Companies explore whether they can disclose that someone has been diagnosed with COVID-19, in their efforts to protect staff and the general public. This article describes recent opinions published by EU Data Protection Authorities on the issue.
Statement of the European Data Protection Board
The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, specifically tackles the question of disclosing that an employee has been diagnosed:
“Can an employer disclose that an employee is infected with COVID-19 to his colleagues or to externals?
Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.”
What are the EU national DPAs saying?
The Irish DPC does not institute a general prohibition, but states that “any communications to staff about the possible presence of Coronavirus in the workplace should not generally identify any individual employees” and that the “identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification”. Moreover, the authority’s FAQ section provides a concrete example:
“Can an employer disclose that an employee has the virus to their colleagues?
This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID-19 in the organization and requesting them to work from home. This communication should not name the affected individual.
Disclosure of this information may be required by the public health authorities in order to carry out their functions.”
Italy’s Garante only mentions that, in the context of specific and detailed legislation passed at the national level:
“Where an employee performing duties that entail contact with the public (e.g. at a front office, at a service desk) encounters a suspected Coronavirus case in the course of their work, that employee will ensure that the competent health services are informed – including through the employer – and will follow the preventive instructions provided by the healthcare professionals consulted.”
The Hungarian Data Protection Authority (NAIH) indicated that organizations should inform employees that they must report any suspected contact with the virus, and that such information can be recorded by the employer. Specifically, the NAIH mentioned that the Police are authorised to use CCTV footage to investigate those who do not observe the legislation for preventing the spread of COVID-19.
Belgium’s APD takes a restrictive stand and states that:
“Under the principle of confidentiality (Article 5.1, f) of the GDPR) and the principle of data minimization (Article 5.1, c) of the GDPR), an employer cannot reveal the names of the persons concerned. The employer can only inform other workers of the situation without mentioning the identity of the person(s) concerned.”
The Danish DPA indicated that, within the framework of data protection law, an employer can, to a large extent, disclose non-specific information (even health information) when the situation makes it necessary, for example: that an employee has returned from a so-called “risk area”; that an employee is in home quarantine (without stating the reason); that an employee is ill (without stating the reason). The authority recognised that in some situations (e.g. to allow management and colleagues to take precautions) it might become necessary to disclose that an employee has been diagnosed with the Coronavirus. Even if information is disclosed, it should be factual and kept to the minimum necessary (including by not naming the infected person).
The DPA from Luxembourg does not institute a strict prohibition, but it does state that “The identity of the data subjects can therefore not be disclosed to third parties or the data subjects’ colleagues without clear justification.”
The UK’s ICO expressly answered that an organization can tell their staff that a colleague may have potentially contracted COVID-19, but they should assess whether they can name individuals and should not provide more information than necessary.
Lastly, none of the DPAs sees any impediment to reporting cases to health authorities or other public bodies that have legal competence to manage the epidemic.
Romanian DPA’s point of view
The Romanian DPA issued a press statement about the legal conditions of processing data in the current health crisis. The authority expressly stated the following:
“As regards the disclosure in the public sphere of the name and health status of a physical person, we underline that the processing (the disclosure) of such data can only be done based on the consent of the concerned person.”
The specific point of view is welcome; however, it does raise questions about the theoretical applicability of other exemptions allowed by Art. 9(2) of the GDPR. Moreover, this opinion should not prejudice journalistic activities which fall under the journalistic exemption provided by the Romanian GDPR Application Law (no. 190/2018), as long as these activities observe human rights privacy standards and ethical guidelines.