Coronavirus: The measures taken by the Italian government and read-across on privacy matters

published on 19 March 2020 | reading time approx. 2 minutes

The Italian government has adopted the “shared Protocol to regulate measures to tackle and contain the spread of the Covid-19 virus in the workplace”. The Protocol is the result of the mediation with the national trade unions representatives and addresses the issue of the need to collect information regarding employees accessing the employer’s premises, aiming to prevent the spread of Coronavirus.

Namely, art. 2 of the Protocol sets forth that “the employee, before accessing the workplace, may be subject to control of body temperature. If it turns out to be over 37.5 degree (Celsius), access to the workplace will be forbidden. People in such conditions – see footnote – will be temporarily isolated and supplied with masks. Such people shall not reach the emergency room and/or office infirmaries but shall contact as soon as possible their doctor and follow his instructions.
 
The employer shall notify the personnel and visitors on the access ban to the company premises for those having had contacts with subjects resulted positive to COVID-19 or coming from restricted areas during the last 14 days- as instructed by WHO”.
 

Many are the read-across with privacy matters of the Protocol, which provides for:

• Taking body temperature without recording the resulting data;
• If necessary, recording the threshold (37.5 degrees) crossing only as a proof  of the inhibited access to workplace;
• Providing employees with privacy notice (even as an integration of the previous notices, by omitting the information already provided to data subjects). To that effects:

1. The purpose of data processing is predicated on the prevention from COVID-19 infection;
2. The legal basis is represented by legal obligation fulfillment such as, namely, art. 9, para. 2, litt. b) GDPR; the implementation of security protocols from contagion as per art. 1, no. 7 litt. d) of Italian Decree of Prime Minister of March, 11th 2020 and as per the Protocol in mention;
3. The possible data retention is legitimate and allowed until the end of emergency status;

To define adequate security and organizational measures in order to protect data. Specifically, on the organizational sight, it might be necessary:

• To identify the subjects in charge of the data processing;
• To provide those subjects with proper instructions (i.e. to be specified within the appointment letter or through procedures/guidelines);
• If external subjects, to enter into a data processing agreement/ to integrate the existing data processing agreement, appointing them as data processors;
• Not to release or disclose to third parties the collected data, except for the specifically law-regulated cases (i.e. in case of request from the health authority, in order to collect and monitor the potential “contacts” of a COVID-19-positive employee);
• To ensure best practices to protect employee’s privacy and dignity in case of temporary isolation, due to the crossing of the temperature threshold. Such warranties should be ensured even if the employee reports to HR to having entered in contact with COVID-19-positive subjects outside the workplace and in the case of access ban of the employee showing fever and respiratory infection’s symptoms during working hours. In such a case, the access ban should extend to his colleagues;
• To update the ROPAs (Records of Data Processing Activities);
• To perform a DPIA (Data Protection Impact Assessment).