In the context of the health crisis linked to the coronavirus, and in particular with a view to a phase of “lockdown”, private individuals and professionals are asking about the measures that need to be implemented in order to limit the spread of the virus and guarantee security and the recovery of business, as well as the conditions under which personal data, in particular health data, can be used. The CNIL recalls some principles.
- The security obligation
- Reminder on the processing of health data and on the application of the GDPR.
- Updating on some practices.
- Temperature reading at the entrance of premises.
- Serological tests and forms on the health status.
- Business continuity plans or BCP.
- The reorganization of work, in particular with software solutions (update of 23 September 2020).
- Requests and recommendations from the health authorities.
The CNIL receives many requests from professionals and individuals about the possibility of collecting, outside any medical care, data about employees, agents or visitors in order to determine whether people have Covid-19 symptoms, or data relating to trips and events that may fall within private life.
The security obligation
The security obligation of employers.
Employers are responsible for the health and security of their employees/agents under the Labour Code and the texts governing the public service (in particular article n. 4121-1 and R. 4422-1 of the Labour Code or Decree n. 82-453 of 28 May 1982, as amended).
As such, it is their responsibility to implement actions to prevent occupational risks, information and training actions, as well as a work organization and resources adapted to working conditions.
For this reason, the CNIL invites employers to regularly consult the information published online by the Ministry of Labour (General Directorate of Labour, DGT) in order to understand their obligations during this crisis period. Employers, in compliance with the GDPR, have the right to process personal data when it is strictly necessary in order to fulfil their legal obligations.
In this context, the employer is in particular entitled to:
- remind employees who work closely with other people of their obligation to report any contamination or suspected contamination, to the employer or to the Health Authorities, so that working conditions can be adapted;
- facilitate the transmission of these reports by using, if necessary, dedicated and secure channels;
- promote remote working methods and encourage the use of occupational medicine.
The security obligation for employees/agents.
Every employee/agent must take care to protect their own health and security, but also the security of the other people with whom they could come into contact during their professional activity (article L.4122-1 of the Labour Code).
Usually, when an employee is sick, they need only communicate any sick leave they are granted, without any other details about their health status or the nature of the illness. However, during this coronavirus epidemic, an employee who works in close contact with other people and colleagues must inform their employer in case of contamination or suspected contamination with the virus.
On the other hand, an employee who works, for example, in smart working, or who works in isolation without any contact with the public or colleagues, is not obliged to contact their employer in case of illness. Indeed, where there is no danger for other people, events connected to a possible exposure, in particular any work stoppage that would ensue, must be managed under the normal work stoppage procedure.
How employers process these reports.
Employers can process the data that are strictly necessary to fulfil their legal and contractual obligations, that is, data needed to adopt organizational measures (smart working, referral to the occupational doctor, and so on…), training and information measures, and certain actions to prevent occupational risks.
For this reason, the employer can process only the elements relating to the date, the identity of the data subject, the fact that they have reported being contaminated or a suspected case, and the organizational measures adopted.
If necessary, the employer can communicate to the health authorities the elements needed for any health or medical care of the data subject. In every case, the infected data subject identity must be communicated to other employees.
Reminder on the processing of personal health data and the scope of application of the GDPR.
While it is up to everyone to adopt measures suited to the situation, such as limiting trips and meetings or respecting hygiene measures and “barrier measures”, employers cannot adopt measures that would disproportionately infringe the privacy of the people concerned, in particular by collecting health data that go beyond managing suspected exposure to the virus in order to protect employees and the public. This principle is also recalled by article L. 1121-1 of the Labour Code, which requires that “no one can impose restrictions to people’s rights and to individual and collective freedoms which are not justified by the nature of the task to be carried out nor proportionate to the sought objective.”
Data relating to a person’s health status are, because of their sensitive nature, subject to specific legal protection: as a matter of principle, processing them is forbidden.
In order to be processed, their use must fall under one of the GDPR exceptions, which guarantee the balance between the wish to ensure people’s security and respect for their rights and fundamental freedoms.
