The State Data Protection Inspectorate of the Republic of Lithuania has published information regarding processing of certain personal data in connection with the current situation due to coronavirus (COVID-19).
What personal data can be processed by the Employer?
In assessing the need for additional safeguards – to oblige employees who have worked together or who have been in contact with a sick (symptomatic) person to undergo quarantine, create conditions for remote work or medical examination, the Employer has the right to process information:
- whether the person has traveled to a “state of risk”;
- whether the person was in contact with a person that has traveled to a “state of risk” or sick with COVID-19;
- whether the person is at home due to a quarantine (without giving a reason) and the period of quarantine;
- whether the person is sick (without specifying a specific disease or other cause);
- the fact of remote work and other restrictions on the employee’s work;
- other necessary data.
The Employer shall collect the data in accordance with the data minimization principle indicated in the General Data Protection Regulation (GDPR), i.e. the minimum that is necessary to achieve the purposes and not to collect redundant data.
What actions should be avoided by the Employer?
The Employer should refrain from collecting temperature readings of staff or visitors, medical records, or other. This cannot be considered as an obligation on the Employer.
Where global measures to control the current situation such as restriction of missions and meetings, cancellation of events, ensuring certain hygiene requirements are in place, data controllers should not violate the right of their employees or other data subjects to the protection of personal data, for example, they should not be required to provide personal data which are not necessary to ensure the execution of the procedure established.
It is advisable to avoid mentioning the names of COVID-19 sufferers in order to avoid possible subsequent exclusion or discrimination.
Information provided for the employees
The Employer shall properly inform the employees of the purpose and scope of the information collected.
The data controller should take active steps to inform the employees about symptoms, potential risks, ways of managing them, measures to be taken, opportunities for teleworking, the duty of employees to report on COVID-19 or similar symptoms, etc.
Can processed lists (other personal data) be disclosed to public authorities for public health purposes?
Requests for personal data must be assessed on a case-by-case basis, for example, where statistics are requested, the controller (data processor) should not provide data identifying the particular data subject.
We do recommend documenting each case of personal data submission to ensure later implementation of the accountability principle.