With Spain gradually emerging from its lockdown, the country's data protection authority (DPA) is concerned that certain monitoring measures may become widely used and consequently involve the widespread invasion of people's privacy.
Companies need to adopt sensible precautions to prevent the spread of the coronavirus. But at the same time, they must not infringe individuals' employment and data privacy rights.
This is not an easy balance to strike. Some organisations are considering (among other precautions) temperature-screening processes at their premises to not only protect the health and safety of their workers and visitors but also reassure consumers that it’s safe to come into contact with their products.
Initially the Spanish DPA had taken a more flexible approach, indicating that, in the current circumstances, some additional processing of personal information such as health data could be allowed. But with a growing possibility that temperature checking could become part of the post-corona 'new normal', the Spanish DPA has chosen a narrower approach.
There are three reasons for this change of heart:
- Checking people's temperature means not only dealing with sensitive personal information about an individual's health but also giving someone (in most cases, someone who’s not medically trained) the 'power' to decide whether that individual is infected or not.
- If someone 'fails' a temperature check in public, other people nearby might unintentionally receive personal information about that individual's health (ie the fact that the individual has a high temperature and may therefore have the coronavirus).
- The consequences of 'failing' a screening might have a substantial negative impact on the individual.
Temperature screening raises a number of legal issues, particularly in relation to data protection. Where possible, avoid temperature screening altogether by adapting your premises so that workers can easily keep their distance (eg by providing separate offices or erecting barriers between workstations).
However, if you are not able to do this and plan to introduce temperature screening on your premises, you should consider the following.
Your screening programme should follow instructions or guidelines from the health authorities, particularly on the limits of and the guarantees that apply to the screening methods and equipment.
It should also be for the health authorities to decide which temperature threshold is relevant. Setting your own threshold could lead to claims of discrimination.
Consent and the legal bases for screening
The Spanish DPA considers that any consent given in the current circumstances, where 'failing' the screening would prevent the individual from entering the premises, would not be 'freely given' and therefore falls foul of the EU general data protection regulation (GDPR).
To justify carrying out temperature screening of people coming onto their premises, employers could rely on their obligation to safeguard the health and safety of their staff.
The Spanish DPA suggests that maintaining public health offers a further legal basis for justifying screening. However, it considers that this would require specific legislation on the subject.
The authority rules out legitimate interest as a third possible basis, since the fundamental rights and freedoms of the data subject always override the company's interest, particularly where especially protected data such as health data is involved.
The aim and the accuracy of the data
The Spanish DPA has reminded companies of the following:
- The sole aim of temperature screening is to prevent infected individuals from accessing a certain place. (Some screening devices may collect additional data, or use the data in a way, that would not be justified by that aim.)
- The screening devices must be accurate.
Rights and guarantees
Individuals being screened retain all their rights under the GDPR, including the right to know how the data will be collected, whether it will be retained and, if so, how it will be stored and for how long, etc.
You should consider having a written policy on the screening process that explains how you are complying with the GDPR, such as how long you will keep the data for. You should also update your general privacy notices for workers and visitors.
Ultimately, you should minimise the data you collect by asking only for the information you need, and put in place appropriate data security measures.