Data Protection

The below frequently asked questions were provided by Mr Ian Deguara, Commissioner at IDPC during a webinar entitled Data Protection during COVID-19.

1.  Malta Enterprise is asking employers to obtain employee consent before submitting staff personal data details to ME for COVID Wage supplement. In this case, how should we deal with this request, seeing that employee consent is not considered ‘freely given’? Would a staff member’s signed agreement be sufficient?

In principle, consent in the employment context is not freely-given and not considered to constitute a valid consent due to the imbalance of powers that exists between the employer and employee. Therefore, employers should not rely on consent to legitimise processing activities in the employment field. On this specific issue, this Office has already contacted ME to amend the online form accordingly.

2.  If consent from an employee is null and void as they cannot use consent, what about asking family members for consent, ex: to get evidence of swab being negative?

Consent in the employment field is not considered to be freely-given given that the employees have no genuine or free choice. As an answer to this question, it is important to note that the employers’ contractual working relationship is with their employees.

3.  In order to apply for quarantine leave, in the application we are asked to provide the ID card and D.O.B. of, for example, a person who has been abroad; this person is not our employee but lives in the same residence as our employee who had to go on quarantine leave. We gave a consent form to both our employee and the third party, by which they were asked to give us authorisation to process this data in order to apply for quarantine. Did the company do wrong by this consent form?

Consent is not the proper legal basis in these cases. Whereas employers need to ensure that they observe health and safety regulations and, consequently provide their workforce with a safe working environment, particularly during these trying times of the pandemic, in the absence of a specific national law allowing for such processing, the collection of information about third parties is considered to be not proportionate and excessive.

4.  Employees eligible for quarantine leave are receiving a letter issued by the superintendent of Health. Can we attach the letter with the application form when applying for reimbursement for quarantine leave?

The most data protection friendly approach is for the employer to take note of the letter without retaining a copy.

5.  In case a company has a suspected infected individual, and the individual fails to obtain an appointment for testing, can the company call 111 on their behalf to book an appointment for them?

This is not possible as the COVID-19 Helpline 111 will not engage with a third party who speaks on behalf of another individual. 

6.  If we know of a staff member who may have been exposed to the virus, can we consider it as protecting vital interest of other data subjects and inform other employees who were in contact with that person, so that they can quarantine / test themselves?

Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

7.  Can the employer ask the employee for proof (copy of email from health authorities) that covid test was negative, in order to protect other employees at the place of work?

No.

8.  If an employee tested positive for the virus, but is now recovered. Can the Company still ask that employee to provide an additional doctor certificate as proof of this?

Yes, however the certificate shall not contain any health information but only whether the employee is fit or otherwise to report for work.

9.  If an employee reports sick, is it justifiable in this situation for an employer or its representative to ask the employee about his/her ailment? This is seen in a situation where a company doctor is not sent to visit the employee.

No. Generally, the rule is that the medical practitioner engaged by the employer should inform the employer with a ‘fit-for-work’ report following the assessment of the employee’s working capacity. Having said that, there may be specific cases, which are to be considered as an exception to the rule, where the practitioner would be required, in line with her or his professional duties, to provide a detailed report about the medical condition of the employee.

10.  If a staff member enquires about a colleague who has gone out on sick leave and if they had done the test, can we inform the same staff member of the outcome of the test to put their mind at rest that they are safe? Of course, in order to do that I will be exposing that the person on sick leave has done the swab.

Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

11.  I work in the Educational sector and I have registered to a local educational site, using my personal password. I should think that passwords are part of data protection. Should they have sent me a thank you mail with my password seen?

This approach goes contrary to the implementation of the integrity and confidentiality principle.  Sending the password that would have been created by the user in plain text and without any form of security safeguards certainly poses serious data protection risks.

12.  Upon return to the office, would we need to wear masks? Should we implement a space restriction in terms of seating? Can we check employee’s temperatures before they come in?

Where the devices used for temperature measurement do not in themselves store, record or otherwise register such measurement or any other information to identify the data subject, such as an image, the processing operation, in principle, does not fall within the material scope of the GDPR. This is based on the assumption that no records, being either in a manual form and intended to form part of a structured filing system or in electronic format, are created, retained or somehow linked or synchronised to a database of personal records. Having said that, this specific issue is currently being discussed within the structures of the EDPB.

13.  We have been hearing of some countries using apps to monitor people with the virus. Obviously these apps use either location data or telecoms data. What’s your view on this pls?

The EDPB issued guidelines on this specific subject which are accessible at the following hyperlink: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042020-use-location-data-and-contact-tracing_en

14.  Can an employer ask his/her employees whether they had applied for any medical benefit through the Department of Social Security? Can an employee refuse to give this information?

It shall be within the remit of the competent authorities or departments to assess and make the necessary verifications to ensure that those who apply for the wage supplement do indeed qualify for such benefits and if they have reasoned suspicions of abuse, use their powers pursuant to their applicable laws to take the necessary action against those applicants.

15.  At the moment we are taking temperatures of our employees before starting their shifts. Can we keep log of the temperatures?

No, there is no legal basis for employers to retain this kind of information about employees.

16.  To what extent can employers monitor their employees if they work from home?

Opinion 2/2017 adopted by the then Working Party 29 on data processing at work provides, inter alia, information on the application of data protection rules in relation to monitoring ICT usage at the workplace.

17.  Do we have to hide employee signatures in internally signed documents or agreements such as Standard Operating Procedures (SOPs) that have to be forwarded to our suppliers?

Employees’ signatures, which relate to an identified or identifiable natural person, would have been provided by the employees in the context of discharging their work duties and not in a personal or private capacity. Therefore, from a data protection point of view, there is no need to redact such information.

18.  If employees need to attend private residences as part of their duty/get into proximity of customers, are there any issues with contacting customers prior to the visit and asking them for information as to whether any residents in the premises are quarantined or infected to safeguard our employees?

If no personal data is requested from your customers, the request for information falls outside the material scope of GDPR.

19.  Restaurants partial reopening. Discussions are under way in other countries whereby the temperature of customers coming in and a consent form with the customers’ data being given on entry to sit down dining. This information to be used solely by the Health Authorities for contact tracing in case a customer or member of staff gets the virus. What position should Malta take with GDPR in mind with these suggestions for conditions of partial opening of restaurants?

Where the devices used for temperature measurement do not in themselves store, record or otherwise register such measurement or any other information to identify the data subject, such as an image, the processing operation, in principle, does not fall within the material scope of the GDPR. This is based on the assumption that no records, being either in a manual form and intended to form part of a structured filing system or in electronic format, are created, retained or somehow linked or synchronised to a database of personal records. Having said that, this specific issue is currently being discussed within the structures of the EDPB.

IDPC has issued guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccinations:

https://idpc.org.mt/idpc-publications/guidelines-on-vaccination-status-employment/