Can the organisation collect personal data as part of the implementation of the COVID-19 contingency plan?

Any organisation can collect personal data as part of the implementation of a contingency plan. However, it must always ensure that a set of requirements is met. Firstly, it must ensure that the data to be collected is adequate and not excessive, and that only data actually required for the purposes at stake is processed.

The applicable legal requirements vary according to the type of data to be collected, and in some instances the category of data subject (employees, employees’ families, clients or service providers) can also affect the rules to be observed.


Can travel data be collected?

If the organisation wishes to collect information on trips made or to be made, places visited or persons contacted (data that can be qualified as private data), the organisation must ensure, on the one hand, that such data is actually required to implement the contingency plan and, on the other hand, that the processing of such data is lawful.


Can health data related to the body temperature be collected?

Council of Ministers Resolution no. 25-A/2022, of 17 February, declared an alert situation in the context of the COVID-19 disease pandemic. With its approval, Council of Ministers Resolution no. 157/2021, of 27 November, which included a provision on the control of body temperature, was revoked. Accordingly, within the current exceptional and temporary measures to respond to the SARS-CoV-2 epidemic and the COVID-19 disease, the screening or measurement of body temperature is currently provided for only in air traffic situations, as set out in paragraphs c) and d) of Article 8 (1) of the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February.

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) considers, in its Guidelines on the processing of personal health data regulated at the time by Decree no. 8/2020, of 8 November 2020 (which has already expired), and currently provided for in the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February, that body temperature measuring is a processing of personal health data, subject to the GDPR, whenever the person is identifiable. This occurs, for example, in the access to the workplace, to educational and teaching institutions or sport academies, and also whenever the establishment or place is equipped with control systems that use biometric data reading or video surveillance with image recording (which increases the possibility of identifying people).

Though CNPD analyses several possible legal grounds, it considered that the most adequate in this case would be the necessity of the processing for reasons of public interest in the area of public health, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9(2)(i) of the GDPR).

CNPD considers that the measures laid down in Decree no. 8/2020, of 8 November 2020, did not sufficiently safeguard the rights and freedoms of data subjects, since this Decree did not provide a rule imposing a specific duty of confidentiality on the workers carrying out the temperature measurements. With the repeal of Council of Ministers Resolution no. 157/2021, of 27 November (namely its Article 4 (5)), this confidentiality duty is no longer provided for.

Finally, CNPD considers that, for Article 4 of Decree no. 8/2020, of 8 November 2020 (currently Article 5 of the annex to Council of Ministers Resolution no. 157/2021, of 27 November) to be applicable in compliance with the GDPR, data controllers must also define and carry out other procedures following the detection of a temperature equal to or above 38°C, which guarantee the confidentiality and dignity of the treatment of the person subject to the measurement and are provided for in paragraph d) of Article 8 (1) of the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February.


Can health data related to SARS-COV-2 diagnostic tests be collected?

Performing tests is considered a processing of personal health data subject to the GDPR.

Under Article 5 of the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February, SARS-COV-2 diagnostic tests, as well as the use of the EU COVID-19 Digital Certificate, shall be carried out in accordance with data protection rules. Therefore, the personal data relating to the person being tested (including the test certificate or information on the person’s identity) cannot be recorded or stored – unless expressly authorised by that person – and the processing of such data shall be limited to what is strictly necessary in relation to the purpose of the test.

According to the CNPD, the provision set out in Decree no. 8/2020, of 8 November 2020 (currently Article 4 of the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February) does not define the circumstances in which diagnostic tests may be imposed by public and private entities, nor does it define who collects the sample for diagnostic purposes and who analyses the test results. Therefore, there are no measures to ensure the privacy of people who are required to be tested (in a context marked by a tendency towards stigmatisation of, and discrimination against, carriers of the virus).

CNPD’s position does not change according to the type of diagnostic test carried out, and is also applicable to rapid antigen tests. The conditions for the use of the different types of diagnostic tests are defined in General Directorate for Health (Direção-Geral da Saúde – DGS) Standard no. 019/2020, of 26 October 2020 (updated on 23 February 2022), concerning the National Testing Strategy for SARS-CoV-2.

Hence, CNPD considers that, for the provision set out in Article 5 of Decree no. 8/2020, of 8 November 2020 (currently Article 4 of the annex to Council of Ministers Resolution no. 25-A/2022, of 17 February) to be applicable in compliance with the GDPR, data controllers must: (i) ensure that the diagnostic tests are performed by a healthcare worker subject to the obligation of professional secrecy; and (ii) define and carry out the procedures following the detection of a positive result, which guarantee the confidentiality and dignity of the treatment of the person being tested.


What other care should be taken?

The organisation must in any event provide information on the terms under which the data will be processed as part of the contingency plan and identify from the start the purposes for which the data will be processed. The collection of data on employees’ family members may be more challenging, as the organisation does not have a direct relationship with those persons.

Given the sensitivity of the data, adequate technical and organisational security measures should also be adopted to ensure the confidentiality of the data.

Considering the limited scope of the processing (i.e., the data will be collected as part of the implementation of a COVID-19 contingency plan), it must be ensured that upon the expiry of this period the data will be erased by the organisation and not used for any other purpose.


Can the organisation monitor the performance of the employee’s remote work?

CNPD issued guidelines establishing that the employer retains its powers of direction and control over the performance of the work. Without prejudice to this, the general rule prohibiting the use of means of remote surveillance for the purpose of controlling the employee's work performance shall apply.

Therefore, technology solutions for the remote control of the employee's work performance, such as software that tracks working and idle time, Internet pages visited, the real-time location of the terminal and the use of peripheral devices, are not allowed. Similarly, it is not acceptable to compel the employee to keep the video camera permanently on, nor, in principle, to record teleconferences between the employer (or managers) and the employees.

However, CNPD accepts that records of working time may be obtained by means of specific technology solutions under this remote work regime, which should be limited to reproducing the record made when the work is performed at the employer's premises. In the absence of such tools, it is exceptionally legitimate for the employer to establish an obligation to report by e-mail, SMS or any other similar method.


Have the data protection authorities already stated their position on this matter?

A few data protection authorities have already issued guidelines on this matter:

Recently, CNPD issued a set of guidelines:

As to the STAYAWAY COVID app, and following CNPD’s Guidance 2020/277, Decree-Law no. 52/2020, of 11 August 2020, was approved, establishing DGS as the data controller for the personal data collected. The Decree-Law also regulates the intervention of a doctor in the STAYAWAY COVID system.


__________________________

This information is being updated on a regular basis.

All information contained herein and all opinions expressed are of a general nature and are not intended to substitute recourse to expert legal advice for the resolution of real cases.