As of 30 January 2020, the World Health Organization (WHO) has declared a “Public Health Emergency of International Concern” due to the Covid-19 disease caused by the SARS-CoV-2 virus, known as the novel coronavirus (hereinafter simply “coronavirus”). The Harvard epidemiology professor Marc Lipsitch predicted that within the coming year, 40 to 70 percent of people around the world will be infected with the virus. Moreover, he indicated that if any seasonality effect is ignored, the numbers may go up as high as 80 to 90 percent. Indeed, the outbreak has already infected more than 170,000 people in 148 countries, and the Turkish Ministry of Health confirmed the first case of coronavirus in Turkey on 11 March 2020. As of 16 March 2020, the total number of confirmed cases in Turkey is 18.
WHO underlines that the spread of this virus can be significantly slowed or even reversed through the implementation of robust containment and control activities. While public authorities are implementing systematic measures, it is critical that businesses take extra steps in the workplace to manage the outbreak on a more micro level. However, despite the gravity of a pandemic, we would like to remind our clients that businesses are subject to certain limitations and obligations deriving from data protection and employment law. We recommend that the risks of an outbreak in the workplace be managed in parallel with addressing the risks of non-compliance with the steps taken for the fight against the virus.
In this first part of our article series, we will cover the fight against coronavirus in the workplace from a data protection law perspective, which will be followed by a second article in the upcoming days addressing the employment law aspect.
The Fight against Coronavirus in the Workplace in General
There are many measures that can be implemented by businesses to fight the spread of coronavirus in the workplace, including¹:
- Holding training sessions regarding coronavirus and how it spreads (for instance by the workplace doctor), raising awareness by posters in the workplace that encourage sick employees to stay at home and advise on hand hygiene and respiratory etiquette;
- Deep cleaning and disinfection of office spaces (particularly of frequently touched objects and surfaces); providing hand sanitizers and tissues in common areas such as conference and meeting rooms, reception areas, and kitchen while encouraging their use;
- Forming an internal task force to handle the business’ response to the virus (for instance convening the Occupational Health and Safety Board to discuss the matter);
- Ceasing face-to-face job interviews in favour of interviews conducted by teleconference;
- Tightening travel restrictions for non-critical trips, postponing attendance to conferences, trade fairs, and similar events;
- Encouraging employees to work remotely from their home, particularly those that have recently travelled to any of the high-risk areas (China, Singapore, Iran, Thailand, Japan, Hong Kong, South Korea, Italy);
- Ensuring that sick leave policies are flexible, encouraging employees who appear to have acute respiratory illness symptoms to stay at home;
- Preparation for the worst-case scenario, holding a company-wide exercise to simulate the possibility that no employee may be able to come to the office (for instance by requiring all employees to work from home for one day and tracking efficiency company-wide).
Critical Measures from a Data Protection and Employment Law Perspective
We observe that the main measures relevant from a data protection and employment law perspective are to (1) collect certain additional information from the employees and visitors to assign them to pre-determined coronavirus risk categories and (2) implement a variety of measures in accordance with such categories.
We note that businesses are requesting employees and visitors to fill in questionnaires including the below questions in order to determine the risks that such persons may pose (“Coronavirus Questions”):
Within the past 14 days:
1. Whether the person visited any of the regions considered to be at risk and/or have travel restrictions (whether for business purposes or personal reasons) such as China, Singapore, Iran, Thailand, Japan, Hong Kong, South Korea, Italy;
2. Whether the person has been in the same environment with people from these regions;
3. Whether the person has provided direct care or support for a patient infected with coronavirus or visited a medical centre which had such patients under treatment;
4. Whether the person himself/herself has encountered any of the symptoms of fever, cough, or shortness of breath.
Businesses also seem to be implementing the below measures for employees and visitors in accordance with their risk groups determined per the Coronavirus Questions:
- Removing the employee and the visitor from the office, requesting employees to work remotely or to take a sick leave;
- Requesting the employees and visitors to use respirators in the office;
- Referring the employees for a medical examination.