In addition, their sensitivity justifies that they be processed under strong security and confidentiality conditions and only by those authorized to do so.
The exceptions that can be relied on in the work context are limited and generally concern:
- the need for the employer to process these data in order to fulfil obligations in terms of labour law, social security and social protection:
- this is the case for the processing of reports made by employees;
- the need for a health professional to process these data for preventive or occupational medicine, the health assessment of the ability to work, or medical diagnosis.
For these reasons, employers who wish to launch initiatives to safeguard the health of their employees must rely on the health services, whose responsibility this is and which are at the centre of the health crisis. They cannot set up files with the temperature of each employee or with certain pathologies (“comorbidities”) likely to constitute special circumstances in case of coronavirus infection.
It is in this spirit that an ordinance “which adapts conditions for the operation of occupational health services’ emergency missions and modifies the preliminary partial activities authorization request system” was adopted by the Council of Ministers on 1 April 2020, in accordance with article 11 of the emergency law of 23 March 2020 to deal with covid-19, and published in the Official Journal on 2 April 2020.
The CNIL recalls that data processing legislation applies only to automated processing (in particular IT) or to non-automated processing that makes it possible to build files.
Thus, merely taking a temperature reading with a manual thermometer (for example a contactless infrared one) at the entrance of a site, without keeping any record and without any other operation being carried out (such as recording this temperature, feedback, and so on…), is not covered by data protection legislation.
Updating on some practices.
Whatever the device used or the data processing implemented, the CNIL reaffirms the importance of guaranteeing complete transparency to data subjects. Informing people and maintaining social dialogue, besides being an obligation under both labour legislation and data protection legislation, is an essential component of managing the health crisis and it reassures data subjects.
The CNIL offers examples of information notices on its website.
Temperature reading at the entrance of premises.
Under the current law, and except where a text provides for the possibility, employers are forbidden from building files that store temperature data of their employees. It is also forbidden to set up instruments for the automatic acquisition of temperature (such as thermal cameras). However, manual temperature measurements at the entrance of premises, without creating any file or reporting information, are not subject to personal data protection legislation. On this point the CNIL refers to the recommendations of the General Directorate of Labour.
As part of a contamination prevention approach aimed at keeping employees who could have a fever away from the workplace, some employers wish to introduce systematic temperature checks of employees and visitors at the entrance of their workplaces. Although it is not the CNIL’s task to assess the legality, under social law, of what employers can impose on their employees or of what may constitute discrimination, it observes, regarding the effectiveness and suitability of temperature measurement, that fever is not considered a systematic symptom of covid-19 and can indicate another infection. It notes in this regard that the High Council of Public Health recommends not establishing covid-19 screening by measuring the population’s temperature.
The CNIL recalls that, when it is processed, a person’s body temperature is sensitive data relating to their health, which justifies its special protection.
Under the current state of the legislation (in particular article 9 of the GDPR), and except where a text provides for the possibility, employers are forbidden from:
- taking temperature readings of employees and visitors where these are recorded in automated processing or in a paper register;
- carrying out automated temperature detection or using thermal camera systems.
As mentioned above, merely taking a temperature reading with a manual thermometer (for example a contactless infrared one) at the entrance of premises, without keeping any record and without any other operation being carried out (such as passing on these temperatures, internal or external information feedback, and so on…), is not covered by data protection legislation. On this point the CNIL refers to the instructions given by the DGT, which does not recommend these controls, which must be reserved for specific cases.
The CNIL recalls that in every case of suspected infection, the data subject must consult a health professional (occupational health service, their own doctor, emergency department), who alone is able to assess a person’s ability to work or decide on their care.
Serological tests and forms about health status.
Some employers express the wish, in order to protect their employees or agents, to assess their exposure to the virus or their health status when they come back to work. The CNIL notes that, according to the General Directorate of Labour, “the screening campaigns organized by the companies for their employees are not authorized”.
The CNIL also recalls that only health professionals (in particular occupational medicine) can collect, use and have access to any forms from employees/agents that include their health data or information about their family situation, their living conditions or their possible movements.
