European Data Protection Authorities have made their mark on a topical issue in COVID-19 ('Coronavirus') containment: on-premises workforce temperature scanning.
General approach in Italy
The Italian standpoint seems rather clear following the protocol agreed by the major Italian Trade Unions and the Cabinet to implement workplace safety measures (see our take and some practical hints here and here). When temperature scanning is deployed at workplace entrances, it is mandatory for personnel entering the premises, and reluctant employees can be denied entry (as the general principle of safeguarding public health prevails). From a privacy standpoint, employers are granted a legal basis for personal data processing, together with recommendations on how to collect and process the relevant data fairly (these relate to the principles of data minimisation and non-discrimination against the individuals being scanned, keeping in mind that fever is a generic symptom and, until proven otherwise, does not demonstrate Coronavirus positivity).
General approach in the UK
The ICO advises that any data collected from employees must be necessary and proportionate. This means that if different ways to collect data about employee temperature exist, then the least privacy-intrusive way should be used. So, for example, a preferred alternative would be either to ask employees to self-report whether their temperature is high or not, or to scan employees individually, rather than to take temperatures by thermal imaging technologies. The ICO suggests that if temperature readings are taken by employers, the latter should be mindful not to store this data. If an employee is sent home as a result of their temperature, employers should only record that the employee went home to self-isolate, not the temperature.
European Data Protection Authorities: standpoint
In Spain, the AEPD believes that this temperature-taking processing represents a particularly intense interference with the rights of data subjects, since it relates to health data. Therefore, the collection of temperature data must be governed by the principle of lawfulness and it should be applied only according to the criteria defined by the health authorities. Besides this, the AEPD underlines that temperature data should be obtained only for the specific purpose of detecting possible infected persons while avoiding their access to the workplace and potential contact with other people therein. This is applicable especially in cases where the taking of temperature is carried out using devices (such as thermal cameras) that offer the possibility of recording and storing the data or processing additional information, in particular biometric data. In these cases, employers must pay special attention to the principles of limitation of purpose and data minimisation established by the GDPR.
In France, the CNIL states that employers who would like to take steps to check the health status of their employees must rely on occupational health services. Except where this is provided for under the applicable framework, employers are prohibited from serially storing employees' temperatures, as well as from installing automatic temperature detection tools (such as thermal imaging cameras). However, manual temperature measurements at premises entrances, without storage, are not subject to the regulations on the protection of personal data.
In Poland, by contrast, the UODO comes down in favour of temperature measurement and affirms that the protection of personal data is not threatened by actions related to counteracting Coronavirus, such as measuring temperature. Nevertheless, it emphasises that the solutions adopted by employers should be implemented on a legal basis designated by the Chief Health Inspector.
In The Netherlands, the AP takes the most negative attitude towards temperature measurement, stating that it is not allowed to take people's temperature, especially without the authorisation of those involved. However, valid consent in the employment context is questionable, as an employee wishing to refuse temperature scanning may fear harmful professional consequences. Nevertheless, in the AP's opinion, the GDPR does not apply if the temperature is not stored or does not otherwise end up in an automated system.
In Belgium, the APD has taken the most analytical position, examining the issue from several different perspectives. The simple scanning of the temperature does not involve data processing (unless the results are recorded), meaning that in such circumstances the GDPR does not apply. The GDPR would apply if temperature processing takes place using an advanced digital process (e.g. electronic detection through a thermal camera capable of storage).
Notwithstanding the differences, a few common points seem to prevail:
- If temperature information is not registered and stored, there is no personal data processing regulated under the GDPR.
- If temperature information is registered and stored then employers must:
  - Look for a lawful basis for processing, likely to be established by the relevant health authorities and/or in statutory law;
  - Be fully transparent with the affected employees; and
  - Collect the minimum information necessary for health and safety at work and erase this information within a few weeks (if not days) following collection.
What should employers do?
Authorities provide no explicit and prescriptive information on how to actually carry out the on-premises temperature scanning at stake. In such circumstances, employers should rely on their own internal procedures and policies to add a further layer of health and safety compliance in the workplace.
From a privacy standpoint, the best approach is to take temperature readings without recording them. Where that is impossible or insufficient, the guidelines below should be followed.
In practice, a general approach of caution and non-discrimination during temperature scanning should be followed, along with other practical expedients, such as a specific provisional containment area for suspected cases and a double check for any unclear or inaccurate temperature reading. For example, certain automatic measuring instruments that simultaneously detect the temperature of several people could have a tolerance margin, so the measurement is not always effective and it may be necessary to proceed with a manual measurement. In this regard, vendors who provide such technology should be well vetted.
As to the minimisation of data, employers can, for example, record the names of individuals actually surpassing the 37.5° threshold, perhaps together with the circumstances that prevented entrance at the relevant venue, without keeping the actual temperature value. If there are no official guidelines on the retention periods applicable to such data, employers should keep these records for no longer than 14 days.
In this health emergency context, the most commonly used tools for temperature measurement are thermal cameras. They are truly effective support tools: they screen temperature in an extremely reduced time compared to traditional solutions, which makes them particularly suitable for highly frequented places with people in continuous transit, where speed and precision are needed. Notwithstanding the advantages, many of the Authorities mentioned are sceptical with regard to their use, since personal data can be recorded without the data subjects being aware of it. The French CNIL is particularly suspicious of these devices, especially if installed in public places. The Authority is worried about the automatic processing of personal data that may occur during their usage and asks for a specific legal framework to regulate them, based on the principle of proportionality. Accordingly, employers in jurisdictions with more conservative Data Protection Authorities should carry out a data protection impact assessment before installing thermal cameras.
All affected employees need to be made aware of the temperature scanning taking place, whether that takes place by automated means or not. Even if a specific lawful basis for this type of data processing is not spelled out in regulatory guidance or legislation, employers should rest assured that no general prohibition of such practices is to be found in the GDPR.