Categories: GDPR, Juridical, Security

This post was written by Arno

Now that the various governments are rolling out their exit strategies slowly and in phases, it is the right moment for you as an employer to prepare the restart of your activities in the “new normal”. In addition to the many practical questions, questions about privacy are increasingly being raised. What can you ask of your employees to make the restart as safe as possible? There are many questions, but one thing is clear: when planning a restart, privacy is an item to consider.

Does GDPR still exist?

Right! The General Data Protection Regulation, or GDPR for short, is now well established in all European countries. However, GDPR was not written with a pandemic in mind. And while people seem more and more willing to give up some of their privacy at the moment, this doesn’t mean that you as a company should respond to this. On the contrary!

Legal provisions

If we follow what the text says, you need a legal basis under GDPR to process personal data, including that of your employees. Medical data even fall under the stricter “exceptional situation”, something COVID-19 undoubtedly falls under. After all, medical data should in principle never be processed.

The reality

The reality, of course, is not so black and white. Firstly, because this is an unprecedented situation we are facing. Companies, governments, citizens and even experts are often in the dark and act to the best of their ability.

Secondly, there is the dilemma of the extent to which privacy takes precedence over the general health interest. This is more of an ethical and moral issue, as GDPR can accommodate this in the public interest, such as protection against serious cross-border health threats.

Finally, what you can and may do will also depend on the various authorities. During this crisis, the various governments took the necessary measures in accordance with the speed and pace of the situation in their country. The same will apply to the exit strategy and its impact on restarting your operations.

There are still many questions about privacy and COVID-19

At the time of writing this blog post, many things are still unclear. Many countries are rolling out an exit strategy, but all in different ways and with different timings. It is almost certain that corona apps will be launched. The discussion is still raging about what the legal and privacy frameworks of these apps are going to be.

Some basic rules

If they could, many companies would rather “restart their activities yesterday than today”. This is undoubtedly no different for you. But it must be done safely and with respect for the privacy of the employee. We would like to give you some basic rules that apply in case of illness, not specifically COVID-19:

  • Of course, you can register that an employee is ill, but not the actual disease. That applies to COVID-19 as well.
  • Internal communication about the affected employee is not allowed, unless the employee in question has given explicit permission for this.
  • Although it is a much-suggested measure, as an employer you may not check the temperature of employees before they enter the work environment.
  • As a rule of thumb, keep in mind that the basic medical questioning and imaging may only be carried out (established) by a (company) doctor.

Trust comes from both sides

It all sounds contradictory. On the one hand, you are responsible for a safe restart under healthy conditions; on the other hand, you are limited in terms of (medical) privacy.

Ultimately, GDPR is about processing personal data. This does not prevent you from communicating openly and transparently to and with your employees. If you know of an employee who is or has been infected, we even recommend that you show involvement. As long as you do not register and communicate it, this is not a problem.

As we wrote in our blog post last week on the importance of communicating appropriately in times of crisis, it is at least as important that you continue to do so during the restart. An open and transparent culture is desirable for a good restart of your activities. After all, you want employees to dare to look at their health situation without fear, so that they can determine on their own responsibility whether it is wise to work. This benefits not only the employee but also the company. After all, you only want healthy employees back at work in the workplace.

Note: Would you like to learn more about privacy and restarting in times of COVID-19? Then register for our Efficy Expert Session on Wednesday 13 May with Clément Bauduin, certified Data Protection Officer.
