COVID-19 symptom screening in the workplace: Data protection implications and restrictions Authors: Philip Mifsud, Philip Formosa Published on April 7, 2020 1. Workplace Symptom Screening Although the responses to the threat posed by COVID-19 have varied from one country to another, a common thread between them has been the adoption of preventative measures designed to contain the spread of the virus as far as possible or, failing that, to at least slow it down and minimize the strain placed on local hospitals. For that reason, employers have generally been encouraged and, in some countries, even directed to shift to remote working during this time in order to reduce the level of contact between their employees and hopefully, in turn, the risk of possible infection and further transmission. Similar measures have also been taken in Malta, and many employers have in fact temporarily closed their offices and other premises and instructed their employees to work from home for the time being until the situation clears. Unfortunately, though, a wholesale shift to remote working is not a fully realistic option for all businesses or service providers, such as manufacturers (e.g. pharmaceuticals) and utility providers, both of whom, for instance, require the presence of certain employees on-site in order to be able to continue to operate and maintain their service provision or supply to the population during this time. Furthermore, some businesses and outlets have even been classified as being “essential” or as providing “essential supplies”, such as supermarkets and pharmacies, in large part because people are reliant on them for their everyday needs. Consequently, in those particular cases, there is at the very least a strong interest by the employer to implement preventative measures and other safety precautions in order to safeguard against possible transmission of the virus amongst the present employees and visitors or customers. Whilst the possible measures and precautions are rather varied in nature, many of them share a common characteristic and purpose – they are intended to detect whether an employee or visitor has or is exhibiting symptoms of COVID-19 (“screening”). Examples of this may include temperature readings prior or upon entry into the office building, medical check-ups for employees and other forms of COVID-19 testing. However, though the interest of an employer to conduct COVID-19 symptom screening is clear, it does not necessarily override or set aside the data protection implications and possible restrictions that may apply or otherwise arise. For instance, the receipt of the outcome of a test result would constitute an evident case of processing of personal data, and therefore applicable data protection rules would need to be observed (such as identifying a basis on which that test result can be shared with the employer). In the context of positive test results, this would, in particular, constitute processing of health data, which itself is listed in the General Data Protection Regulation (“GDPR”) as being a special category of personal data and is subject to a higher level of protection. Moreover, when dealing with positive test results or suspected infections, these potentially give rise to further data protection considerations, such as (for instance) whether an employer should or is even permitted to communicate the details of the infection to the rest of the workforce (including the identity of the affected employee) and, if so, to what extent. There are, in effect, various data protection considerations which an employer must navigate through in order to ensure that any COVID-19 symptom screening is aligned with its data protection responsibilities and duties. 2. Health Data As indicated, an immediate consideration is that COVID-19 symptom screening could potentially lead to, if not even require, processing of employee or visitor health data by the employer. As defined in article 4(15) of the GDPR, the term ‘health data’ or ‘data concerning health’ means and includes: “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. Accordingly, the notion of ‘health data’ is not limited to diseases or illness-specific information about the data subject, but is in fact wider in scope and even encompasses general statements or assessments as to whether an individual is healthy or not (for example, the outcome of a medical test). In addition, information which can be extracted to form or reach a conclusion about an individual’s health condition or status would equally fall to be considered as health data (i.e. as information revealing the health status of an individual). Thus, to apply this to the current situation, the outcome or results obtained from any COVID-19 screening or testing is likely to fall within the scope of ‘health data’ as defined in the GDPR. 3. Can an employer process health data in the context of COVID-19 symptom screening? As a result of its status as a special category of personal data, health data is subject to a higher level of protection under the GDPR and, in fact, additional conditions and restrictions apply to its processing. Therefore, what can be relied upon for the processing of normal or standard personal data (e.g. a name or address) may not necessarily suffice to allow for the processing of health data. In that respect, the general rule established in the GDPR is that the processing of any special category of personal data (health data included) is prohibited, unless either (i) one of the derogations provided for in art. 9(2) applies, or (ii) if the Member State in question has enacted any additional derogations into national law pursuant to art. 9(4). However, at the time of