outsiders in a privacy-friendly manner.

What should we respond to someone external looking for an employee who is not in service because of the corona virus?

The message to externals who want to contact an employee who is infected and quarantined should in principle be that the employee in question is absent or unavailable.

Can we collect contact information about ICE contacts from our employees?

Both employers and employees often have an interest in allowing the employer to contact a someone close to the employee in the event of an accident or illness during working hours. The DPA considers that for this purpose the employer may process information about ICE-contacts based on a legitimate interest.

Keep an eye on our website where we will post more comments on the topic.

———————————-

This information should neither be considered exhaustive nor advisory. Please do not hesitate to contact us if you have further questions or concerns regarding the processing of personal data and the coronavirus.