EU DPAs Issue Green and Red Lights for Processing Health Data During the COVID-19 Epidemic


As Europe is grappling with an exponential increase in COVID-19 cases, some European Data Protection Authorities issued public interest guidance on the limits of collecting, sharing and using personal data relating to health in these exceptional circumstances. Particular areas of concern are related to the breadth of measures that employers can legally take to monitor the health of their employees, as well as the collection of health data by government agencies. Overall, regulators highlight that data protection law is by no means a barrier to public health, but advise organizations against “systematic and generalized” monitoring and collection of data related to the health of their employees outside official requests and measures of public health authorities.

Background: the GDPR refers to “monitoring epidemics and their spread”

The GDPR sets out several avenues to process personal data when the vital interests of individuals are concerned or for important grounds of public interest. Recital 46 specifically refers to the lawfulness of some types of processing that serve these two goals, “including for monitoring epidemics and their spread”. There are provisions in both Article 6 GDPR (the general lawful grounds for processing personal data) and Article 9 (the prohibition on processing sensitive data and the exceptional circumstances in which they can be processed) that allow for collection, use and necessary sharing of personal data related to health in the context of an epidemic.

For example, “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” are specifically mentioned as a permissible use of sensitive data, including data related to health, under Article 9(2)(i) GDPR, if provided by Union or Member State law. At the same time, Recital 52 specifically refers to derogations from the prohibition on processing sensitive data justified for “monitoring and alert purposes” and “the prevention or control of communicable diseases and other serious threats to health”.

Garante: Systematic and generalized collection of health data by employers, discouraged

Italy has been by far the country most impacted by the COVID-19 epidemic in Europe to date, with the government yesterday taking the unprecedented measure of closing the entire country. The Italian data protection supervisory authority, the Garante, highlighted in early guidance issued last week that public health authorities are the organizations mandated to collect and manage data about health related to the virus’ spread.

“Preventing the spread of Coronavirus is an objective to be pursued by entities that are tasked with discharging this mission in a professional manner. The investigation into and collection of information on the symptoms typical of Coronavirus and on the recent movements of each individual are the responsibility of healthcare professionals and the civil protection system, which are the entities tasked with ensuring compliance with the public health rules that were recently adopted”, wrote the Garante. 

Therefore, the key recommendation made by the Italian DPA was for employers to “refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to individual workers or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside of the work environment”. The Garante recalled that employees are under an obligation to inform their employer of any danger to health and safety at the workplace and encouraged employers to set up specific channels of communication related to this type of information.

The Garante called on all controllers to “comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the Coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers”.

Yesterday evening, the Italian Government published a Decree in the Official Journal (No 14/2020) to create a special legal framework for collecting and sharing personal data related to health by public health authorities and by private companies that are part of the national health system for the duration of the state of emergency related to COVID-19.

Irish DPC: Requesting information about recent travel and symptoms of employees and visitors, potentially justified 

The Irish Data Protection Commissioner clarified from the outset in her guidance that “data protection law does not stand in the way of the provision of healthcare and the management of public health issues”. But at the same time “there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data”. Not only does the processing need to be necessary and proportionate, but it also “needs to be informed by the guidance and/or directions of public health authorities, or other relevant authorities.”

The DPC highlights particularly relevant aspects for compliance, such as transparency about the measures taken, in-house confidentiality in handling information about possible infections with COVID-19 of specific employees, ensuring appropriate data security, processing the minimum amount of personal data to achieve the purpose of implementing measures to prevent or contain the spread of the virus, as well as keeping track of all decisions made with regard to collection of such data and safeguards implemented, as part of accountability obligations.

The Guidance also has a Q&A section that addresses specific scenarios brought up by organizations in their communication with the DPC. For example, can an employer require all staff and visitors to the building to fill out a questionnaire requesting information on their recent travel history concerning countries affected by the virus, and medical information such as temperature? Considering that under Irish law employers also have a legal obligation to protect the health of their employees and maintain a safe place of work, on top of the justifications specific to data protection law mentioned above, “employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”. If such information were gathered via questionnaires, this would need to have a justification based on necessity and proportionality, taking into account any directions and guidance of public health authorities.

The CNIL: Collection of medical files or questionnaires from all employees, likely not justified

The French supervisory authority, the CNIL, reminded organizations that personal data related to health enjoys stronger protections under the GDPR due to its sensitivity. The brief guidance issued on March 6 focused on what employers can do and what they cannot do in relation to data about the health status of their employees. As a rule, any exceptional processing of personal data caused by the epidemic should not go beyond what is necessary for the management of suspected exposure to the virus, especially considering that the Code of Public Health is also applicable to this situation.

On the blacklist of processing activities, the CNIL specifies that “employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee and their relatives”. The CNIL gives examples of unlawful processing:

  • Mandatory measurement of temperature of each employee and visitor to be sent daily to their hierarchy;
  • The collection of medical files or questionnaires from all employees.

Admittedly, the questionnaires in this recommendation may refer strictly to the collection of information related to employees’ overall health and not to their recent travel, but this would need to be further clarified.

The CNIL also offers examples of actions that employers can implement lawfully:

  • Training employees to individually disclose information related to possible exposure to the virus to the employer or to the competent health authorities;
  • Setting up dedicated channels to receive this type of information;
  • Promoting work from home solutions;
  • In the event of a report about possible exposure, “the employer can record the date and identity of the person suspected of having been exposed; the organizational measures taken (confinement, teleworking, orientation and contact with the occupational doctor, etc.).”
  • Health authorities can collect data related to health in the context of COVID-19’s spread, given that “the assessment and collection of information relating to the symptoms of coronavirus and information on the recent movements of certain persons is the responsibility of these public authorities”.

Importantly, the CNIL also mentions that employees have an obligation under the Labor Code to preserve, by all means possible, the health and safety of others and of themselves, which means that “they must inform their employer in the event of suspected contact with the virus”.