Can the organization collect personal data as part of the implementation of the COVID-19 contingency plan?

Any organization can collect personal data as part of the implementation of a contingency plan. However, it must always ensure that a set of requirements is met. Firstly, it must ensure that the data to be collected is adequate and not excessive, and that only the data actually required for the purposes at stake is processed.

The applicable legal requirements vary according to the type of data to be collected, and in some instances the category of data subject (employees, employees’ families, clients or service providers) can also affect the rules to be observed.

 

Can travel data be collected?

If the organization wishes to collect information on trips made or to be made, places visited or persons contacted (data that can be qualified as private data), the organization must ensure, on the one hand, that such data is actually required to implement the contingency plan and, on the other hand, that the processing of such data is lawful.

 

Can health data related to the body temperature be collected?

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD), in its Guidelines on the processing of personal health data under Decree no. 8/2020, of 8 November, considers that measuring body temperature constitutes processing of personal health data, subject to the GDPR, whenever the person is identifiable. This occurs, for example, in the access to the workplace, to educational and teaching institutions or sport academies, and also whenever the establishment or place is equipped with control systems that use biometric data reading or video surveillance with image recording (which increases the possibility of identifying people).

Though CNPD analysed several possible legal grounds, it considered that the most adequate in this case would be the necessity of the processing for reasons of public interest in the area of public health, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (article 9.º, no. 2, line i) of the GDPR).

CNPD considers that the foreseen measures do not sufficiently safeguard the rights and freedoms of the data subjects, in particular regarding the secrecy and confidentiality of information.

Hence, CNPD considers that for article 4.º of Decree 8/2020 to be applicable in compliance with the GDPR, data controllers must: (i) bind the worker carrying out the temperature measurements to a specific duty of confidentiality, either by contract or by an autonomous declaration; (ii) define and carry out the procedures to follow upon detection of a temperature equal to or above 38°C, which guarantee the confidentiality and dignity of the treatment of the person subject to the measurement.

 

Can health data related to SARS-COV-2 diagnostic tests be collected?

Performing tests is considered a processing of personal health data subject to the GDPR.

According to the CNPD, the provision foreseen in article 5 of Decree no. 8/2020 does not define the circumstances in which diagnostic tests may be imposed by public and private entities, nor does it define who collects the sample for diagnostic purposes and who analyses the test results. Therefore, there are no measures to ensure the privacy of people who are required to be tested (in this specific context of a tendency towards stigmatisation and discrimination against carriers of the virus).

CNPD’s position does not change with the type of diagnostic test carried out, and also applies to rapid antigen tests.

Diagnostic tests can only be carried out by healthcare professionals, in accordance with DGS Standard n.º 019/2020, of 26 October 2020 (updated on 6 November 2020) concerning the National Testing Strategy for SARS-CoV-2, where the conditions for the use of the different types of tests are defined.

Hence, CNPD considers that for article 5.º of the Decree to be applicable in compliance with the GDPR, data controllers must: (i) ensure that the diagnostic tests are performed by a healthcare worker subject to the obligation of professional secrecy; (ii) define and carry out the procedures to follow upon detection of a positive result, which guarantee the confidentiality and dignity of the treatment of the person being tested.

 

What other care should be taken?

The organization must in any event provide information on the terms under which the data will be processed as part of the contingency plan, and identify from the start the purposes for which the data will be processed. The collection of data of employees’ family members may be more challenging, as the organization does not have a direct relationship with those persons.

Given the sensitivity of the data, adequate technical and organizational security measures should also be adopted to ensure the confidentiality of the data.

Since the processing is limited in scope and time (i.e., the data is collected as part of the implementation of a COVID-19 contingency plan), the organization must ensure that, once that period has expired, the data is erased and not used for any other purpose.

 

Can the organization monitor the performance of the employee’s remote work?

CNPD issued guidelines establishing that the employer retains its powers of direction and control over the performance of the work. Without prejudice to this, the general rule prohibiting the use of means of remote surveillance for the purpose of controlling the employee's work performance shall apply.

Therefore, technology solutions for remote control of employee's work performance, such as software that tracks working and downtime, Internet pages visited, real-time location of the terminal and use of peripheral devices, are not allowed. Similarly, it is not acceptable to compel the employee to keep the video camera permanently on, nor, in principle, to record teleconferences between the employer (or managers) and the employees.

However, CNPD admits that records of working time may be obtained by means of specific technology solutions in this remote work regime, which should be limited to reproducing the record made when the work is performed at the employing entity's premises. In the absence of such tools, it is exceptionally legitimate for the employer to establish the obligation to send an e-mail, SMS or any other similar method.

 

Have the data protection authorities already stated their position on this matter?

A few data protection authorities have already issued guidelines on this matter:

Recently, CNPD issued a set of guidelines:

As to the App STAYAWAY COVID, and following CNPD’s Guidance 2020/277, Decree-Law no. 52/2020 of 11 August was approved, establishing the General Directorate for Health (Direção-Geral da Saúde – DGS) as the data controller for the collected personal data. The Decree-Law also regulates the intervention of a doctor in the STAYAWAY COVID system.

__________________________

This information is being updated on a regular basis.

All information contained herein and all opinions expressed are of a general nature and are not intended to substitute recourse to expert legal advice for the resolution of real cases.