On 23 September 2020, the CNIL published an article reminding employers of the conditions under which they can implement personal data processing for the purpose of fighting the spread of the COVID-19 virus.
The CNIL reminds employers and employees/agents of (i) their security obligations; (ii) the principles applicable to the processing of health data; (iii) the principles applicable to the most common practices (e.g., temperature readings, serological tests, questionnaires, business continuity plans, work reorganisation); and (iv) the recommendations of the health authorities.
The main points of these recommendations are as follows:
- Employees/public agents must report any contamination or suspected contamination if they are in contact with other people as part of their work (e.g., other employees, customers, etc.);
- Employers should only take general preventive measures and deal with employees’ contamination reports (without disseminating the information within the company);
- Except when dealing with employees’ reports and their consequences, the employer may not implement systematic processing of employees’ health data or take specific individual measures. Beyond that, it must rely on the competent health services, which alone can decide on a work interruption or on specific work conditions.
1. The employees/agents’ obligation to report to their employer
Each employee/agent must take care to preserve their own health and safety, but also those of the people with whom they may come into contact during their professional activity (article L.4122-1 of the French Labour Code).
In the context of the COVID-19 pandemic, an employee working in contact with other persons (e.g., colleagues and the public) must inform their employer of any contamination or suspected contamination whenever they may have exposed some of their colleagues or the public to the virus.
On the other hand, an employee who works in isolation without contact with colleagues or the public (e.g., remote working) does not have to pass this information on to their employer.
Thus, in the absence of endangerment of other persons, any resulting sick leave should be dealt with in accordance with the usual procedure for sick leave (i.e., no mention of the details of the illness).
2. The rights and obligations of employers
The obligation of security for their employees
Employers are responsible for the health and safety of their employees/agents.
This obligation entails the implementation of occupational risk prevention, information and training actions, as well as work organisation and resources adapted to work conditions (for more information, see the information notice as posted online by the Ministry of Labour (Directorate General of Labour – DGT)).
Conditions for processing health data
Employers must not carry out data processing operations that would disproportionately infringe on the privacy of the data subject. In particular, they should not collect health data that is not necessary for managing suspected exposure to the virus with a view to protecting employees and the public (cf. GDPR and Article 4121-1 of the Labour Code).
The CNIL recalls that the processing of health data may, in the context of work, take place on the following legal grounds:
- the necessity for the employer to process these data to meet its obligations in terms of labour law, social security, and social protection: this is the case for the processing of employees’ reports;
- the necessity for the health professional to process health data for preventive or occupational medicine, assessment of the worker’s working capacity, medical diagnostics, etc.
When processed, these data must be subject to strong security and confidentiality measures.
The obligation of information/transparency
Notifying people and social dialogue (also an obligation under labour law) is an essential component of health crisis management and helps to reassure those concerned. It is also a GDPR obligation to inform data subjects.
3. The data processing operations an employer can implement to combat COVID-19
In the context of the COVID-19 pandemic, the employer is entitled:
- to ask employees working in contact with other people to report to the employer or to the competent health authorities whether they are contaminated or suspect that they have been, for the sole purpose of enabling the employer to adapt working conditions;
- to promote modes of remote working and encourage the use of occupational medicine.
The only situation that requires the employer to take individual measures is when the employee themselves reports a potential exposure or may have exposed some of their colleagues or the public to the virus.
In this situation, the employer must take the first individual measures (e.g., remote working) while the employee concerned contacts a health professional, who is the only person competent to take action and to prescribe or renew sick leave (as mentioned above).
It is not up to the employer alone to systematically assess the level of individual risk of exposure to the COVID-19 virus.
If the employer wishes to go beyond their obligations, they must rely on competent health services, which alone are empowered to take individual measures specific to each employee (occupational medicine).
4. CNIL’s position on certain practices
Employers who would like to ensure the health status of their employees must rely on competent occupational health services.
Thus, employers may not themselves hold files relating to the body temperature of their employees or to some pathologies (“co-morbidities”) likely to constitute aggravating disorders in the event of a COVID-19 infection.
Processing employee reports
The employer may only collect the following information:
- the date;
- the identity of the person;
- the fact that the person has indicated that they are contaminated or suspect that they are; and
- the organisational measures implemented.
If necessary, the employer may communicate the information to the competent health authorities if the health or medical care of the exposed person is required.
Employers should keep the identity of the potentially infected person confidential and not communicate the information to the other employees. In practice, especially in small services/organisations, it will be difficult to hide the information. However, the employer or the person in charge of receiving this information must not disseminate it. In principle, the health organisation will help identify the potentially exposed contacts and invite them to take a test in priority.
Temperature readings at the entrance of the premises
Unless otherwise expressly provided for by specific law, employers are prohibited from creating files containing their employees’ body temperature data or from setting up automatic temperature capture tools (thermal cameras).
However, manual body temperature measurements at the entrance of a site that are neither recorded in a file nor transmitted to a third party are not subject to the GDPR provisions.
Nonetheless, the CNIL points out that the French High Council for Public Health recommends against body temperature measurement as a general measure; it should take place only in specific cases.
The CNIL also recalls that in the event of a suspected infection, the person concerned must contact a health professional (e.g., occupational health services, attending physician, emergency services, etc.), who alone can assess a person’s ability to work or to decide on their care.
Carrying out serological tests and questionnaires on health status
According to the French DGT, “employees’ screening campaigns organised by companies are not allowed”.
Only competent health personnel may collect, implement and access any medical forms or questionnaires containing employees’ health data or information relating, in particular, to their family situation, living conditions, or even their possible movements or vulnerabilities.
The same applies to medical, serological, or COVID-19 screening tests, the results of which are subject to medical secrecy.
Business Continuity Plans
A Business Continuity Plan aims to maintain the organisation’s core business in times of crisis. It consists of deciding on all measures needed to protect the safety of employees, identifying essential activities, and identifying the people needed for service continuity.
In this context, it is possible to hold a file containing the personal data necessary for drawing up and implementing the plan, provided the employer ensures the security of that data.