writing, the only additional derogation for health data that has been introduced into Maltese law pertains to the insurance sector and for the processing of customer health data, and therefore cannot be relied upon by a Maltese employer for COVID-19 screening. Consequently, any Maltese employer seeking to introduce COVID-19 symptom screening into the workplace would need to identify an available and applicable derogation in article 9(2). In that respect, there may be a temptation on the part of employers to attempt to rely upon explicit consent, which is listed as a possible derogation. However, in the authors’ opinion, there are other derogations in article 9(2) which are likely to provide a more appropriate justification and legal basis in these circumstances, as follows: Article 9(2)(b): the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law; Article 9(2)(g): processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The latter, that is article 9(2)(g), was even specifically identified by the Office of the Information and Data Protection Commissioner (“IDPC”) in a recent press release as a potentially applicable derogation to legitimise the processing of special categories of personal data in the context of epidemics. 4. Duty of Care Besides article 9(2)(g), in the authors’ opinion, an employer may also potentially seek to rely upon article 9(2)(b) as its legal basis to conduct employee COVID-19 symptom screening in the workplace. In fact, it is even arguable that this derogation may even be the more appropriate and suitable legal basis in this context, given that it is in fact an employment-specific provision. Accordingly, for the purposes of the application of article 9(2)(b), it should be recalled that employers have a general duty of care under Maltese law to ensure the health and safety at all times of its employees as well as any other individuals who may be carrying out work for that employer. This is enshrined in art. 6 of the Occupational Health and Safety Act, Chapter 424 of the laws of Malta, and constitutes a foundational health and safety obligation for employers under our law. In addition, as directed by the Maltese Occupational and Health Safety Authority (“OHSA”) : “the measures that need to be taken to prevent physical and psychological occupational ill-health, injury or death, must be taken on the basis of the ‘general principles of prevention’ which are considered to be the foundation upon which occupational health and safety can be successfully managed”. Considering this, it may be surmised that an employer even has a distinct obligation under Maltese law to implement preventative measures in the workplace to protect the health of its employees during working hours and when present in the office. This can be further construed as including an obligation to take preventative measures and other precautions against active viruses, such as COVID-19, and to safeguard against risks of possible infection or transmission between employees whilst carrying out work for the employer. In that light, the justification to conduct COVID-19 symptom screening, and possible application of article 9(2)(b) to legitimise any health data received by the employer, would appear to be rather pronounced within the context of employees. Arguably, this position has also been implicitly endorsed by the European Data Protection Board (“EDPB”) which, in a recent statement, advised that employers should only access and process employee health data, “if their own legal obligations require it” to do so. In the case of Malta-based employers, the existence of such a legal obligation could potentially be inferred from their duties to employees under local health and safety legislation and OSHA guidance. However, within the context of visitors to a particular establishment, an employer would not be in a position to rely on Article 9(2)(b) GDPR but would then need to turn to article 9(2)(g) and the grounds that such processing is necessary for reasons of substantial public interest. 5. Principles and Case Scenarios Identifying an applicable legal basis or derogation is not, however, the extent of the employer’s obligations and responsibilities. The employer must also ensure that its processing activities, as resulting from its screening measures, are carried out in conformity with the fundamental data protection principles in the GDPR, as follows: (i) lawfulness, fairness and transparency; (ii) purpose limitation; (iii) data minimisation; (iv) accuracy; (v) storage limitation; (vi) integrity and confidentiality; and (vii) accountability. As also noted earlier, the introduction of screening measures could give rise to various and rather differing instances of processing by the employer, covering both normal personal data and even health data. Moreover, due to the recognized ‘sensitivity’ of health data and the enhanced protection afforded to it under the GDPR, additional safeguards are also required in order to ensure that any processing of health data is carried out lawfully, with full respect to the rights and privacy of the employee or visitor, and limited to the extent strictly necessary. Consequently, depending largely on the nature of the screening measure and what it involves (e.g. a temperature reading as compared to a ‘swab test’), it may be recommendable, and in certain cases even mandatory, for the screening to be performed either by or, else under the responsibility and supervision, of a healthcare professional (“HCP”). Besides the assurance and comfort that those being screened may potentially derive from knowing that the screening is being conducted under the authority of a qualified professional, it is also notable that