By Michele Gioffrè, Giusy Cardinale, AMTF Lawyers
Can employers take the body temperature of their employees or third parties (e.g., customers, suppliers, etc.) at the entrance to their premises?
In the current situation related to the COVID-19 emergency, due to the worsening of the national scenario, numerous regulatory interventions and consequent guidelines have been issued by the competent institutions in quick succession. In order to identify urgent measures for the containment and management of the epidemiological emergency, these guidelines have established that employers whose activities are not suspended are required to comply with the measures for the containment and management of the epidemiological emergency contained in the "Shared Protocol regulating measures to combat and contain the spread of the Covid-19 virus in the workplace between the Government and social partners" of March 14, 2020, with the relevant update of April 24, 2020 (hereinafter "Protocol").
The aforementioned Protocol provides for the measurement of employees' body temperature for access to company premises, among the measures to combat the spread of the virus that also apply to users, visitors, and customers, as well as suppliers, where no specific and separate access procedure has been set up for the latter (see Protocol paragraphs 2 and 3 and note no. 1).
Temperature checks should be carried out by a designated person (e.g., a member of the emergency/first aid team or a company employee who, due to their experience, expertise, and awareness, is familiar with health-related issues).
The person in charge must be:
• equipped with the required Personal Protective Equipment, as indicated in the supplementary document to the risk assessment;
• trained in the preventive measures to be adopted, as indicated in the aforementioned document;
• trained in how to measure temperature or any other physiological parameters;
• appointed as authorized to process personal data in relation to the purposes of the processing, pursuant to and for the purposes of Article 29 of the GDPR, with specific instructions.
As also confirmed by the Privacy Guarantor, given that real-time body temperature measurement, when associated with the identity of the data subject, constitutes the processing of personal data (Article 4(1) of the GDPR), the recording of body temperature data is not permitted. However, in accordance with the principle of "minimization" (Art. 5, para. 1, letter c) of the GDPR), only the circumstance of exceeding the threshold established by law may be recorded, and in any case when it is necessary to document the reasons that prevented access to the workplace.
The aforementioned Protocol emphasizes the non-mandatory nature of measuring the body temperature of employees and third parties and urges that the data acquired not be recorded.
It is possible to identify the data subject and record the exceeding of the temperature threshold – subject to the provision of specific information pursuant to Article 13 of the GDPR – only if it is necessary to document the reasons that prevented access to the company premises. On the other hand, if the body temperature of customers (for example, in large retail outlets) or occasional visitors is measured, even if the temperature exceeds the threshold indicated in the emergency provisions, it is not normally necessary to record the reason for denying access.
In any case, as this constitutes the processing of personal data, it is necessary to inform those who access these environments of the methods and purposes of the processing of personal and health data.
Is a specific privacy policy required?
As regards employees (and not external parties), it may not even be necessary if the information provided to the employee at the time of hiring or subsequently clearly specifies, in detail, the purposes of data collection for the assessment of aspects relating to the health and safety of the employee. However, it would seem preferable to adopt a specific policy, given that the purposes of the processing may differ from those referred to in previous privacy policies.
Based on the above, the specific contents of the disclosure to be provided may be:
• the purposes of data collection related to the COVID-19 emergency for all individuals who, for any reason, enter the company premises, based on protocols and national/regional regulations and the biological risk assessment as reported in the latest version of the DVR (Risk Assessment Document);
• the legal bases that make processing legitimate, including the following articles of the GDPR:
— Article 9(2)(b) concerning the protection of social security;
— Article 9(2)(f) concerning the pursuit of an important public interest;
— Article 9(2)(i) concerning reasons of public interest in the area of public health, such as protection against serious threats to health;
— Article 6(1)(c) provided for by a legal obligation (in this specific case, Article 2087 of the Italian Civil Code and Legislative Decree 81/08 on health and safety in the workplace, in addition to the specific provisions issued by the authorities from time to time);
— Article 6(1)(d) concerning the protection of the vital interests of operators who collaborate with the Data Controller, in addition to natural persons, including visitors. On this basis, no consent is required;
— Article 6(1)(e) concerning the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
• storage periods should not be limited to the "end of the state of emergency," but should also refer to cases where data may also be stored on the basis of instructions from the Ministry of Health or the ATS (Local Health Authority) or other body responsible for any epidemiological investigations;
• the communication of data, indicating that, at the request of the authorities, the same may be transmitted to other authorized entities including, for example, the Ministry of Health, the ATS (Local Health Authority) or other bodies responsible for any epidemiological investigations;
• a statement that failure to provide data will result in the inability to access company premises;
• finally, regarding the signing of the privacy policy, it is recommended that it be signed for acceptance, given that the purpose is not to obtain the consent of the data subject.
