Amidst the attempts to ease the restrictions and resume usual professional and commercial activities by adapting related working methods in accordance with the Covid-19 Hygiene and Sanitary Protocols (published on e-albania portal), the Information and Data Protection Commissioner has decided to highlight and clarify certain aspects of these protocols entailing processing of personal data (especially those related to health), on a specific Q&A basis.
This hypothetical communication (Q&A) further aims at addressing the concerns that parties have expressed to the Commissioner’s Office, as well as serving as a guideline for employers, employees, customers, etc., regarding the rights and obligations stemming from the personal data protection legislation, in the framework of processing operations that will be carried out based on the relevant protocols.
Question 1. Can I collect health data in relation to COVID-19 from employees or visitors who access the premises of my company?
Yes. Under the COVID-19 Hygiene and Sanitary Protocol, you are required to collect personal and health information on COVID-19 related symptoms.
Clearly, each employer has an obligation to protect the health and lives of employees, as well as of any other party related to them (e.g. visitors).
On the other hand, this does not mean that you have the right to process (collect, store, transmit, etc.) personal and sensitive data beyond what is necessary for the purpose of detecting COVID-19 symptoms.
Therefore, it is legitimate to ask employees and visitors about COVID-19 symptoms, or whether they have had previous contact with infected individuals (or been exposed to infected individuals), as well as to record this data, as specified in the relevant protocols. However, further processing of personal and health data, beyond what these protocols require, is not permissible.
Question 2. What measures should the employer adopt in the context of personal data protection?
In your capacity as data controller, you have the obligation to apply the principles and obligations laid down by the legislation on personal data protection, including the law on personal data protection and the bylaws adopted by the Commissioner (in particular, Instructions No. 3, 11, 22, 24 and 47-19). All these acts are published, as updated, on the official website of the Commissioner’s Office (www.idp.al).
Moreover, you must record and document the transmission of personal and sensitive data to law enforcement institutions which are in charge of issuing and enforcing COVID-19 measures.
Question 3. Who can be appointed by the employer for processing personal data and what responsibility does he/she have in this case?
You can find the answer to this question in each of the COVID-19 Hygiene and Sanitary Protocols (you may refer to the green, yellow and red ones).
The persons in charge of implementing the measures specified in the respective protocols, including keeping records of COVID-19 symptoms, must sign a confidentiality statement on the processing of personal data.
It should be noted that, in any event, data controllers (employers) are, in principle, responsible for potential violations of the privacy of data subjects, and hence of the legislation on personal data protection.
Question 4. Should the employee or visitor be informed on the processing of their personal data, and if so, how?
Controllers are required to inform the relevant categories of data subjects (employee, visitor, etc.), among others, about the purpose of personal data processing, the categories of personal data being processed (e.g. COVID-19 symptoms), persons carrying out the processing activities, the eventual recipients of the data processed, as well as whether the data processing is essential or not.
For more details, we invite you to consult the provisions of the law on personal data protection (Article 18), as well as the acts adopted by the Commissioner, as explained above.
The information provided to the data subjects must be clear, accurate and easily accessible.
Question 5. Can I tell my staff that a colleague may have potentially contracted COVID-19?
It is clear that you need to keep staff informed of any case of COVID-19 identified in your organization. You have a responsibility to protect the health and safety of your employees, as well as a duty of care.
However, you should make every effort to avoid naming individuals, and you should not provide more information than necessary. It is therefore clear that identification would be permissible only in cases where the relevant circumstances make it inevitable. The burden of proof for this purpose lies with the data controller.
In addition, you should also inform law enforcement agencies, including those charged with the epidemiological investigation, as set out in the protocol applicable to your organisation.
Question 6. Can I publish or disclose personal data collected under the COVID-19 Hygiene and Sanitary Protocol?
A priori personal data cannot be made public, as this would be considered illegal processing.
However, as stated above, the disclosure of personal data and data relating to the health of employees/visitors, in the context of the measures adopted for COVID-19 containment, could be authorized when this personal information is shared with the law enforcement institutions in charge of pandemic containment, in accordance with the relevant law and protocol.
Question 7. How long should I retain employees’ and visitors’ health-related data?
You should take into consideration that this information must be retained for as long as it is necessary to meet the legal requirements in the context of the measures relating to COVID-19 containment.
In any event, we consider that the data retention period should not exceed the virus incubation period. However, longer processing terms may be legitimate subject to a specific legal provision (e.g. the legislation on the prevention of infections and infectious diseases).
Once the processing purpose has been achieved, the data used in this context must be deleted/destroyed in a safe, confidential and irreversible fashion. Outsourcing this operation to third parties will not be authorized unless the provisions of the legislation on personal data protection governing the controller-processor relationship are fully observed.
Deletion/destruction of personal data shall be properly documented.
Question 8. Our staff will be homeworking during the epidemic. What security measures should be in place for this purpose?
Personal data protection legislation does not hamper the various types of activities or tasks performed at home.
Accordingly, staff members who are working from home can use personal communication equipment, or equipment provided by the employer.
However, employers must put in place appropriate technical and organizational measures to ensure the security and confidentiality of personal data.
Due consideration must be given to the use of various online communication platforms (e.g. videoconferences), in order to prevent unauthorized access to the personal data (video images, etc.).
When homeworking, the rate of violation of private life as a result of unauthorized (that is, illegal) processing of personal data is greater, and potentially more harmful, than in normal circumstances (at the workplace).
***
For more on the above, you are kindly invited to consult the guidelines on the principles and legal criteria for personal data processing in the context of the measures for COVID-19 containment published earlier on our official website (www.idp.al).
You are also invited to address any question or concern regarding the processing of personal data in accordance with the Covid-19 Hygiene and Sanitary Protocols by e-mailing the Commissioner’s Office at: info@idp.al.