
Social Distancing in Workplaces: A Paradigm Shift for Privacy Policy

Published in Privacy by AA

After almost two full months of lockdown, from May 4, 2020, Italy will finally start the so-called Phase 2 in fighting COVID19. Indeed, now that the number of new cases seems to be (slowly) decreasing, Italy is starting to gradually re-open its economic and social activities.

During a press conference held on Sunday 26th of April, the Italian Prime Minister explained to citizens what activities will be allowed to start again after May 2020 and, most importantly, to what extent people can start to both work again and travel throughout Italy [1].

“Distance” was the main theme underpinning the entire press conference. Indeed, during Phase 2 as well, Italians must keep social distance from one another in all aspects of their lives, including workplaces.

As at the beginning of the COVID19 crisis, when international observers started to carefully observe which restrictive measures were implemented in Italy, an analysis of the social-distance measures to be implemented in Italian workplaces today can be interesting and useful for other countries as well. Therefore, after an initial phase of general euphoria due to the possibility for about 4.5 million Italians to get back to work, questions abound.

Even before COVID19, Italian employers had to ensure health and safety conditions in workplaces. However, with the start of Phase 2, the burdens placed on employers increased. For that reason, to help employers establish what “social distance at work” means concretely, from the start of the crisis and all throughout it, the Italian Government has provided a series of regulations and executive acts aimed at providing clear explanations on what to do. These include a protocol (the “Protocol”) signed with trade unions on March 14 and now integrated with new provisions, considering also the foreseen re-opening on May 4 [2].

To fight the spread of the virus, the Protocol introduces a series of new obligations for employers, who shall provide employees with adequate measures of protection (masks and gloves, for example), but who may also implement temperature checks at the entrance of the work premises. The exact modalities (including the technological instruments) according to which temperature measurements will be taken are left to the discretion of the individual employer, who, in any case, shall ensure the proportionality and effectiveness of the instruments adopted. Moreover, employers shall ensure distance within work premises: in concrete terms, this means that desks should be separated in offices, barriers among desks might be implemented, and different walkways identified for the entry and exit of premises.

Besides these organizational and more practical measures, the Protocol extends the perimeter and scope of the traditional processing of employees’ personal data that employers normally carry out.

Employees are now obligated to inform their employer if they have an alteration of their body temperature up to 37.5 degrees Celsius and if, during working hours, they start to show symptoms compatible with COVID19. Before COVID19, in Italy, employers did not receive this much information on the health conditions of their personnel.

What appears clear is that the Protocol introduces a shift in the paradigm of the traditional relationship between employer and employees, pursuant to which employers now can (must) be informed about detailed health conditions of their employees.

From a data protection point of view, this shift in paradigm can be easily “covered” by the umbrella represented by the general principles and specific provisions of GDPR, which can be found applicable during this time as well.

For example, the processing of health data can be considered lawful if an adequate privacy policy is distributed among employees, whereby, at least, the following should be clearly provided:

  • the legal basis for the processing, which can be identified in article 9 paragraph 2 letter b [3] of GDPR;
  • that the processing operations will last until the end of the COVID19 crisis (as of today, the 31st of July 2020);
  • that the amount of personal data collected is minimized by using the most appropriate and proportionate technological tools, ensuring that the data collected are concretely necessary to ensure the security of the employees on work premises. According to this consideration, it is not necessary to buy and put into operation a thermal scanner for 5 employees; a simple thermometer might be enough. This also means that if the temperature checks do not reveal fever up to 37.5 degrees Celsius, there should not be any need to record this information and to correlate it with other information on the individual, since this process could lead to his or her identification;
  • duly explained appropriate security measures for protecting the privacy of individual employees;
  • a clear indication of the subjects with whom the personal data collected might be shared.

 

However, there are still some blind spots in the wording used by the Protocol concerning how such information might be processed, used, and exchanged in the employee-employer-public authority relationship, without creating discriminating situations.

