Privacy in the era of Covid-19
General Covid-19 requirements
Various measures undertaken in Russia were aimed at ensuring the population’s immunisation against Covid-19. Specific regulations were introduced to ensure health and safety at workplaces (offices, production and trading sites). These measures have been introduced both at the federal level and by regional authorities, and are being constantly updated due to the spread of the virus. In this regard, companies with a presence, or operating, in different regions of Russia should track the regional Covid-19 legislation and comply with different mandatory requirements and follow the state authorities’ guidance.
Covid-19 measures apply to employees, as well as to individuals hired as independent contractors (those engaged under civil law contracts, including self-employed individuals) and agency workers (further collectively referred to as ‘employees’).
Currently, in most regions in Russia, the employers and employees must comply with the following mandatory Covid-19 requirements:
- mandatory vaccination of the employees working in specific industries;
- daily measuring of employees’ temperatures before the start of their work;
- employees with high body temperature, or signs of infectious diseases are not allowed into the workplace;
- ventilation and daily disinfection of the workplace;
- providing employees with masks, gloves (where necessary), and hand disinfectant;
- maintaining the obligatory social distance of at least 1.5 metres;
- wearing masks, respirators, or other respiratory protective equipment (where necessary);
- minimising employees’ in-person attendance at their workplace, as well as limiting direct interaction with each other; and
- informing employees about Covid-19 preventative measures and the necessity of complying with them.
In general, vaccination is voluntary. However, given the current Covid-19 situation and considering that certain industries are at a higher risk of spreading the infection, the majority of Russian regions have introduced mandatory vaccination in specific (listed) industries. Employers in those industries must ensure that up to 80 per cent of their employees have been vaccinated. This requirement extends to all such companies and employees operating in those industries, but does not cover companies operating in other industries in the same region.
For instance, in most regions (if not all), Covid-19 vaccination is obligatory for the employees working in catering, beauty and spas, fitness clubs, swimming pools, laundries and dry cleaners, entertainment centres, museums, libraries, concert halls, public transport and taxis, education, health care and social services, to name a few. It also applies to trade, customer service in banks and post offices, entertainment centres, as well as to mass sporting and physical culture events, among others.
In addition to ensuring mandatory vaccination in those industries, employers are also obliged to report to regional governmental authorities about their employees’ Covid status. Employers are, thus, legally entitled to collect, from certain categories of employees, the respective information about their Covid status. Such information may include not only specific vaccination details, but also related information on compliance with quarantine measures or self-isolation.
An employee’s refusal to get vaccinated
Because preventative vaccination is obligatory for those working in particular industries, an employee’s refusal to be vaccinated restricts their ability to perform their job. An employer is obliged to suspend any employees who refuse to be vaccinated; otherwise, the company may face administrative liability. Another option an employer may consider is transferring such employees to remote working. The choice of the appropriate option is at the discretion of the employer. However, an employer must take some action with respect to unvaccinated employees in these industries.
At the same time, Covid-19 vaccination is not mandatory for those employees who have justifiable reasons to refuse. A list of medical contraindications to vaccination was enacted by the Russian authorities. Should an employee have a medical contraindication on which ground he or she refuses to be vaccinated, the company must obtain the respective information from the employee and may not suspend such an employee from work.
Thus, in order to make a proper decision with respect to the selection of which employees may be potentially suspended, or put on a remote work assignment, employers need to obtain certain information from employees: such information is likely to include sensitive personal data about an employee’s health status.
Fulfilling multiple Covid-19 requirements involves the processing of employees’ personal data (eg, daily results of temperature measurement, data on Covid status) by the employer. Information on Covid status includes the vaccination details, medical contraindication to vaccination, Covid-19 PCR test results, personal insurance account numbers and obligatory medical insurance policy numbers. Additionally, employers in certain regions of Russia must report to the authorities the exact number of vaccinated employees, those who work remotely and those who work on-site. Such reports include employees’ personal information.
