Legal requirements of processing health data by employers during the COVID-19 pandemic

There has long been a debate among privacy professionals about the use of health data and its limitations, as well as the right lawful basis to be applied for its processing. It is obvious that some industries depend on processing of health data, such as the research and health care industries, more than others – for example, your average retailer.

Although any average employer is entitled to process health data in the limited context provided by Art. 9(2)(h) of the European Union General Data Protection Regulation (GDPR) for “occupational medicine, for the assessment of the working capacity of the employee,” the need to limit and prevent the spread of the coronavirus in the context of the Covid-19 pandemic, especially in the workplaces, has led employers to try to collect health data beyond the context of Art. 9(2)(h).

Recital 52 of the GDPR allows for processing special categories of personal data, including health data, for “the prevention or control of communicable diseases and other serious threats to health,” and Recital 53 clearly limits such data to be processed for health-related purposes “only where necessary to achieve those purposes for the benefit of natural persons and society as a whole,” and only where EU member state law is providing “specific and suitable measures” to protect the data.

There is also a serious limitation that emphasizes that such processing should not result in the data being processed for other purposes by third parties, such as employers or insurance companies.

What exactly does health data means?

Art. 4(15) of the GDPR provides a short definition of “data concerning health,” meaning “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

Health data can be found in a variety of documents, such as medical certificates, results of medical tests, and hospital discharge papers and, in most cases, they originate from health care units such as hospitals or medical clinics.

Most important is that the data can be linked to an individual; for example, a simple X-ray that shows a broken arm is not personal data. However, if the name of the patient is written on the X-ray, we are in front of medical data.

Where does health data come from?

According the European Data Protection Board (EDPB) “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak,” data concerning health can be derived from different sources, for example:

  • Information collected by a health care provider in a patient record (such as medical history and results of examinations and treatments)
  • Information that becomes health data by cross referencing with other data, thereby revealing the state of health or health risks (such as the assumption that a person has a higher risk of suffering heart attacks based on high blood pressure measured over a certain period of time)
  • Information from a “self-check” survey, where data subjects answer questions related to their health (such as stating symptoms)
  • Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to, or presence in, a region affected by COVID-19 processed by a medical professional to make a diagnosis)

“National flavors”

Although the GDPR is applicable in all EU member states, there are different approaches where member states issue local guidelines on processing of health data during the Covid-19 pandemic. The purpose of these guidelines is to try and balance the increasing need of employers to collect and process health data, the public interest to control and limit the spread of the disease, and the rights and freedoms of the employees.

As you can see from the comparison table below, there is not a single approach among the Supervisory Authorities in Europe.

Processing of health data: What is allowed in particular EU countries

Technical and organizational measures

If allowed, where medical data is collected, there is a need for a set of technical and organizational measures to ensure compliance with the provisions of Art. 32 of the GDPR.

Although the provisions of Art. 32 are quite broad, at least the following measures should be considered:

  • Implement a set of security policies to regulate the way health data is protected within your organization.
  • Consider appointing a Data Protection Officer.
  • Perform a Data Protection Impact Assessment to address any possible risks to the rights and freedoms of the data subjects.
  • Use encryption and/or pseudonymization where it is appropriate to do so.
  • Set a limited retention period for any health data collected from employees.
  • Include specific information about your processing of special categories of data in your Privacy Notices.
  • Avoid using consent for processing health data of your employees.

Be careful when processing medical data in Europe

Due to the different opinions issued by Supervisory Authorities around Europe, it is advisable to avoid processing of medical data unless you have a clear legal ground, and preferably a legal obligation, if you are not a health care provider. If you have such a legal obligation, be sure to apply extra caution when processing health data, as the rights and freedoms of the data subjects may be seriously affected if the processing is unlawful. Also, remember to keep an eye on the website of the European Data Protection Board, as well as your local Supervisory Authority, for further guidance and opinions.

To learn what the process of GDPR compliance looks like, download this free Diagram of the EU GDPR implementation process.