COVID-19 and the GDPR: Should Employers Conduct Temperature Checks?

New guidance issued by the U.S. Equal Employment Opportunity Commission (EEOC) in the United States has advised that employers may measure employees’ body temperature given that the Centers for Disease Control and Prevention (CDC) and state/local health authorities have acknowledged the community spread of COVID-19. Many U.S. businesses operating in the EU are analyzing the position in Europe in respect of their local operations.

Businesses have a duty to safeguard the health and well-being of their personnel. And, equally important given current circumstances, businesses involved in the production and supply of food, medical equipment, and cleaning/sanitary products — many of whose workers work in close proximity — need to be able to maintain operations for the wellbeing of the wider community. As the European Data Protection Board (which consists of national data protection regulators) has recently stated, “data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However…. even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.” We set out below a summary of the GDPR implications and practical steps which businesses operating in the EU will need to take.

Information Relating to Temperature Checks

Information collected through checks relating to an employee or visitor’s temperature, even just noting it as “high” or “within a normal range,” will constitute “data concerning health” under the GDPR. By recording such data, you will be processing a “special category of personal data.” The GDPR generally prohibits processing of this kind of data unless you can demonstrate you satisfy one of the legal grounds under Article 9(2).

Can You Satisfy One of the Legal Grounds in Article 9(2)?

This is one of the most difficult aspects of GDPR compliance. The lawfulness of your temperature check policy is likely to stand or fall on whether you can make out one these grounds.

The legal grounds with most potential are: (1) employment law rights and obligations, (2) explicit consent, (3) health (occupational medicine) and (4) public health.

To satisfy grounds (3) or (4), the checks would need to be carried out by a qualified health professional, which is unlikely to be an option for many organisations. Valid explicit consent is very difficult to secure in an employment context in any event, but even where valid, employees must be able to refuse a temperature check without detriment. This may prevent universal application of your temperature check policy, which ultimately defeats its purpose.

Of the four grounds identified, “employment law rights and obligations” is likely to be the ground with the greatest potential, but even it has difficulties.

To satisfy this ground, your processing (i.e., the temperature check) must be necessary for the purposes of exercising or performing obligations or rights which are imposed or conferred by law in connection with employment, social security or social protection. For example, in the U.K., this could be an employer’s obligation to provide a safe working environment under Health and Safety at Work Act 1974.

However, while it may be arguable that carrying out temperature checks may be part of a series of measures which assist you in protecting the health and safety of your personnel, in relation to the COVID-19 pandemic, taking temperature checks is not (at the time of writing) a measure recommended by European authorities or the World Health Organization.

Consequently, there is a risk a court or supervisory authority would find that temperature checks are not strictly speaking “necessary” for satisfying your employment law obligations. Instead, following the latest medical and government guidance, advising employees to stay away when they (or anyone else in their household) exhibit symptoms, and implementing enhanced cleaning and hygiene policies arguably achieve the same objective without being as privacy intrusive.

Approach of Supervisory Authorities — Variations in Approach

The GDPR promised consistency and harmonization for data protection across Europe. Unfortunately, but not unsurprisingly, these features have been somewhat lacking in the approach of European supervisory authorities to data processing in the context of COVID-19.

This is partly a function of the fact that processing special categories of personal data, like someone’s temperature, is an area in which individual member states have significant scope to set specific requirements and local frameworks.

Equally, another factor in the variation in approaches is the differences in cultural norms around privacy in different member states. For example, while the U.K. Information Commissioner’s Office (ICO) has not issued specific guidance on the collection of employees’ temperatures, it has, however, stated that employers have an obligation to protect employees’ health. The ICO has also indicated it will be pragmatic in relation to enforcement, stating that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” Whereas for the supervisory authorities in Belgium, France, Italy and Hungary, taking the temperature of workers and visitors and other generalized and systematic checks have been ruled out and are not considered proportional measures consistent with data protection law.

Other Important Considerations — Documentation and Records

As with any new and potentially privacy-intrusive proposal, you should document your decision-making and the context in which you came to your decision. This is even more important during the COVID-19 pandemic.

What does this look like in practice? Performing a data protection impact assessment and updating your records of processing activities. These are familiar concepts which have a statutory basis in the GDPR.

Another two documents which you should ensure are in place and meet the needs of your organisation are your internal Privacy Standards or Data Handling Policy, together with your Data Retention Schedule. Firstly, these are crucial in complying with the GDPR’s “storage limitation” and “integrity and confidentiality” principles. Secondly, they also form an important part of the conditions imposed by certain individual member states for being able to rely on the legal grounds mentioned above. For example, under the U.K.’s Data Protection Act 2018, to rely on the “employment law rights and obligations” legal ground, you must have in place an “appropriate policy document.” You will satisfy this requirement to some extent if you have comprehensive internal privacy standards and a data retention schedule.

Comparison to Position of U.S. Authorities

In the U.S., the Americans with Disabilities Act (ADA) regulates employer’s disability-related inquiries and medical examinations of employees. The ADA prohibits employers from excluding individuals with disabilities from the workplace for health or safety reasons unless they pose a “direct threat” — a significant risk of substantial harm that cannot be eliminated or reduced even with reasonable accommodation. The EEOC, the federal agency that enforces the ADA, has indicated that whether an employee poses a direct threat must be based on objective, factual information. The EEOC has concluded that, as of March 2020, the COVID-19 pandemic meets the direct threat standard because given the community spread, there is a significant risk of substantial harm posed by having someone with COVID-19, or symptoms of it, present in the workplace.

In light of the current CDC guidance, the EEOC has advised that:

• It is permissible for an employer to send home an employee with COVID-19 symptoms.
• Employers can ask employees who report feeling ill at work or who call in sick questions about their symptoms to determine if they have or may have COVID-19. In particular, they may ask about fever, chills, cough, shortness of breath or sore throat.
• Employers may measure employees’ body temperatures as a screening measure to prevent individuals with greater risk of being infected from coming into the workplace.

The EEOC notes that the fact that if an employee had a fever or other symptoms, it would be considered medical information subject to ADA confidentiality requirements.

Key Takeaways

This is a complex area, with many local variations and requirements , but to summarise the key takeaways:

• Check for any local employment law related issues with the proposed measures — these can differ significantly.
• Assess local variations, both culturally (i.e. how is your workforce likely to react) and regulatory (i.e. how is your local regulator likely to react).
• Document your decision making in the specific context of your business activities — it may be easier for some businesses to justify than others.
• Perform a data protection impact assessment — even if in short-form. 
• Provide privacy information to your employees/visitors before requesting them to take a check.
• Ensure you meet the relevant conditions for the legal basis you will rely on (e.g. in the U.K., having an “appropriate policy document” in place).
• Minimize your data collection — do not record more personal data than is strictly necessary.
• Update your record of processing activities, and document your decision making relating to the new measure, including your safeguards.

Please contact the authors or any other member of our privacy, cybersecurity and data strategy team who will be able to advise further.

As the number of cases around the world grows, Faegre Drinker’s Coronavirus Resource Center is available to help you understand and assess the legal, regulatory and commercial implications of COVID-19.