key: cord-0757957-83qbmc7q
authors: Shabani, Mahsa; Goffin, Tom; Mertes, Heidi
title: Reporting, Recording and Communication of COVID-19 Cases in Workplace: Data Protection as a Moving Target
date: 2020-04-22
journal: J Law Biosci
DOI: 10.1093/jlb/lsaa008
sha: 0f21ab49f3edebb00729d3a32f0c515eb4fe6df1
doc_id: 757957
cord_uid: 83qbmc7q

In response to privacy concerns in the context of COVID-19, European and national Data Protection Authorities (DPAs) recently issued guidelines and recommendations addressing a variety of issues related to the processing of personal data for preventive purposes. One of the recurring questions in these guidelines relates to the rights and responsibilities of employers and employees in reporting, recording and communicating COVID-19 cases in the workplace. National Data Protection Authorities in some cases adopted different approaches regarding duties in reporting and communicating COVID-19 cases; however, they unanimously stressed the importance of adopting privacy-preserving approaches to avoid raising concerns about surveillance and stigmatization. We stress that, in view of the increasing use of new data collection and sharing tools such as “tracing and warning” apps, the associated privacy-related risks should be evaluated on an ongoing basis. In addition, the intricacies of the different settings where such apps may be used should be taken into consideration when assessing the associated risks and benefits.

In the wake of the COVID-19 outbreak, concerns related to the lawful processing of personal information from COVID-19 cases have led various European and national Data Protection Authorities (DPAs) to develop guidelines regarding personal data protection in the context of the outbreak. Notably, under the EU General Data Protection Regulation (GDPR), processing personal health-related data is subject to a higher level of protection, since health data are considered sensitive data. [1] According to Article 9(2) of the GDPR, sensitive data, including personal health-related data, can only be processed, inter alia, when the data subject gives her/his explicit consent or when processing is necessary "for reasons of public interest in the area of public health" on the basis of Union or Member State law.

One of the recurring questions in these guidelines has related to the duties and responsibilities of employers regarding recording COVID-19 cases and disclosing the relevant information to staff for preventive purposes. In this context, COVID-19 cases may refer to confirmed and/or potential cases, including symptomatic but untested individuals or those at higher risk because of close contact with positive cases. While the processing of information from COVID-19 cases by public health authorities is justified on the basis of their legal mandate to prevent infectious diseases, approaches differ on whether employers should/may communicate COVID-19 cases to coworkers, and how far identifying information, including the name(s) of the positive cases, should/may be disclosed.

The guidance provided by the European Data Protection Board on 19 March 2020 asserts that "Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected." [2] In any event, the principles of proportionality and data minimization should be fully respected in processing personal information from employees. The guidelines issued by the national DPAs adopt different approaches regarding the duty to communicate COVID-19 cases to staff.
For instance, while the UK Information Commissioner's Office states that employers "should" communicate COVID-19 cases to staff, [3] according to the DPAs of Ireland and Belgium employers "may" communicate the cases, when justified. [4, 5] It is also interesting to note that, according to the Netherlands' DPA, communicating the positive cases to staff is not a duty of employers. [6] This heterogeneity may be due to differences in national regulations regarding epidemiological surveillance and in protocols regarding safety and risk management at the workplace.

With regard to the permissibility of disclosing personal information about the positive cases when communicating to staff, disclosing the names of the cases has been generally disfavored and perceived to be unnecessary in many cases. The Danish DPA states that a number of points should be taken into consideration when deciding to disclose information from COVID-19 cases, including whether recording or disclosing the information is justified and whether it is necessary to specify the information. In addition, account should be taken of whether the purpose can be achieved by "telling less" and whether it is necessary to name names, e.g. the name of the person infected and/or in home quarantine. Therefore, employers are instructed to evaluate on a case-by-case basis whether disclosing identifying information about individuals is necessary or not. [7]

It seems this approach is better suited to the realities of different workplaces. Employers can thereby adopt communication strategies based on the setting of the workplace (the number of employees, likelihood of direct contact, etc.) and strive to communicate information in a manner that protects the privacy of employees as much as possible. As disclosing the names of individuals may have stigmatizing effects, it is essential to adopt communication strategies that respect the privacy of the persons involved.
Closely related to this topic is a duty of potential or confirmed COVID-19 patients to report their test results/symptoms to their employers. For instance, the Netherlands DPA asserts that such reporting should be only on a voluntary basis, while the French and Luxembourg DPAs assert that employees who contracted COVID-19 should report to their employers. [8, 9] Notably, a potential duty of employees to report is closely related to the responsibilities of employers in recording such cases, and eventually communicating them to staff and health authorities.