It is important to remember that, obviously, whenever a new processing activity is introduced, both the record of processing activities and the risk analysis must be updated, defining the appropriate security and organizational measures to protect the data. In particular, from an organizational point of view, it is necessary to identify the persons authorized to carry out the processing (in addition to the possible collection and storage of data) and provide them with the necessary instructions. To this end, it should be noted that data may only be processed for the purpose of preventing the spread of COVID-19 and must not be disclosed or communicated to third parties outside the specific regulatory provisions (e.g., in the event of a request by the health authority to trace the supply chain of any "close contacts of a worker who has tested positive for COVID-19").
Can employers request information from employees, including through self-declaration, regarding possible exposure to COVID-19 infection as a prerequisite for access to the workplace?
According to the regulations on health and safety in the workplace, employees have a specific obligation to report any situation that poses a risk to health and safety in the workplace to their employer (Article 20 of Legislative Decree No. 81 of April 9, 2008).
Among the measures for the prevention and containment of contagion that employers must adopt in accordance with the current regulatory framework is the denial of access to the workplace to anyone who, in the last 14 days, has had contact with individuals who have tested positive for COVID-19 or who comes from areas at risk according to WHO guidelines. To this end, also in light of the subsequent provisions issued in the context of infection containment (see the Protocol), it is possible to request a declaration certifying these circumstances also from third parties (e.g., visitors and users).
In any case, only data that is necessary, adequate, and relevant to the prevention of COVID-19 infection should be collected, and no additional information should be requested regarding the person who tested positive, the specific locations visited, or other details relating to their private life.
The Protocol of April 24, 2020, provides that "if a declaration is requested certifying that the person does not come from areas at epidemiological risk and has not had contact in the last 14 days with individuals who have tested positive for COVID-19, please pay attention to the rules on the processing of personal data, as the acquisition of the declaration constitutes data processing (...) it is recommended that only data that is necessary, adequate, and relevant to the prevention of COVID-19 infection be collected. For example, if a declaration is requested regarding contact with individuals who have tested positive for COVID-19, additional information about the individual who tested positive should not be requested. Similarly, if a declaration is requested regarding travel from areas at epidemiological risk, additional information about the specific locations should not be requested."
Workers who have already tested positive for COVID-19 must notify their employer before returning to work, providing medical certification confirming that they have tested negative in accordance with the procedures laid down and issued by the relevant local health department. If, in order to prevent the outbreak of epidemics, the competent health authority imposes additional specific measures in the areas most affected by the virus, such as testing workers, the employer shall cooperate fully.
Nevertheless, on March 2, the Italian Data Protection Authority issued a statement declaring that: "Employers must refrain from collecting, a priori and in a systematic and generalized manner, including through specific requests to individual workers or unauthorized investigations, information on the presence of any flu symptoms in workers and their closest contacts or in any case falling within the non-work sphere. The purpose of preventing the spread of Coronavirus must in fact be carried out by entities that institutionally perform these functions in a qualified manner. The assessment and collection of information relating to the typical symptoms of Coronavirus and information on the recent movements of each individual is the responsibility of healthcare professionals and the system activated by civil protection, which are the bodies responsible for ensuring compliance with the recently adopted public health rules."
Therefore, the statement issued by the Privacy Guarantor appears to be reasonable. In advising against "do-it-yourself" initiatives in data collection, it leaves control and verification activities to healthcare operators and the civil protection system, which are the bodies responsible for ensuring compliance with public health rules, and not to employers (in this regard, it should be noted that the "Immuni" app, designed for this very purpose, is about to be launched, as discussed below).
What processing of personal data in the workplace involves the occupational physician?
In the context of the emergency, according to paragraph 12 of the Protocol, the obligations relating to the health surveillance of workers by the competent doctor (e.g., including the possibility of subjecting workers to extraordinary medical examinations given their greater exposure to the risk of infection) constitute a genuine general preventive measure and must be carried out in compliance with the principles of personal data protection and the hygiene measures contained in the guidelines provided by the Ministry of Health.
In such emergency circumstances, the competent doctor collaborates with the employer and the RLS/RLST in order to propose all regulatory measures related to COVID-19 and, in carrying out their health surveillance duties, reports to the employer "situations of particular fragility and current or past pathologies of employees," suggesting, if necessary, the employment of the person concerned in areas less exposed to the risk of infection. To this end, it is not necessary to inform the employer of the specific medical condition suffered by the worker.
In this context, the employer may process the personal data of employees, in compliance with data protection principles (see Article 5 of the GDPR), only if this is required by law or ordered by the competent authorities or upon specific recommendation by the occupational physician in the performance of their health surveillance duties.
Can the employer disclose the identity of infected employees to the Workers' Safety Representative (RLS)?
According to national legislation, employers must report the names of infected staff to the competent health authorities and cooperate with them in identifying "close contacts" so that preventive measures can be taken promptly.
However, this reporting obligation does not apply to the Workers' Safety Representative, nor do the tasks described above fall within the specific duties of the latter, according to the regulations governing the sector.