Employees may also have certain requests due to the coronavirus outbreak:
Due to the concerns arising from the coronavirus outbreak:
- Absence from work,
- Refusing to travel for work.
The collection of data in relation to employees and visitors as well as identification of risk groups concern data protection law, while the measures and requests in the workplace relate more to employment law.
The Data Protection Perspective
Can businesses collect information from employees and visitors to manage risks associated with the coronavirus?
In principle, the Personal Data Protection Law (PDPL) does not prohibit the collection of personal data from employees and visitors to manage internal risks associated with the coronavirus. The key issue here is to adopt a compliance-by-design mentality in drafting the procedures for the fight against coronavirus.
Businesses should first and foremost determine whether the collection of personal data is indeed required for the purposes of fighting the coronavirus (“Necessity Test”). Businesses should be aware that simply being afraid of the virus is not sufficient for the collection of additional personal data and particularly health data from employees or visitors. Businesses should first carry out a risk assessment by taking into account many factors including the below:
- Field of activity of the business;
- Employee and visitor profile;
- Current circumstances in relation to the coronavirus in the country and the region.
Businesses should not forget that the fight against coronavirus can be carried out without collecting any additional personal data. In this regard, they should carefully assess whether the collection of data is a must for the purposes of managing the risks associated with the virus. For instance, rather than collecting data from the employees with the Coronavirus Questions, businesses may provide training and firm instructions to encourage the employees to use respirators and stay at home if they are sick. This would allow the business to reach the same result without collecting any personal data. It is possible to doubt the effectiveness of this approach as employees may not strictly adhere to the instructions provided by the employer. However, businesses should remember that the employees will have two significant motivations to comply with the instructions of the business: (1) The measures are necessary for the protection of their own health and (2) they are under a legal obligation to comply with the health and safety instructions of their employer.
In the Necessity Test, businesses should also remember that pre-emptive measures to fight the virus are principally carried out by the public institutions, meaning that their duties and authorities to implement measures to protect public health are limited. The fight against the coronavirus in the workplace should aim to support the employees and be considered as part of the employer’s obligation to ensure health and safety within the workplace. In this regard, it is not possible to reach a definitive and general conclusion on whether businesses can lawfully collect travel and health information from employees and visitors in response to the Coronavirus Questions. Indeed, this issue is currently under debate in the European Union as well. The Italian data protection authority, the Garante, has recently published guidance on the matter and suggested that businesses cannot oblige employees or visitors to disclose information about the presence of coronavirus symptoms. Instead, the Garante highlighted that actions for the purposes of preventing the spread of coronavirus must be carried out by healthcare professionals. Similarly, the French data protection authority CNIL provided that it is likely unlawful to collect medical information from all employees via questionnaires. On the other hand, the Irish data protection commissioner stated that requesting information about recent travel and symptoms of employees and visitors is potentially justified. In short, the Necessity Test will need to be carried out by taking into account many factors as mentioned above based on the specifics of each case.
How can businesses decide on what information to collect? What are the considerations for complying with the data minimisation principle?
Businesses should ensure that the data collected and processed within their efforts to fight the coronavirus is minimised. In this regard, the risk levels identified by the business in the Necessity Test will be indicative of the justifiable processing activities that can be carried out by the business. In other words, the risk levels and the processing activities should be compatible with each other.
Above all, a specified and explicit purpose must be established for the processing activity, and the quality and the quantity of the data to be collected should be reduced to the absolute minimum required for such purpose. Any data collected by the business must have a clear purpose, and it should not be possible to reach this purpose without collecting such data. For instance, a few of the abovementioned Coronavirus Questions are sufficient to collect the necessary information to combat coronavirus in most of the cases. In the absence of an explicit and legitimate purpose, measures such as requesting detailed health records from employees and visitors, asking for details of their travels that would not benefit combatting coronavirus, or mandatory measurement of temperature of each employee and visitor would be contrary to the principle of proportionality.
Similarly, the number of people that will provide information in response to the Coronavirus Questions should also be minimised. Considering the current state of the epidemic and specifically, the spread of the virus in Turkey, businesses may consider directing the Coronavirus Questions only to people that are projected to be in high-risk groups. It should be noted here that the selection of such people should be based on reasonable and legitimate criteria. For instance, a pharmaceutical company may direct Coronavirus Questions to its field force as it is reasonable to predict that the field force would be a high-risk group considering the number and categories (i.e. doctors and patients) of people they come in contact with.
Further, (1) access to the data collected in response to the Coronavirus Questions should be restricted to a “need-to-know” basis (e.g. to the personnel who are essential to the fight against coronavirus in the workplace, preferably the workplace doctor), (2) infected employees or visitors should not be disclosed, unless this is strictly necessary, and (3) the data should be kept securely under limited access.
Is it necessary to collect consent for collection of travel and health information?
The type of data that will be collected plays a key role in this respect. The processing grounds in relation to the general categories of personal data are quite diverse. For instance, entities could base the processing on their legitimate interests. However, in case the data is sensitive (i.e. data falls under the definition of special categories of data), businesses would not have any ground other than explicit consent.
The primary category of sensitive personal data that could be collected in the fight against coronavirus is obviously personal health data. There is no definition of health data under the PDPL or the secondary legislation published by the Personal Data Protection Board (PDP Board). However, the Regulation on Personal Health Data published by the Ministry of Health defines health data as “any data relating to a person’s physical and mental health.”
In this framework, there is no doubt that information collected in response to the fourth Coronavirus Question will be considered as health data. As the presence of medical symptoms relates to one’s physical health, responses given to the fourth question will constitute personal health data and thus sensitive personal data. This means that it will be mandatory to collect explicit consent from employees and visitors if the fourth Coronavirus Question is posed to them.
Returning to the first three Coronavirus Questions, it is possible to argue that the answers given to these questions (which involve visits to the high-risk locations or being present at the same location with people of high-risk groups) would not technically qualify as sensitive data, as travel records and location data do not relate to the “physical or mental health.” Yet, if we were to interpret the PDPL in light of its spirit and not only its letter, it is also possible to argue that these questions would reveal the probability of whether a person is infected with the disease or not. Thus, answers to the first three questions could be considered as health data depending on the context and specifics of the case. Indeed, the Article 29 Data Protection Working Party provides in its opinion “On the Concept of Personal Data” (issued during the effect of the European Union Directive numbered 95/46/EC) that the “element of purpose” can be used to determine whether data qualifies as personal data. This leads us to consider whether the element of purpose can also be used in determining the type of the data (i.e. whether data is sensitive), beyond its qualification as “personal” data. Further, under the European Union’s General Data Protection Regulation (GDPR), which is referred to in various decisions of the PDP Board, sensitive personal data is defined as data that reveal sensitive information in addition to the sensitive information itself. Following this line of argument, the United Kingdom’s Information Commissioner’s Office (ICO) states that data can be considered sensitive in case it is possible to reveal sensitive information by using the available data.
Our view is that travel records and location information will constitute sensitive personal data within the current context and under the umbrella of the fight against coronavirus. Although travel records might technically not be considered sensitive personal data, the risk category data that will be inferred based on travel records will undoubtedly be considered as sensitive. This leads us to the ultimate conclusion that explicit consent is a must also for the collection of travel records and location information.
Last but not least, businesses should consider carrying out their efforts to fight against coronavirus via their workplace doctor, if any. This would allow them to eliminate the need for explicit consent to a certain extent, provided that the employer does not have any access to the information collected in response to the Coronavirus Questions. In any event, it is clear that workplace doctors will play an important role in the fight against coronavirus, meaning that businesses should keep in close contact with their workplace doctor.
Can businesses refuse to provide entry to the office to the visitors who do not consent? Does this affect the validity of consent?
