Testing. Testing. Testing. This is the current motto of the Dutch government. Even in case of mild complaints. Unfortunately, there appears to be a great lack of testing capacity at the moment. As a result, people have to stay at home for several days at a time. As a result, organisations are struggling with a lack of employees in the workplace. This has particularly serious consequences for sectors in which it is not possible to carry out work from home. Many organisations are therefore looking for solutions to get their employees back in the workplace as quickly as possible.
For example, it was recently announced that the Dutch National Police has joined forces with a commercial testing company that offers rapid tests in order to reduce the shortage of capacity within the Dutch police force. With a corona rapid test it can be determined within a day whether someone is infected with the corona virus or not. All in all an effective means of getting staff back to work quickly. But is it really permitted to use rapid tests in a working environment? What measures can organisations take to make this possible? And what are the risks? These and other questions will be addressed in this blog series.
Duty of care
Employers have a duty to provide a safe and healthy working environment for their employees. During this pandemic, this duty of care will have to be fulfilled by taking measures to prevent the possible spread of the coronavirus in the workplace. When taking such measures, employers should take the advice of the Dutch government in account.
In many cases, this means that employees must work from home as much as possible, but this is by no means possible in all sectors. In that case, employers will have to deploy their employees in a way that minimises the risks for employees. In this context, the employer may give instructions to his employees. Think about the use of protective equipment and keeping a distance of 1.5 meters between colleagues.
But can an employer also oblige his employees to take a corona rapid test? The difficult thing about the use of such tests is that the employer likely has to deal with a situation in which health data will be processed. And there is a strict legal regime for this. In principle, the processing of health data is prohibited under the General Data Protection Regulation (‘GDPR’).
Vision of the Dutch Data Protection Authority
According to the Dutch Data Protection Authority (‘DPA’), it is therefore not permitted for employers to process medical data of their staff. According to the DPA, this means that an employer is not allowed to inquire about the health of its employees or take a control test. It is also not permitted to keep a record of the reason when someone calls in sick. If employees do tell their employer what they are suffering from, the nature and cause of the illness may still not be recorded by the employer. A company doctor may however test employees for the coronavirus but may not share the test results with the employer.
Thus, clear language on the part of the Dutch supervisor. But does the authority of the DPA extends to all such cases? The answer is no. After all, the DPA only monitors compliance with the GDPR and Dutch implementation act of the GDPR. So if testing can be arranged in such a way that it involves no processing of personal data, the testing as such does not fall within the scope of the GDPR. This means that the DPA will not authorised to take enforcement action against the employer in question.
Are test results regarded as personal data?
Whether test results of corona rapid tests will be regarded as personal data will depend on the way in which the testing is organised and carried out.
Only when a test result can be related to a specific individual – if not by combining data – the result is considered to be personal data. Thus, when employees are able to undergo the corona test anonymously (e.g. at home or in a protected environment) and could subsequently make the results known to their employer in an anonymised manner (e.g. by sliding the test result through a hatch after which they would be granted access to the premises), then the test result does not constitute personal data.
The question is whether it is practically possible to organise testing in such a way that no one within an organisation can relate the test result to a specific employee. In most cases, this will probably not be possible. Certainly not because employees will be expected to report sick if a test turns out to be positive. In such cases, a link can often be made between a positive test result and an employee afterwards.
Automated means or filing system?
The mere fact that certain information is personal data does not mean, however, that a situation falls under the applicability of the GDPR. That also requires processing by automated means or structured recording in a file.
Processing by automated means refers to operations carried out using computers, smartphones, tablets, servers, databases, and so on. In short, if an electronic record is being kept of employees that have been tested positive or employees that have been provided with rapid tests, the processing of such data will be considered to have been carried out by automated means.
Does it make a difference to physically record the test results? Probably not. After all, when personal data are recorded in a filing system, this is also considered to be processing within the meaning of the GDPR. Examples are the manual entry of test results in a personnel file or on a list of names.
Is it possible to think of any situation in which the collection of a corona test would not necessarily involve automated means or a filing system? We do believe so. Think, for example, of a situation in which the result of a corona rapid test is shown to a doorman immediately after being taken, who then physically denies the employee in question access to the company premises without any information being stored.