The same applies to serological or covid-19 tests, whose results are subject to medical confidentiality: the employer can only receive the possible opinion of fitness or unfitness for the employee’s return to work issued by the health professional. He can only process this single piece of information, without any additional details relating to the health status, in the same way as a sick leave notice, which does not indicate the illness from which the employee is suffering.
Business continuity plans or “BCP”.
Companies and administrations may be required to set up a “business continuity plan”, which aims to maintain essential activity during crisis periods.
This plan must include all the measures needed to protect the security of employees and must identify the essential activities that must be maintained and the people needed to continue the service. It is possible to create a nominative file for the preparation and maintenance of the plan, which must include only the data necessary to reach this objective.
The CNIL recalls that the employer must guarantee in all cases the security and the confidentiality of the data that he processes: for example, when sending a proof of professional travel that contains personal data and should not be communicated only to individual data subjects.
The reorganization of work, in particular with software solutions.
With the resurgence of the epidemic, many projects are being developed with the aim of limiting the spread of the virus and protecting people’s health, in particular in a professional setting. Employers are trying to limit the risk of exposure of employees/agents to covid-19 in the workplace as part of preventing occupational risks. The implementation of software solutions is envisaged in order to facilitate employers’ management of the health crisis.
The CNIL recalls the following points:
1. The employer is responsible for the health and the security of its employees and must adopt all collective prevention and protection measures.
The employer, in accordance with the Labour Code and the texts that regulate the public service, must ensure the health and security of employees/agents (see the security obligation for employees and agents).
If an employer has an obligation, in particular during this period, it is limited to putting preventive measures in place. It is therefore up to the employer to adopt collective protection measures (for example reminders of “barrier measures” and social distancing measures, provision of personal protective equipment, hand sanitizer), protection measures connected with the reports received, and to relay the messages of the Health Authorities.
So it is not possible for the employer to establish a diagnosis, a vulnerability analysis or any other medical analysis.
2. The employer does not have to organize the collection of health personal data of all the employees.
The only situation that requires the employer to adopt individual measures is a report made by an individual employee who could have been exposed to the virus by colleagues or the public. In this situation, the employer needs to define an individual measure (e.g. smart working) for a short period, while the employee contacts a health professional, the only one able to act and to prescribe or renew the work stoppage (see the reminder on personal data related to health status and the GDPR scope of application).
Consequently, the employer must not, on his own initiative, systematically assess the individual level of risk of exposure to the virus of all his employees.
3. Only the health services can propose individual working conditions.
An employer who wishes to go further by checking the health status of employees in order to establish individual working conditions must rely on the occupational health service, which has exclusive competence (see the reminder on the processing of personal data related to health status and the GDPR scope of application).
Indeed, the occupational health service is the only body authorized to process personal data relating to the health of employees, with the exceptions listed in the texts (examples: work stoppage, declarations of work accidents that include the workplace and the nature of the injuries, pregnancy).
Any representation of an employee’s vulnerability or risk of exposure to Covid-19 (for example a digital display or a coloured QR code) is personal health data (article 4-15 of the GDPR): only the occupational health service can collect or have access to those data.
In addition, it is up to the doctor to propose individual measures for the adaptation or transformation of the workplace or of working time, justified by considerations relating in particular to the age or the physical or mental health status of the workers (article L. 4624 3 of the Labour Code). Only the nature of the recommended measures should be passed on to the employer.
The role of the employer is therefore to apply these measures.
Finally, the CNIL recalls that the role of the occupational health service has been clarified with respect to the current health situation (Decree No. 2020-549 of 11 May 2020).
Requests and recommendations by health authorities
Finally, health data may be collected by health authorities, empowered to take measures appropriate to the situation, within the limits of their respective competences. The assessment and collection of information relating to coronavirus symptoms and information on the recent movements of certain people is the responsibility of these public authorities.
Although the health situation requires all parties concerned to exercise particular vigilance, the CNIL invites individuals and professionals to follow the recommendations of the health authorities and collect only data on the health of individuals that may have been requested by the competent authorities.
SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL