In the middle of a global pandemic we all have to behave differently than we are used to. But what does that actually mean in relation to the GDPR? New situations raise new questions about the collection of personal data: what actually constitutes personal data concerning health, how you should act as an employer, and what responsibility a teacher has when personal data is collected in connection with online lectures. In this blog post we therefore look more closely at situations and problems that can arise at the workplace and in school.
Published 24 August 2020
At the workplace
Information that an employee has the coronavirus is personal data concerning their health. Such data falls under the special categories of personal data in the GDPR (Article 9) and must therefore be handled with particular care: processing is prohibited unless one of the exceptions in Article 9(2) applies, and you still need an ordinary legal basis under Article 6 on top of that exception. If you want to read more about the GDPR in relation to healthcare, you can read our more general (Swedish) blog post about it here.
The Swedish supervisory authority, Datainspektionen, also states that information that a person is being held in quarantine probably counts as personal data concerning their health. However, information that an employee has returned from a risk area does not count as personal data concerning their health. The same goes for information that a person is in so called "voluntary quarantine", meaning that the person, as a precaution, stays at or works from home. These kinds of personal data are not special categories, but they must of course still be processed in accordance with the other provisions of the GDPR.
What is the situation, then, when an employee has the coronavirus? What are you, as the employer, actually allowed to communicate to their coworkers? It should normally be enough to inform the other employees that a person at their workplace has contracted the virus. Only in exceptional cases are you allowed to give their name: it must be absolutely necessary to do so, and the sick employee must have been informed about it in advance. In accordance with the principle of data minimization, never disclose more information than necessary. It is also important that the information is objective and not offensive to the data subject in any way.
When it comes to information that an employee works from home after having been in a risk area, you should think twice before passing that information on. Internally you can of course inform colleagues that the person is working from home so that they know how to contact them. However, you have to evaluate whether it is really necessary to provide that information to people outside the organization. In both scenarios, the Swedish supervisory authority states that you should not disclose why the person is not at the workplace.
Regarding the question of whether an employer may perform medical check-ups on their employees, you have to look at national laws on employment or health and safety. The employer should only have access to and process such data if they have a legal obligation to do so.
In school
Most teaching this spring has been carried out remotely. This has raised many new questions, including GDPR questions. One of them is who the controller is for the personal data processed in connection with online lectures. You might think that the teacher or the principal is the controller in such a situation, but that is not the case. In a Swedish public school, for example, the controller is the municipal board responsible for the school, since it decides the purpose and means of the processing. For a private school the controller is the company operating the school (typically a limited company).
For online lectures it is also important for the school to think about data minimization, e.g. to use sound and/or video of the students only when it is really necessary. This applies in particular to children, whose personal data merits specific protection under the GDPR. Keep in mind as well that the more sensitive the personal data is, the higher the requirements on the security measures needed for the data to be considered protected. Every balancing of the school's need to collect the personal data against the students' interest in not having their data collected should be documented and kept.
Before starting online lectures it is therefore important for the school to make sure that its information security work complies with the GDPR. The Swedish supervisory authority has created a short checklist for this, which can be found here (in Swedish only). Moreover, as always with the GDPR, there must be a legal basis for the processing. The legal basis "consent" should definitely be avoided, since there is an imbalance of power between the students and the school, which means consent is unlikely to be freely given. Instead, the legal basis "task carried out in the public interest" can be used by both private and public schools.
We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email firstname.lastname@example.org or phone 046 – 273 17 17.
You can also book a demonstration of GDPR Hero here or contact our partner Sällberg & Co via email email@example.com or phone 046 – 273 17 10.