The Workers' Safety Representative must, however, continue to perform his or her advisory, verification, and coordination tasks, offering his or her collaboration to the competent doctor and the employer (for example, promoting the identification of the most appropriate preventive measures to protect the health of workers in the specific work context; updating the risk assessment document; verifying compliance with internal protocols).
Can the employer disclose the identity of an employee with COVID-19 to other workers?
In order to protect the health of other workers, in accordance with the emergency measures, it is the responsibility of the competent health authorities to inform the "close contacts" of the infected person, in order to activate the necessary preventive measures, and not the employer.
The employer is, however, required to provide the competent institutions and health authorities with the necessary information so that they can perform the tasks and functions provided for by the emergency legislation adopted in relation to the aforementioned emergency situation (see paragraph 12 of the aforementioned Protocol).
The communication, both within and outside the company, of information relating to the health of employees or collaborators may only take place if this is required by law or ordered by the competent authorities on the basis of their statutory powers (e.g., exclusively for the purpose of preventing the spread of COVID-19 and in the event of a request by the health authority to trace any "close contacts" of a worker who has tested positive).
In any case, the measures that the employer must take in the event of the presence of a person affected by COVID-19 within the company or administration premises relate to the cleaning and sanitization of the premises themselves, to be carried out in accordance with the instructions issued by the Ministry of Health as referred to in paragraph 4 of the Protocol, which provides for the cleaning and sanitization of company premises in accordance with the provisions of Circular No. 5443 of February 22, 2020, of the Ministry of Health, as well as their ventilation.
Is the Immuni app compliant with data processing regulations? Can it be used by employers to track the location of employees and check for possible risk of infection?
The "Immuni" app (hereinafter "App"), identified by Order No. 10/2020 dated April 16, 2020, issued by the Special Commissioner for the Emergency, has two modes of operation. The first is a contact tracing system that uses Bluetooth technology: Bluetooth can be used to detect the proximity of two smartphones within one meter and trace back all encounters of a person who has tested positive for COVID-19, so that potentially infected individuals can be traced and isolated. Once downloaded, the app stores a list of anonymous identification codes of all other devices that have been in close proximity to each citizen's device.
The second function of the app is a clinical diary containing all the most relevant information about the individual user (gender, age, previous illnesses, medication). The user must take care to update the clinical diary daily with any symptoms and details about their state of health. This feature is similar to the one already present in the AllertaLOM (CercaCovid) app of the Lombardy Region.
With an "Opinion on the proposed legislation for the provision of an application aimed at tracking COVID-19 infections" dated April 29, 2020, the Italian Data Protection Authority expressed a favorable opinion on the app, as it appears to comply with the criteria set out in the European Data Protection Board's guidelines of April 21 regarding contact tracing systems, which can be summarized as follows:
(a) voluntary participation: given the significant individual impact of tracking, participation in the system must be the result of a genuinely free choice on the part of the data subject;
(b) regulatory provision: the condition may be identified in the need to perform a task in the public interest, in particular for public health reasons, based on a "regulatory provision or legislative provision" of the European Union or Member States;
(c) transparency: it is necessary to ensure full compliance with the transparency obligations set out in the Regulation with regard to data subjects. The App appears to be in line with this requirement, which ensures that data subjects are provided with adequate information on the processing and, in particular, on the pseudonymization of data, while it is recommended that the Administration concerned submit the impact assessment it is required to carry out to the widest possible public and provide, including in the legislation, for the free and open nature of the software to be released under an open source license;
(d) specificity and exclusivity of purpose: tracing must be aimed exclusively at containing infections, excluding any other purposes, without prejudice to the possibility of using it for scientific and statistical research purposes, provided that this is done in accordance with the general terms set out in the Regulation;
(e) selectivity and minimization of data: the data collected must be capable of tracing close contacts and not the movements or location of the subject. Only data strictly necessary for the purpose of identifying possible infections should be collected, using reliable anonymization and pseudonymization techniques. Storage must also be limited to the period strictly necessary, to be assessed on the basis of decisions by the health authority on objective parameters such as the incubation period;
(f) interoperability with other contact tracing systems used in Europe;
(g) reciprocity of anonymity among App users, who must not be identifiable by the data controller, as identification must be limited to the purpose of identifying infected individuals.
As previously mentioned, the Immuni app will be exclusively reserved for the competent authorities, and employers are therefore not authorized to access the information contained therein. The above would also apply if the app were installed on company mobile devices by employees, a practice that employers would be well advised to prohibit, in order to avoid any violations of personal data protection regulations, since employers are not authorized to access such data (even incidentally, for example, to remotely resolve a technical problem with the device) or to process such data if it comes into their possession.
In conclusion, the matter is clearly very complex and requires a case-by-case assessment of individual needs, especially in view of the gradual return of workers to regular on-site work and not exclusively to "smart working."
Source: DIRITTO24
