Due to the COVID-19 outbreak, many companies have had to suspend their activities or, where possible, ask their employees to work from home by introducing teleworking as a necessary precautionary measure.
In businesses that still continue to function and in sectors considered "essential" by the Grand Ducal Regulation of 18 March 2020 introducing measures to combat COVID-19, some employees still have to go to work. In this case, the employer is expected to take all appropriate measures to prevent infection. This obligation arises from Article L. 312-1 of the Luxembourg Labour Code, which provides that employers have a general duty to ensure the health and safety of their employees (and contractors) in all work-related aspects.
When taking such precautions, whether on site or through the introduction of teleworking, employers must nevertheless pay proper attention to the privacy of their employees, including those who may be infected.
Processing of Employee Medical Data
The measures taken in response to COVID-19 could lead to employers having to process personal data of their employees, in particular medical data. In principle, the General Data Protection Regulation ("GDPR") prohibits the processing of medical data, which are regarded as particularly sensitive, by employers unless an exception applies, e.g., where (i) the data subject has given his or her explicit consent (although it is unlikely that employee consent will be deemed valid in this context), (ii) there is a need to protect vital interests of the employee, (iii) the processing is necessary for reasons of substantial public interest in the area of public health, or (iv) the employer is authorised to process the data by national or EU law in the context of its or the employee's specific obligations and rights in relation to employment and social security.
If the employer can rely on one of these exceptions to process medical data, it must still comply with all obligations arising from the GDPR, including the principles of proportionality and data minimisation and the prior information right of data subjects.
Taking into account the foregoing and following the most recent guidance of the European Data Protection Board ("EDPB") and the Luxembourg National Commission for Data Protection ("CNPD"), please find below some information on what can (and cannot) be done.
1. Systematic testing and temperature checks
While the Belgian Data Protection Authority does not consider temperature checks to entail the processing of medical data provided the results are not recorded or linked to other personal data, the CNPD considers that "employers should refrain from collecting information on possible symptoms experienced by an employee/external person and their relatives in a systematic and generalised manner, or through individual inquiries and requests" (except in specific situations authorised by the government).
By way of example, the CNPD states that employers should "refrain from requiring their employees to provide daily body temperature readings or to fill in medical forms or questionnaires, which have been drawn up in advance".
As an alternative, it is recommended to encourage employees to inform their superior promptly in the event of suspected exposure to COVID-19 or as soon as infection is confirmed by their attending physician. Pursuant to Article L. 313-1 of the Luxembourg Labour Code, employees must take all necessary measures to preserve their health and safety and those of other employees or persons concerned. This obligation implies that employees are expected "to report immediately, to the employer and/or to the designated employees and to the health and safety representatives, any work situation they have reasonable grounds to consider represents a serious and immediate danger to health and safety". Failure to comply with this obligation could give rise to liability.
Practical advice: It is recommended to politely ask an employee with a fever to contact the occupational physician and to stay at home if the employee is experiencing symptoms. The key here is to support rather than stigmatise the employee.
2. Keeping of medical information related to COVID-19
Even in the current situation, it is unlikely that an employer will have a valid justification to keep records of COVID-19 information relating its employees, as such information can, in principle, only be processed by the occupational physician.
3. Disclosure of the names of infected employees
Employers should avoid disclosing the names of infected employees (even internally). The fact that someone is infected (or not) is personal data relating to health, which they are prohibited from disclosing except:
- to the extent necessary to comply with employment and/or social security obligations, or
- to the extent necessary to protect the "vital interests" of the employee or another natural person (e.g. to call emergency services if the employee is no longer physically able to do so).
When considering disclosure under these exceptions, employers should pay proper attention to the principles of proportionality and data minimisation. Thus, where disclosure of the employee's name can be avoided (for instance, by referring to a department), the employer should strive to maintain the anonymity of the employee concerned. In any case, the EDPB stresses that where there is no other choice but "to reveal the name of the employee who contracted the virus, (…) the concerned employees shall be informed in advance and their dignity and integrity shall be protected".
The foregoing applies even if the employee has given his or her consent. Indeed, given the hierarchical nature of the employer-employee relationship, the "free" nature of employee consent can be called into question. As far as small businesses are concerned, other employees may notice the absence of a colleague and discover that (s)he is infected. This does not raise any issues for the employer under the GDPR. The same is true where employees decide voluntarily to inform colleagues of their situation.
Data Protection Consequences of Homeworking
1. Specific information obligations
In principle, the employment contract should expressly provide for the possibility of teleworking. If this is not the case, the employer can introduce teleworking by means of an addendum to the employment contract or through the conclusion of a separate agreement with the employee, which provides for teleworking as a precautionary measure to avoid infection.
Regardless of how teleworking is introduced, the employer should provide its employees with certain minimum information, as agreed with the Union of Enterprises in Luxembourg ("UEL") and the major labour unions in the convention of 15 December 2015 on the legal framework for teleworking. Such information includes in particular:
- the place from which the employee will telework;
- the contact person(s), (depending on the nature of the question/problem, this could be HR, the IT manager, etc.);
- a precise description of the teleworker's professional tools and equipment;
- information concerning any insurance taken out by the employer against the loss of or damage to professional equipment.
This information will partially overlap with the information the employer is obliged to provide under the data protection rules. If the employer uses time-tracking or IT monitoring tools, Article L. 261-1 of the Labour Code requires that the employee representative body or, in the absence thereof, the Luxembourg Labour Inspectorate be duly informed of such use, along with information gathered by the employer about employees, on the basis of Article 13 GDPR. Furthermore, Article L. 261-1 of the Labour Code states that the employer may have to perform a data protection impact assessment in accordance with Article 35 of the GDPR.
2. Information security considerations
Homeworking raises of course information security concerns. As a data controller, the employer is obliged to keep personal data secure and must be able to deploy the necessary organisational and technical measures to ensure the security of personal data. The use by employees, for professional purposes, of a personal email address or private device should be avoided if possible. Where personal devices are used, it is recommended that the employer have a strict BYOD (bring your own device) policy. In the current context, it is expected that hackers and criminals will target homeworkers in order to breach IT systems.
In addition, the employer may have a duty to protect its systems and data. This is in particular the case in the financial sector as financial institutions are subject to a duty of professional secrecy and an obligation to ensure the sound organisation of important internal functions, such as IT. It is thus not surprising that the Luxembourg financial regulator, the CSSF, has already issued minimum standards in terms of access management (with a strict “least privilege” policy), secure (encrypted) communications, compulsory monitoring of connections, and the requirement to activate distance access in exceptional circumstances only.
Another point for attention is the use of screen-sharing and/or video conferencing tools. The terms of such tools should be carefully checked, as some may allow the provider to reuse shared content or to analyse conversations, which is not optimal from an information security perspective.
The COVID-19 crisis has obliged employers to take rapid decisions in order to ensure health and safety in the workplace and define a homeworking strategy. Even though we are facing an exceptional and challenging situation, this does not mean that data protection laws and principles can be overlooked. On the contrary, respect for key data protection principles (especially in terms of information security) will help businesses that are still operational continue to function securely.
Would you like to stay up to date of our publications regarding COVID-19? Register here. We will send you a weekly update with the latest publications.