On March 6, 2020, the CNIL published recommendations on the collection of personal data in the context of COVID-19. Health data is particularly protected within the framework of a series of regulations (notably GDPR, French Data Protection Act and French Public Health Code).

Restrictions

The CNIL insists that employers cannot take measures likely to impair the privacy of the data subjects, in particular, by collecting health data that would go beyond the management of suspected exposure to the virus.

For example, employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee/agent and their relatives. It is, therefore, not possible to implement, for example:

  • Mandatory readings of the body temperatures of each employee/agent/visitor to be sent daily to their hierarchy
  • The collection of medical files or questionnaires from all employees/agents

Lawful Processing

As part of its actions to prevent occupational risks, the employer can:

  • Make employees aware and invite them to provide individual feedback of information concerning them in connection with a possible exposure, to the employer or to the competent health authorities
  • Facilitate the transmission of information to the competent health authorities by setting up, if necessary, dedicated channels
  • Encourage remote working methods and encourage the use of occupational medicine

During the influenza A (H1N1) epidemic in 2009, the CNIL published an exemption to register processing activities implemented within the framework of business continuity plans (BCP) relating to a pandemic influenza implemented by public and private employers. The only purposes of the processing activity are (i) to contribute to the development of a BCP by identifying people who may be unavailable due to their family situation and/or their mode of travel; and (ii) in the context of monitoring the BCP, to warn the personnel of the measures taken by the organization; or (iii) to carry out all non-nominal statistical processing linked to the development and activation of the plan in the company. Processing of this data is only lawful if a certain flu pandemic stage is reached and the data must be erased when the health risk disappears. Although this text has no longer had any effect since the entry into force of the GDPR, it remains a good indication of what the CNIL considers proportional and lawful.

In the event that a report is made to the employer, the latter may:

  • Record the date and identity of the person suspected of having been exposed and the organizational measures taken (confinement, teleworking, orientation and contact with the occupational doctor, etc.)
  • Communicate to the health authorities who request the elements related to the nature of the exposure, necessary for possible health or medical care of the exposed person

According to the CNIL, each employee/agent must, for their part, implement all means in order to preserve the health and safety of others and of themselves (article L.4122-1 of the Labor Code). They must inform their employer in case of suspected contact with the virus.

The processing of actual health data is the responsibility of the health authorities, qualified to take the adequate measures considering the situation. The CNIL invites individuals and professionals to follow the recommendations of the health authorities and to only collect data on the health of individuals who have been requested by the competent authorities.

CNIL 2020 investigation program

On March 12, 2020, the CNIL announced its investigation program for 2020. It will focus, among other topics, on the security of health data. The CNIL clarified that “recent news related to health issues (telemedicine, connected health objects, personal data breaches in public establishments …), demonstrates the attention that must be paid to the security of health data”. Although this is specifically intended to cover activities by healthcare professionals, the CNIL will also take an interest in activities of organizations relating to the health of employees or visitors, when carrying out an investigation on this particular topic or any other.