The General Data Protection Regulation (GDPR), which took effect in the European Union in mid-2018, states that people’s data is their own and requires anyone seeking to process it to obtain their consent.
Companies are allowed to obtain information on whether an employee has travelled to a region with confirmed coronavirus cases, and some systemic data collection may also be required, such as through workplace questionnaires or requiring staff to report their travel plans.
But data protection office CNIL has warned that this is where it ends. Employers are not allowed to take mandatory readings of the temperature of employees or visitors, nor can they require them to fill out compulsory medical questionnaires.
In practical terms that means a receptionist may only take the temperature of a visitor under certain conditions, as this may require processing of health data that can only be done by a doctor, said Holger Lutz, partner at law firm Baker & McKenzie.
Italy, the European country hardest hit by coronavirus, has passed emergency legislation requiring anyone who has recently stayed in an at-risk area to notify health authorities either directly or through their doctor. Germany, meanwhile, recently inserted wording into its GDPR enabling legislation that specifically allows for the processing of personal data in the event of an epidemic, or natural and man-made catastrophes, said Lutz.
Governments are apparently looking at the possibility of mass tracking to see who has had contact with a coronavirus victim. German Federal Data Protection Officer Ulrich Kelber told Reuters that smartphone tracking was possible if it had the person's consent, which it would need in order to have a valid legal basis.
Any tracking-based system would need to undergo detailed analysis to ensure an acceptable level of data protection, Kelber said. It should be proportionate, both in terms of whether the accuracy of the location data gathered serves the intended purpose and whether a less intrusive method is available.