In the guidelines provided by the DPAs, it has been presumed that the management of personal information from employees, and consequently the scope of communication of COVID-19 cases, would be effectively controlled by employers. In parallel, rapidly emerging mobile apps that, among other things, aim to trace and prevent the spread of the virus by potentially warning exposed people offer novel opportunities that may also be used by employers to facilitate the reporting and communication of COVID-19 cases in workplaces. The potential benefits of using tracing and tracking apps have been highlighted in recent scientific literature [10] and in policy recommendations such as the recent European Commission Recommendation C(2020) 2296, which states: "expert opinion suggests that applications aiming to inform and warn users seem to be the most promising to prevent the propagation of the virus, taking into account also their more limited impact on privacy, and several Member States are currently exploring their use." [11] Thereby, duties of reporting and the scope of communication of positive cases may be considerably expanded beyond what was originally foreseen in the relevant data protection guidelines.
Employers may favor the use of apps by staff, as it will allow recording and (partly) automating the communication of positive cases in the workplace by sending direct notifications to those who are considered to be at a higher risk of contracting the virus. These apps have already been used in countries such as Singapore, South Korea and Israel, and plans for using them in Germany, Belgium and the UK have recently been announced. [12]

The use of tracing-warning apps in workplaces raises a number of privacy concerns. While the use of such apps is generally considered to be voluntary, [13] their mandatory use in some settings such as workplaces may be justified on the basis of already existing duties and responsibilities for reporting and recording (potential) COVID-19 cases. Additionally, the risks of identifiability and privacy breaches may be higher when using apps in small workplaces. Most tracing apps claim that they operate on the basis of anonymized data and that their activities therefore fall outside the scope of data protection regulations, such as the EU General Data Protection Regulation (GDPR), which only applies to directly or indirectly identifiable data. However, one needs to take into account that removing obvious identifiers (e.g. names, national registration number, etc.) does not always sufficiently address the concerns about identifiability, especially when reporting and notification take place in a setting comprising a small group of people. Moreover, account should be taken of the general privacy-related concerns in using health-related apps which have been previously discussed in scholarly literature and normative documents. [14]

In view of the new possibilities that ICT offers in processing sensitive personal data, [15] it is imperative to treat the assessment of data protection concerns, and of the adequacy of the proposed safeguards and guidance in the context of COVID-19, as a dynamic endeavor.
Thereby, data protection oversight bodies should be involved in the development of such apps from the beginning and publish their consultations publicly when possible. This is crucial for improving transparency and eventually maintaining public trust related to using such apps for processing sensitive health-related data. Recently, the importance of ongoing evaluation and consultation by the relevant oversight bodies has also been duly stressed in the European Data Protection Supervisor's response to the European Commission DG Connect regarding monitoring the spread of COVID-19 by using data from telecommunication providers, and in the European Commission's Recommendation C(2020) 2296 (see above). [16] Notably, the risks associated with the processing of personal data may evolve considerably when new data collection and communication tools are being used.

Finally, regardless of whether monitoring and communication of COVID-19 cases in the workplace rely on apps or not, disclosing the identity of those infected should only happen on a need-to-know basis, in order to prevent stigmatization and privacy breaches. While it is expected that the current public health emergency would justify temporarily limiting the privacy rights of individuals, it is crucial to ensure that adequate safeguards are in place to mitigate potential risks for individuals when collecting, reporting and communicating their health-related information for preventive measures. As has been stressed in the recent joint civil society statement on States use of digital surveillance technologies to fight pandemic, "These are extraordinary times, but human rights law still applies". [17]

Denmark Data Protection Authority
COVID-19): Remarks from CNIL on collection of personal data
COVID-19): CNPD Recommendations relating to the Collection of Personal Data in a Context of a Health Crisis
Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing
How will the NHS COVID-19 app contact-tracing app works and when it will go live
German minister says tracking apps to tackle coronavirus must be voluntary
Draft Code of Conduct on privacy for mHealth apps