Besides temperature checks at the entrance of work premises, the Protocol establishes that employees shall communicate their temperature measurement to their employers and, in case of COVID19, they can’t leave their houses. This means that this kind of check will be performed also at home. However, how should this communication occur? Whom should it involve, the Human Resources manager and the company’s doctor? Or also potentially interested co-workers previously in contact with the subject? And what if one of those co-workers spreads the news to other people?

And what about relatives and co-inhabitants? What if the employee is perfectly healthy or is asymptomatic, but one of the relatives is sick? Is there a duty to disclose? Not for employers, according to the Protocol, which only states that an employer must collaborate with the competent public authority in identifying “close contacts” of the sick individual, without specifying if these persons are only co-workers or also relatives. But if we think that the purpose of implementing the company’s guidelines is to protect all the individuals that go to work every day, it appears clear that, to a certain extent, this kind of information should be shared, as well.

The same problem might arise in relation to work premises shared by several companies, such as building sites or co-working offices. The Protocol simply sets forth an obligation to inform everyone who is entering the work premises about the countermeasures adopted, obligating everyone (providers, visitors, etc.) to abide by the guidelines made available by the responsible employers. But again, what about situations in which an employee of a company in a co-working space gets sick and he or she communicates as much to his or her employer? Does the latter have a duty to also tell the other companies that share the office space? Or the office space provider?

In this respect, the Protocol explicitly cites only contract companies, providing for a duty to share the information concerning a positive COVID19 case, which to a certain extent can be understood and explained considering the legal obligations regulating the relationship between the principal and the contractor. Nevertheless, article 14 of law decree no. 14 of March 9, 2020, already provides for the possibility to communicate personal data (not falling within the categories of articles 9 and 10 of GDPR) to “public or private bodies” if said data are indispensable for the “performance of the activities connected to the management of the health crisis”.

Even if the wording used by both the Protocol and the aforementioned law decree is not completely clear, by applying a teleological method of legal interpretation (i.e. the necessity to ensure the protection of the individual), employers potentially might share that information. Provided, of course, that security is balanced, to a minimum extent, with the fundamental and undeniable right to privacy of the individual concerned.

It is therefore in this light that the guiding principle in providing company guidelines should be a balance between the right to privacy and the right to live and work in a healthy environment. The balance itself should be found in the protection of society as a whole, of which individuals are essential elements, and where stigmatization or discrimination are to be avoided at all costs.

In practical terms, this balance might be put into practice by applying the following suggestions:

  • Introduce and support a form of trustworthy and reliable communication as a company strategy, according to which employers explain why it is necessary for the employee to share his or her health conditions, ensuring him or her anonymity. In a trusted environment, where an individual feels part of the company and not simply of an economic organization, it would also be likely that the employee will check her or his temperature even before leaving home, and most importantly he or she might also communicate if a relative is sick.
  • Inform employees in plain language of the consequences of testing positive for COVID19, or of sickness, including the reassurance of the support of the company for the individual and for the family affected. The company should not be perceived as an antagonist, and it shall ensure that no forms of discrimination occur.
  • Distribute a tailored privacy policy, which clearly indicates the kind of personal information collected, the reasons for collecting it, the length of time it is kept, and with whom it is shared.
  • Ensure the minimization of the amount of information collected and include a strict application of the need-to-know principle in terms of exchange of the data with public authorities, but also with the rest of the personnel.
  • Design common guidelines with all the companies that are sharing the same working environment, providing for a wide acceptance of forms of communication among them.

Most importantly, make sure that the individual is at the center of all the actions and countermeasures adopted. In other words, promote an environment in which she or he can feel like an integral part, not a potential obstacle, of the strategy for tackling the virus in this crisis.

[1] https://www.gazzettaufficiale.it/eli/id/2020/04/27/20A02352/sg

[2] Protocollo condiviso di regolazione delle misure per il contrasto e il contenimento della diffusione del virus Covid-19 negli ambienti di lavoro, https://www.fiscoetasse.com/upload/protocollo_24_APRILE.pdf

[3] (…) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (…).