Information about health is considered by Russian data protection laws as sensitive personal data. Processing of sensitive personal data is generally prohibited, except for the following cases:
- a data subject has given written consent;
- a data subject made this data available for distribution to an unlimited number of persons;
- processing is conducted for the protection of life, health and other vital interests of the personal data subject or third parties, when obtaining a data subject’s consent is not possible;
- processing is conducted in accordance with Russian laws on state social assistance, labour laws or pension laws;
- processing is conducted by a doctor, medical institution, or other person who must ensure medical secrecy, for medical or healthcare purposes;
- processing is required for defining and executing the rights of a personal data subject and third parties, as well as for judicial purposes; and
- in some other strictly limited cases.
The existing Russian legislation, as well as the clarifications of the regulatory authorities, does not establish any specific regulation for the processing of personal data, including sensitive data, due to newly enacted Covid-19 regulations. Therefore, companies must choose the proper legitimate basis to process Covid-19-related information from the options above, and must comply with the general legislative requirements and principles of processing an employee’s personal data, including in the context of compliance with Covid-19 preventive measures. A company must process employees’ personal data based on such principles as lawfulness, purpose limitation, security and confidentiality, completeness and accuracy, transparency and so on.
The safest option for an employer would be obtaining an employee’s written consent, prior to processing an employee’s sensitive personal data. Moreover, according to the Russian Labour Code, processing of employee personal data should be regulated by the employer’s local policy. This means that employers should also update their data privacy policies to cover the new Covid-19 data processing activities, purposes of data processing and new categories of personal data which are processed.
If Covid-19-related information is transferred to third parties (eg, affiliated companies, service providers, medical institutions), employers should obtain separate written consent on any transfer of employee information to such third parties.
According to Russian data protection and labour laws, an employer may collect employee personal data directly from a data subject. A legitimate basis for processing personal data is also required when Covid-19-related information is collected not from the particular employee but from a medical organisation, a relative of the employee or another representative. Such legitimate basis could be the protection of life, health or other vital interests of the personal data subject or third parties, when obtaining the data subject’s consent is not possible. If obtaining consent is possible, then consent by the data subject is commonly chosen as the legitimate basis for such data processing.
Another important aspect is the retention period for the collected Covid-19-related personal data. According to the general rule, a data controller may process employee personal data until the purpose for which the personal data were collected has been achieved, or during the period of data processing specified in the employee consent form. Once either of the above is reached, the employer is under an obligation to delete (destroy) the data within 30 days. In practice, Covid-19-related information about employees is processed for as long as it is necessary to ensure compliance with the legislative requirements, or until an employee withdraws his or her consent for processing personal data.
Processing of non-employee Covid-19-related data
In the changing epidemiological situation, companies must adapt to ever-changing circumstances, to continue their operations. During the ongoing pandemic, companies' premises may be visited not only by employees, but also by other persons (customers, clients, service providers, etc).
Currently, in some Russian regions, local authorities require that the temperature of visitors is mandatorily measured at the entrance to shopping centres, restaurants, theatres, museums and other places. Some of these facilities require their visitors to provide a Covid-19 QR code or a negative Covid-19 PCR test result, which also requires the processing of sensitive personal data. Processing of such personal data by these organisations is based on their legal obligation.
Conclusions and recommendations
Current Russian data protection legislation does not contain specific rules for the processing of Covid-19-related information. Official clarifications by Russian authorities on the issues related to data processing during the Covid-19 pandemic have not yet been issued either. Therefore, Russian employers need to assess each Covid-19-related data processing activity with a view to potentially having to justify it as processing required for compliance with a legal obligation of an employer in a particular Russian region. Where the data processing goes beyond the scope of the legal obligation, employers should obtain written consent from the employee for the relevant data processing. The authors recommend justifying the processing of sensitive information related to employees’ health by written consent, where other specific grounds for sensitive personal data processing are not relevant. Transfer of employee Covid-19-related personal data to third parties, unless such transfer is required by law, usually also requires employees’ written consent. Companies should also review and update their internal data processing policies, preferably periodically, to ensure that they contain the most current information about Covid-19-related data processing specifics.