Covid-19 and privacy: employer’s rights v employees’ right to privacy
Mercedes Balado Bevilacqua
MBB Abogados, Buenos Aires
MBB Abogados, Buenos Aires
The Covid-19 outbreak has become a global emergency, with devastating consequences in loss of life and international economic decline. Evidence has been produced indicating that the collection, use and sharing of data may make a positive contribution to limiting the spread of the virus.
In general, such data collection and processing, including if for digital contact tracing and general health surveillance, may involve the collection of considerable amounts of personal and non-personal sensitive data. This may, potentially, lead to an infringement of fundamental human rights and freedoms, such as dignity and privacy.
Employer’s right to request information, its duty of safety and protection of data
With the evolution of the Covid-19 pandemic, progress has been made with vaccinations and quarantines have been lifted. Consequently, a legitimate question has arisen regarding an employer’s right to request information from employees about their Covid-19 situation, such as whether they have had Covid-19, any close contacts they may have had with infected persons, and the details of their symptoms, like temperature.
Argentina and many other countries in the world have completed their vaccination campaigns and have fully or partially lifted mandatory quarantines, enabling employers to ask their employees to return to working on site or under hybrid models.
Therefore, in order to return to work, employees are required by their employers, as a preventive measure, to provide information about their Covid-19 status, such as whether they have any symptoms or background illnesses and their level of risk. Employers do this within the scope of their duty of ensuring safety, which implies, among other things, seeking to provide a healthy working environment for their employees.
It needs highlighting that Argentine local laws regard employees’ health data as private and sensitive, so its collection is subject to special treatment.
Under the Personal Data Protection Law (PDPL), health-related data is deemed sensitive information, and it may be collected and processed only if there are public interest reasons that are admitted by law.
In addition, this also requires taking into account Resolution No 4/2021, issued jointly by the Ministry of Health and by the Ministry of Labour. The Resolution allows employers to ask employees to return to their offices, provided that they have had a first shot of any approved Covid-19 vaccine and 14 days have passed since it was given. The Resolution requires employees to present reliable proof of their appropriate vaccination, or declare (as a sworn statement) the reasons why they failed to take the vaccine.
Therefore, in Argentina the requirements are being met allowing employers to collect sensitive data from employees. However, according to the PDPL, employees’ information should be used only for the purpose for which the data was obtained and the employees have the right to access and modify any incorrect or false information. Employees’ Covid-19-related information may not be used for discriminatory purposes and personal data collected for processing must be true, appropriate, relevant and not excessive.
A key point is that the information which employees provide must be destroyed once it is no longer required or relevant for the purposes for which it was obtained. This issue is highly relevant because in Argentina and Latin American countries, employers have installed applications enabling employees to book places at their company´s workplace in order to ensure they maintain social distancing and to forestall employees congregating. Before allowing employees to book a place at work, the applications collect answers to questions relating to Covid-19, its symptoms, and any relevant contacts made with infected persons, as a way of conducting screening on behalf of the employer.
In this scenario, the information is not deleted, while the employees also provide their sensitive health data to a third party, which is not the employer, because, in practice, these applications are operated by third parties, different from the employers.
This situation might expose the employers to such risks as: (1) criminal sanctions for disclosing to third parties information which is registered in a personal data bank and which should be kept secret by legal requirement, which may involve imprisonment for six to 36 months; (2) civil remedies: where employees of an employer that infringes their rights under PDPL may file a complaint to court for damages and request an order requiring the employer to stop the infringement or block the personal data in question; and (3) administrative fines: apart from any liability for damages for failure to observe the PDPL, and applicable criminal penalties, the supervising authority may apply sanctions in the form of a warning, suspension, a fine of ARS 1,000–100,000, and close or delete the file, register or database.
Under this scenario, to ensure that the mentioned exposure is minimised, employers must check the information that the application is collecting, reduce the questions regarding Covid-19 and avoid all details of symptoms. Employers must give clear information to employees on who is going to collect their data, for how long and in which country. Employers must obtain the employees’ express and written consent. The consent has to include details, and clear information about the data collection. Employees may refuse to provide sensitive information to a third party, especially if they will not be able to exercise the right of access, rectification and deletion of their personal data.
Employers will have to take personal care in sharing the information with the application’s owner in order to be in line with PDPL and guarantee that employees’ Covid-19 information will not be stored indefinitely. Also, employers must provide a registered database and ensure that employees will be able to exercise their rights over their personal and sensitive data.
In summary, the collection of sensitive data regarding Covid-19 is allowed by law, if the employer fulfills the mentioned legal requirements. Also, there must be harmonisation between the law and technology in order to ensure that employees’ health data and their privacy are protected.