Other actions that employers may consider to ensure the safety of their employees include awareness-raising measures, allowing an employee, under strict conditions, to notify his or her employer on a personal and individual basis that he or she may have been exposed to the virus, and facilitating teleworking, for example.
These actions most frequently involve processing of personal data that must be implemented in compliance with data protection rules.
Observing principles of the protection of personal data
The fundamental principles of data protection set out in Article 5 of the General Data Protection Regulation (GDPR) form a framework for asking the right questions before implementing any data processing. Considering the following questions will allow employers to correctly calibrate their plans for processing personal data and to identify where those plans diverge from their stated aims.
- Are the data that I have collected being processed in a legal, fair and transparent manner with regard to the data subject?
In the context of the coronavirus, the legal basis for processing may in certain cases be compliance with a legal obligation. For the processing of health data by an employer, this must be authorised by a specific legal text and not by a general provision, such as the employer's duty to ensure employee safety under Article L4121-1 of the Labour Code.
To meet the requirements for fairness and transparency, employees must also have been provided with access to specific information relating to the processing.
- Are the purposes for which I collect and process the data well-defined, explicit and legitimate? Will they be re-used for another purpose later?
It is not possible under data protection law to declare a broad purpose for collecting personal data in order to justify several potential types of processing at a later date. One type of processing corresponds to one purpose. All the more attention is required because certain processing implemented in connection with the pandemic may involve sensitive data. The purpose of the processing must be stated as precisely as possible.
Processing that should only be carried out by a health professional cannot be undertaken by an employer instead, as this would represent an illegitimate purpose for processing and be illegal.
If the data must be re-used for a later purpose that is different from the initial purpose, then the employees must be informed of this later purpose.
- Is my data collection limited strictly to the data necessary with regard to the purposes for which they are processed?
Not all personal data that can be collected may be collected.
Once the purpose of the collection is defined, explicit and legitimate, employers must ask themselves what data are absolutely necessary in order to fulfil the initial purpose.
- Are the data accurate? Can I update them if necessary?
The data must be accurate. For this reason it is best to collect the data directly from the data subjects; here, the employees. Data subjects possess a right to rectification, so it is advisable to allow them to be able to directly update their data themselves.
- Is the retention period for the data strictly limited to what is necessary with regard to the purposes for which the data are processed?
The GDPR sets a general principle of limitation of retention of the data which provides employers with flexibility to determine the duration. However, data retention policies must be justified. In the current circumstances, for instance, it is likely to be justified to retain data until the official end of the health crisis. The subsequent archiving of the data, under certain conditions, may also be justified to avoid its definitive erasure.
- Are the data processed in such a way as to guarantee appropriate security?
The more sensitive the data, the stronger the security measures the data controller must apply. Data potentially connected with a person's health is special category data, to which particular attention must be given, especially in relation to data security.
Transparency by providing information to employees
The obligations on transparency still apply in a crisis, and perhaps take on even greater importance in such circumstances. Employers must not be tempted to disregard their duty to provide data subjects with an information notice about intended data processing before the processing is implemented. The more transparent the employer is, the better placed the employee will be to understand and comply.
A list of the information to be provided to the employees is set out in Articles 13 and 14 of the GDPR, which respectively concern cases where data is collected directly from employees and cases where it is indirectly collected.
This transparency principle is also present in the Labour Code, which states that "no information concerning an employee personally may be collected by a mechanism that was not previously brought to his/her attention". The Code also provides that the Economic and Social Committee must be informed and consulted particularly concerning issues relating to the introduction of new technologies or any significant change in the health and safety conditions or the labour conditions.
These rules mean that no processing may go ahead unless the Personnel Representative Bodies (IRP) have been consulted in advance.
To accord with the principle of accountability, employers should ensure that they can prove they have provided this information to employees.
Proportionality and data protection impact assessments
As with any implementation of personal data processing, the principle of proportionality must apply and the principle of least harm must prevail.