Coronavirus at the workplace – pandemic plan and GDPR
The special legal order, state of emergency, has been declared in Hungary because of the coronavirus. The state of emergency does not affect the employment relationships directly, however, that does not mean that employers have no responsibility in the protection against the coronavirus and its impacts.
In the followings we would like to summarize in general the most important aspects of the preparation to be made by the employers and its data protection relations (the latter has been prepared in accordance with the informative published by the Hungarian Data Protection Authority (NAIH) on 10 March, 2020).
A pandemic occurs over a wide geographic area (for example in a country or in a whole continent).
The essence of the plan is to ensure that the employer/ the company can operate during the pandemic, in the given circumstances, undisturbed and continuously, it also aims to reduce the effects of the epidemic as effectively as possible. The advantages of the preparation are that the management of the company sees the challenging tasks clearly and can concentrate on the solutions.
The most important elements of a pandemic plan are the followings:
– to appoint a person that is responsible for the epidemiological tasks;
– to assess the relevant circumstances of the business partners and to take care of alternative sources of supply if necessary;
– to assess the possible impacts of the epidemic on the demand of the company’s products and services and on the financial processes;
– to prepare a specific plan to ensure the continuity of the business;
– to facilitate telework and flexible work schedule as much as it is possible;
– the holiday scheduling policy (and the sick-leave policy) need to be reviewed (with regard the possible illnesses, traffic restrictions, school closures etc.);
– the company needs to determine those persons whose work is essential for the operation of the organization and cannot remain without a substitute;
– the business and the business events (client meetings, business trips) need to be rescheduled;
– the employees need to be informed about the pandemic plan in due time, and the plan should be based on the consensus of the affected;
– hygiene rules must be complied with and enforced;
– the employees need to be informed about the most important information on the epidemic (transmission, incubation time, symptoms, contact person),
the hygiene rules and the measures taken;
– to prepare a specific plan for crisis communication.
Data protection relations – employees
It is inevitable for the employers to collect, process, and therefore manage personal data (moreover personal data concerning health which qualifies as a special personal data) of the employees during the protective measures taken against the coronavirus.
Such data management shall be also in line with the data management principles (especially in line with the principle of accountability).
The first question to be considered is that whether there is an option that does not require management of personal data and consequently requires less risk of interference to the private sphere of the data subjects. There is such an option for example more thorough cleaning of the work tools, offices, providing sanitizers, and enforcing the use of them, however, it is questionable whether it is enough.
As the employer is obliged to provide the conditions of safe and healthy work (which also requires personal data management) therefor it is certain that the aforementioned measures are not sufficient without further measures which means the management of personal data seems inevitable. (Most certainly, the employer shall take into consideration the principle of data minimisation, which means that the personal data management shall be adequate relevant limited to what is necessary in relation to the purposes of the management.)
Accordingly, the purpose and the legal basis of the data processing shall be determined (which can be in such case the ‘legitimate interest’) and a data management informative shall be published in accordance with the provisions of GDPR. If the legitimate interest is the legal basis for the management of personal data, the interest balancing test shall be performed.
If the employer learns that an employee is under the risk of being infected (either from such employer’s notice or from the data requested from such employee) the employer shall be entitled to record for example the date when such information come to light, data necessary to establish identity of such employee, the place and date of the travels (even private travels) on which such employee participated.
The data protection authority considers that getting the employees to fill in questionnaires is an acceptable practice if the employer considers this as necessary and proportionally on the basis of a preliminary risk assessment. However, such questionnaires shall not contain questions concerning medical history of the data subject, and employers shall not request the data subjects to provide their health documentation to the employer.
The NAIH does not considers that the application of medical tests by means of any device (for example thermometer) as a proportional measure taking into consideration that collecting and assessing information on the symptoms of coronavirus and drawing conclusions from such information falls within the authority of health professionals and authorities. Therefore, if the employer considers such tests as necessary, then these need to be performed by health professionals in line with the applicable professional standards and the employer may only be entitled to receive information exclusively about the outcome of such tests.
Data management relations – third persons beside employees
The preliminary assessment of the data protection risks of the applied measures and the establishment of the communication channels providing information to the data subjects are to be completed with special care. Furthermore, the increased entry control and applied restrictions are to be enhanced.
The employer shall provide detailed informative to third persons that contains the most important information concerning the coronavirus (transmission, incubation time, symptoms, prevention), furthermore, a call for third persons to inform the company about any suspected exposure to the coronavirus and any other relevant circumstances referred in the informative upon entering the company’s area without delay.
In this regard the principles and the necessity of the lawful data management referred to above shall apply.