“Public health is paramount: prevention and the right to privacy are not incompatible”, says the Belgian Data Protection Authority (DPA) in its guidelines as regards the processing of health data in the workplace during the current pandemic. However, the leitmotiv of the DPA is clear : we must stick to the general rules!
Any personal data processing activity must be based on one of the grounds of legitimacy provided by article 6 of the GDPR. For the DPA, there is no justification for a more extensive or systematic application of the basis of legitimacy set out in Article 6(1)(d) of the GDPR (“processing necessary to safeguard the vital interests of the data subject or of another natural person”) in the context of the taking of preventive health measures by undertakings and employers. The processing of health data remains prohibited, unless employers act pursuant to explicit instructions imposed by the authorities (Article 9(2)(i) of the GDPR).
The general principles fully apply as well (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability).
The DPA stresses also that the assessment of health risks should only be carried out by the occupational physician (médecin du travail/bedrijfsarts) who is competent to detect infections and to inform the employer and the persons who have been in contact with the infected person.
In general, an employer may not take measures that go beyond the scope of existing labour law or instructions from the competent authorities.
The DPA clarifies also what follows:
- The simple taking of temperature is not a personal data processing activity, if such temperature taking is not accompanied by the recording or processing of personal data. However, it is the responsibility of the occupational physician to follow up on persons who are suspected by the employer to have been exposed to COVID 19 and/or to show symptoms. (As explained in a previous news, a medical action taken within the frame of employment can indeed only be performed by an occupational doctor : the law prohibits an employer to perform such examination.)
- Employers cannot force their workers to fill in medical questionnaires or questionnaires relating to their recent travels. Employers can however encourage their employees to report spontaneously any symptoms.
- An employer cannot freely reveal the names of infected employees. However, with a view to preventing the spread of the virus, the employer may inform other workers of a contamination, without mentioning the identity of the data subject. (Applying the proportionality test, the DPA deems that in most cases, it is not necessary to reveal the name of the person concerned, and this is not desirable as this could result in the stigmatization of the person). Furthermore, the name of the infected person may be communicated to the occupational physician or the competent authorities.