Businesses are under the obligation to ensure the health and safety of their employees under Occupational Health and Safety Law no. 6331 and to protect the personality of the employee and implement all measures necessary to ensure her health and safety under the Turkish Code of Obligations no. 6098. If the risks are found to be significant as a result of the Necessity Test, it can be possible to implement certain measures for visitors who do not consent and therefore whose risk group cannot be identified. These measures may include holding meetings in quarantined rooms, requesting visitors to use respirators in the office, or refusing visitors entry to the office.
One of the key requirements of valid consent under the PDPL is that it should be “freely given.” This means that (1) consent cannot be a precondition for the provision of products or services (coupling prohibition) and (2) there should not be any negative consequences for the data subjects who do not consent. The type of the visitor becomes quite relevant in this regard. For instance, in the absence of any alternative means for receiving service, refusing customers entry to the office may invalidate the consent. On the other hand, consent collected from a customer who wishes to visit the headquarters of a business where no services are provided to customers may be deemed valid. However, we recommend that businesses establish alternative channels of communication for these visitors as well.
In any event, it is important to highlight that the measures that can be implemented should be evaluated based on the circumstances and specifics of each case.
What can businesses do in regards to employees who do not consent? Does this affect the validity of consent?
The explanations in the previous question in relation to consent equally apply. Moreover, consent is more problematic here as there is an employment relationship, where we normally do not recommend consent as a processing ground. However, considering that (1) the processing grounds are quite limited for health data under the PDPL, even more so in comparison with the GDPR, (2) employers are legally obliged to ensure the health and safety of their employees, and (3) the high risks that may be identified as a result of the Necessity Test, consents collected from employees by employers (particularly those who do not have any workplace doctors) can be deemed valid. We highlight here that this does not overrule the requirement that non-consenting employees should not face any adverse consequences. Indeed, the measures to be applied if employees do not consent should not result in any negative consequences for such employees, and employers should particularly be careful in not causing any discrimination against these employees. Employers may consider requesting these employees to work remotely from home depending on the specifics of the case.
Can businesses share the data collected for the fight against coronavirus with public institutions and other third parties?
It depends. The employer would have a lawful basis to transfer the data if there are legally binding requests from authorised public institutions. However, for the time being, voluntary sharing of health data belonging to employees and visitors, even with public institutions or health institutions, would be in violation of the PDPL, particularly when there is no definitive diagnosis of Covid-19. In the event of a definitive diagnosis, the transfer must be effected only after carefully evaluating the specific case from a data protection perspective and by implementing measures to protect the rights of the data subject. In any event, as it will be the healthcare institutions who will be diagnosing Covid-19 in a definitive manner, the data sharing with the Ministry of Health can be effected via the healthcare professionals.
Businesses should also consider coordinating their efforts with their workplace doctors, who can increase the frequency of medical check-ups and eventually have any definitive diagnosis be notified to the public authorities via healthcare institutions.
As regards sharing of data for purposes other than the protection of public health (e.g. due to the use of cloud services), the issue will not be specific to coronavirus and the businesses will need to comply with the PDPL in general.
Should the employees and the visitors be informed of the processing of their data?
One of the key obligations of businesses under the PDPL is to provide data protection notices to data subjects, informing them in relation to the processing of their data. In this regard, it is critical that businesses provide these notices prior to any processing of employee or visitor personal data in order to ensure the validity of consent. Data protection notices should be provided to the employees and visitors prior to or at least simultaneously with the provision of the forms containing Coronavirus Questions.
Data protection notices are of vital importance not only for compliance with the PDPL but also for ensuring the effectiveness of the businesses’ efforts to fight the coronavirus. If the data subjects are informed adequately and truthfully, they will be more inclined to participate in and support the efforts of the business by providing correct information and consenting to the processing of their information.
Are there any other points to keep in mind?
¹ These measures are compiled from the following sources: (1) COVID-19 Guide of the Turkish Ministry of Health Science Board, (2) “Workplace vs. Coronavirus: ‘No One Has a Playbook for This’” from The New York Times and (3) “Interim Guidance for Businesses and Employers” from USA Centre for Disease Control and Prevention.