Privacy in a pandemic: a guide to health data processing rules in Europe

As employees start to return to work, many firms will be wondering what the rules are when it comes to collecting and processing health data and, crucially, conducting virus-related testing. We talk to a privacy expert to assess some of the rules emerging from different countries within Europe.

The spread of the novel coronavirus has had monumental ramifications on the day-to-day business operations of organisations across the industrial spectrum. Companies of all types and sizes have had to dramatically rethink their approaches to conducting business, with many having to employ robust remote working policies, pivot their revenue models, and instill new and innovative management practices.

However, as governments start to ease their restrictions and more employees physically return to work, many firms might be wondering what they're permitted to do with regard to collecting and processing health-related data and carrying out virus-related testing.

In the United States, the EEOC issued guidance back in 2009 and updated it in March 2020 in response to the COVID-19 pandemic, specifically confirming that the current pandemic permits employers to measure their employees' body temperatures before allowing them to enter the worksite. Outside the US, however, the situation is a bit more complex. This is especially true in Europe, where these kinds of practices are covered by the General Data Protection Regulation (GDPR), with even simple temperature checks being dependent on country-specific interpretations of these laws.

Essentially every country in Europe holds at least a slightly different interpretation and a specific set of laws governing what constitutes valid data collection and processing in relation to the pandemic. This can make for a confusing environment, especially for businesses with multiple locations or offices in different European countries. To cut through some of this confusion, we spoke to Paul Lanois, director of technology, outsourcing and privacy at law firm Fieldfisher. We consulted Lanois to assess some of the different approaches of countries within Europe when it comes to health data processing and, specifically, whether organisations are allowed to conduct temperature testing.

Overall, we found that there can be large discrepancies between any two individual approaches, and it is thus hugely significant to pay particularly close attention to the specific country and its relevant laws.

The restrictive countries