HCPs are subject to strict duties of professional secrecy under our law which, in principle, should serve as a valid safeguard for ensuring that the obligations of confidentiality and privacy emerging as a result of screening are respected. Subsequently, if an HCP is used (as recommended), then in accordance with the data minimisation and purpose limitation principles the information shared with the employer by that HCP should preferably be limited to only the particular outcome of the screening. By and large, the information relevant to an employer for fulfilling its health and safety duties is whether the data subject has tested positive or negative and, in the former, if the person screened is symptomatic. Equipped with this information, an employer should then, generally-speaking, be in a position to take an informed decision on the required course of action (namely for a positive or suspected positive result). If an employer wishes to obtain additional information, then it should ask itself whether it has a legitimate reason for requesting it. If unable to identify one, then in those circumstances, apart from the test result or outcome, the rest of the information relating to the screening should remain under the sole control of the HCP and not shared with the employer. Both as a matter of law and good data protection practice (including to avoid unnecessary risk exposure), an employer should avoid collecting excessive information (such as, in the case of a positive test, details on the symptoms which have manifested so far), and limit its processing to only information strictly needed for the aims pursued – i.e. to detect infected employees or other visitors and prevent further transmission. Taking all this into account, we now turn to some particular case scenarios. Can COVID-19 symptom screening be mandatory? As discussed above, an employer owes a general duty of care to all its employees under Maltese law, which may arguably justify making COVID-19 symptom screening mandatory. However, although employers could be entitled to require employees to undergo screening, they should nevertheless, in line with their duties of transparency, explain the reasons as to why the screening is being introduced, the aims and purposes which it is intended to achieve (i.e. as a health protection measure), the manner in which it will be implemented and under whose authority and supervision, and, most critically, the employer should also specify the individuals who will have or could potentially obtain access to the screening results. It may even be recommendable to draw up a specific policy document outlining and detailing the entire screening protocol and what confidentiality and security procedures will be in place. The same level of transparency should also equally be provided to visitors and customers. In the context of visitors and customers, an employer will largely need to rely upon the derogation provided for under Article 9(2)(g) (rather than article 9(2)(b)), and therefore clear documentation of the policy adopted, communication of it to affected persons will be particularly crucial in demonstrating compliance. Furthermore, if COVID-19 symptom screening is indeed introduced on a mandatory basis, then it is important to ensure that the relevant screening measures are actually carried out on all individuals entering the office building or other premises without exception, so as to avoid any issues or claims of unequal treatment (or discrimination). Otherwise, if the screening measures were to be limited to employees alone, whilst at the same time allowing third parties (e.g. suppliers) to freely enter and access the building, it could arguably undermine the whole rationale for introducing COVID-19 symptom screening into the workplace and may even possibly render the data protection justifications null. Can an employer disclose that an employee or visitor is infected with COVID-19? In the event of a positive test result or suspected infection, an employer may be required by the relevant public health authorities to assist with contact tracing for any colleagues or external third parties who may have come into contact with that infected person. In such a situation and where it concerns an employee, then the affected employee should be informed of this in advance – i.e. the employee should not find out after the fact, but the employer should discuss the intended disclosure with that employee beforehand and explain the need and reasons for it and try to address and alleviate any concerns which he or she may have. Within the context of visitors, the employer should conduct a parallel process where both the affected person as well as the health authorities are informed immediately to limit the spread. Moreover, the details communicated to the workforce should be limited to what is strictly necessary in the circumstances, and the employer should take care to avoid disclosing anything which may be excessive, irrelevant or which could potentially invite prying by others. In addition, it is also incumbent upon the employer to take appropriate measures to ensure that the dignity and integrity of the affected employee remain protected and is not prejudiced by the disclosure of his or her infection or suspected infection. Thus, together with its duty of care owed to the rest of the workforce, the employer must equally ensure that the affected employee does not suffer from any consequential stigma/s or discrimination as a result of the disclosure (e.g. unfounded speculation as to how the employee may have potentially contracted it). Guidance to this effect was in fact issued by the EDPB in its above-mentioned statement on COVID-19. Go back