Talking about personal data in the workplace the 14 March 2020 was subscribed anti-contagious security agreement adopted in accordance with article 1, paragraph 7, letter d of the DPCM 11 March 2020, supplemented by the agreement of the 24 April 2020. The document helps companies and bodies in the adoption of anti-contagious security measures, such as Regulatory protocol for combating and containing the spread of Covid 19 virus in the workplace environment, but it has also privacy rules.
For example the detection of temperature is a personal data processing, and so, it must comply with the Privacy regulation. For this reason, a number of precautions are suggested.
In particular we need to:
1. take the temperature and do not store the data. It is possible to identify the data subject and store the overcoming temperature only if it is needed for documenting the reasons that prevented access to the premises.
2. Give the personal data processing policy. Please note that the policy can omit information that the data subject has already known and it is frequently oral. The policy content, with regard to the purpose of the treatment, prevention of COVID-19 infection may be indicated and with reference to the legal basis may be indicated the implementation of anti-contagion safety protocols under art. Art. 1, No. 7, lett. (d) of the DPCM on 11 March 2020 and with reference to the duration of any data retention can be referred to the end of the state of emergency.
3. Define organizational and technical measures in order to protect data. In particular under the organizational terms, we need to identify data subjects designated for the process and give to them necessary instructions.
Please note that data can be processed only for COVID-19 infection prevention and they can not be shared or reported to third parties
apart from specific regulatory provision (for example in the case of a request from the Health Authority for the reconstruction of the supply chain of any “close contacts of a worker who tested positive for COVID-19).
4. In case of temporary aislation because of an excess of temperature, in order to ensure measures for guarantee workers confidentiality and dignity.
This guarantees must be ensured even if the employer forgot to communicate to the personnel department to have outside of the work environment, contact with Covid-19 positive results and in the case of removal of the worker who develops fever and symptoms of respiratory infection and his colleagues during work
5. Anyway it is required a declaration with attests that he/she does not come from a “red zone” and about no contacts during the last 14 days with positive Covid-19 subjects, please pay attention to personal data protection legislation, because the declaration acquisition means data processing. For this purpose, directions above are applied, we recommend collecting only relevant and necessary data in compliance with prevention of COVID-19 infection.
For example, if you request a statement about contact with people who tested positive for COVID-19, you should refrain from requesting additional information about the person who tested positive. Or, if you require a statement on where you come from areas of epidemiological risk, you should refrain from requesting additional information about the specifics of the places.
The Italian Data Protection Authority published its own FAW the 14 May 2020 and it specified that under the workplace prevention and safety system or anti-contagion safety protocols, the employer may require his employees to carry out serological tests only if arranged by the competent doctor or other health professional according to the rules relating to the epidemiological emergency.
Only the occupational doctor, in fact, in health surveillance, can establish the need for special clinical and biological examinations. And always the competent doctor can suggest the adoption of diagnostic means, when he deems them useful in order to contain the spread of the virus, in accordance with the indications provided by the health authorities, also regarding their reliability and appropriateness.
In the FAQ, the Authority also states that information relating to the worker’s diagnosis or family history cannot be processed by the employer (for example, by consulting the reports or exam results). Instead, the employer must process the data relating to the employee’s suitability for the job and any prescriptions or limitations that the competent doctor may establish. Visits and investigations, including for the evaluation of the employee’s readmission to work, must be put in place by the competent doctor or other health staff, and, in any case, in accordance with the general provisions prohibiting the employer from carrying out diagnostic examinations on employees directly.
Finally, the Authority clarified that participation in serological screenings promoted by regional prevention departments against particular categories of workers at risk of infection, such as health workers and law enforcement agencies, can only take place on a voluntary basis. The results can be used by the health facility that carried out the test for the purpose of diagnosis and treatment of the person concerned and to arrange the epidemiological containment measures provided by the current emergency legislation (e.g. home insulation).
SOURCE: FEDERPRIVACY