Statement by the Spanish Data Protection Authority (AEPD) on processing of certain health data in the context of Covid-19
The AEPD expressed their concern about these types of actions (…) “which represent a particularly intense interference with the rights of subjects and that are being carried out without the prior judgment of the health authorities”.
Measures related to the gradual withdrawal of confinement in the context of Covid-19 include, apparently in a generalized way and in very varied environments, taking people's temperature to determine whether they may access work centers, shops, educational centers or other types of establishments or facilities. In this situation, the Spanish Data Protection Authority has stated as follows:
This type of practice involves the processing of sensitive personal data which, as such, must comply with the provisions of the applicable legislation. This legislation contains specific provisions that cover situations such as the current one, while allowing the principles and guarantees that protect the fundamental right to data protection to continue to apply. This temperature-taking processing represents a particularly intense interference with this right. On the one hand, it affects data related to a person's health, not only because body temperature is itself health data but also because, based on it, it is assumed that a person suffers (or does not suffer) from a specific disease, such as coronavirus infection in this case. On the other hand, temperature checks are going to be carried out frequently in public spaces, so that a denial of access to an educational center, workplace or commercial center might reveal to third parties that the subject has a temperature and, moreover, may have been infected by the disease. Ultimately, and depending on the context in which this measure is applied, the consequences of a possible denial of access can have a significant impact on the data subject.
The implementation of these measures and the data processing would require a prior determination by the competent health authority (which in Spain is currently the Ministry of Health) of its necessity and appropriateness for the purpose of effectively contributing to preventing the spread of the disease in the areas in which they are applied, thereby regulating the limits and specific guarantees for the processing of the subjects’ data. It should be noted that a percentage of asymptomatic infected people do not have a fever and that, on the other hand, there may be people who present high temperatures due to other causes. Measures should be implemented only according to the criteria defined by the health authorities, both in terms of their usefulness and their proportionality with the intended goal, including reflecting on the extent to which these measures could or could not be replaced by other effective but less intrusive ones.
As with any other data processing, the collection of temperature data must be governed by the principles established in the General Data Protection Regulation (GDPR) and, among them, the lawfulness of processing. This processing must be based on one of the legitimate grounds provided for in the regulation for special categories of data (articles 6.1 and 9.2 GDPR). In the case of checking body temperature as a measure to prevent the spread of COVID-19, this legal basis may not, generally, be the consent of the data subjects, since such consent would not generally be freely given. In the workplace, the possible legal basis could be found in the obligation of employers to guarantee the safety and health of the employees at their service in work-related aspects. This obligation would operate both as an exception that allows the processing of health data and as a legal basis that legitimizes the processing. This legal basis could also be taken into account, with a wider scope, for the processing of customers’ and users’ data, in connection with the employer’s obligations regarding their employees’ health. This approach, however, requires an adequate weighting between the impact on the rights of the clients or users and the impact on the level of protection of employed persons. Where this legal basis is not relevant, it could be suggested that there are general interests in the field of public health that must be protected; however, this option would require the support of additional implementing legislation.
Further principles to comply with would include purpose limitation and accuracy of data. In any case, the statement goes on, data subjects continue to hold their rights in accordance with the GDPR, as well as the rest of the guarantees, duly adapted nonetheless to the specific conditions and circumstances of this type of processing. Measures to be considered include, among others, informing employees, clients or users about the respective processing. It is likewise of the utmost importance to establish the terms and criteria for data retention; in principle, given the purposes of this processing, data retention should not take place, unless it can be sufficiently justified in view of the need to face eventual legal action derived from the decision to deny access.
The DPA's full statement can be accessed in Spanish here: https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/comunicado-aepd-temperatura-establecimientos
Article provided by: Belén Arribas (Andersen Tax & Legal, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)