Are Coronavirus checks on employees and visitors privacy compliant?

Coronavirus checks are run by a large number of companies, but their privacy compliance has rarely been ascertained because of the urgency.

Given the emergency of the last few days caused by the spread of the Coronavirus, I have noticed that several companies have adopted body temperature checks and questionnaires to be filled in at the entrance of their buildings by any employee or visitor, along with surveys sent to suppliers to track their movements over the last few days.

To help companies handle the current situation, below is a list of do’s and don’ts on privacy-related matters connected to the management of Coronavirus checks:

Top 3 don’ts on privacy issues relating to Coronavirus checks

1. Is it possible to collect information on movements, pathologies, or temperature of employees, suppliers, or visitors?

In the vast majority of cases, the collection of personal data is not necessary, and the data collection might be unjustified under the data minimization principle. This approach has recently been confirmed by the Garante, the Italian Data Protection Authority, and reiterated by the CNIL, the French privacy authority.

2. Is the detection of temperature and the collection of answers to a questionnaire in the presence of employees, suppliers, or visitors processing of personal data? Are the collected data anonymous?

Even the mere display of the body temperature and the answers to a questionnaire (even negative answers) constitute processing of personal data. Such data are not anonymous, since the collection occurs in the presence of the individuals, who are then identified or already known.

3. Is it possible to investigate movements, contacts, and health conditions of employees, suppliers, or visitors?

No, private companies are not in charge of investigating the movement of individuals; public authorities have to perform such activities.

Top 3 do’s on privacy issues relating to Coronavirus checks

1. Informing individuals

Place a notice at the entrance of the building and send a communication to clients and suppliers indicating that, if they have been in at-risk areas, have been in contact with persons at risk, or have flu symptoms or just a fever or cough, they cannot access the company’s building, while also encouraging smart working practices.

2. Let individuals run checks themselves

If the top management wants to protect the company against individuals who might not know that they are sick and might enter the company’s building, make some thermometers available at the entrance of the building so that employees, suppliers, and visitors can check their temperature themselves, without being seen by others and after having received the notice in point 1 above.

3. Ensure privacy compliance of processing of personal data

If the top management wants in any case to check the body temperature of employees, suppliers, or visitors at the entrance of the company’s building, it is possible (but not recommended) to have a medical practitioner at the entrance of the company’s building. He will provide his own privacy information notice and collect privacy consent to the processing of health data, checking the temperature in an area of the building not visible to third parties and not recording the body temperature.

I have read several comments from other privacy experts arguing that checks do not need consent from individuals since they might be based either on public interest or on the need to protect vital interests. However, public interest needs to be identified by a primary law that has to expressly authorize the data processing activities, which – as far as I am aware – has not happened. As for the purpose of protecting vital interests, I doubt that checks performed by private companies according to modalities that are determined at their discretion can meet the requirements provided by this legal basis.