The data protection authorities in Finland and elsewhere have given good instructions on data protection and corona. We have been asked a lot of the same questions. We have gathered some of them here and we hope that they are of help to you. Please do not hesitate to contact us, if you have any other questions!
Not as such and the employer has an obligation to protect the employees’ health, but that doesn’t necessarily mean you need to or are allowed to gather the data of the employees.
As the government has advised, it’s good to inform customers and employees that they do not come to the premises if they have visited particular countries or have symptoms associated with the COVID-19 virus.
A good way to avoid collecting unnecessary data is to give different kind of instructions. You may for example ask visitors to consider government advice before they decide to arrive to the premises. In case they have symptoms or have arrived from abroad, you can instruct staff members to call THL’s (Finnish institute for health and welfare) number 029 553 5535 or check their website for guidance. This approach alone should help you to minimize the collection of personal data. You should also consider if instead of collecting data it’s possible to ask for the information without saving it.
If these measures are not enough and you still need to collect specific health data, do not collect more data than is necessary and make sure that the collected data is processed using appropriate safeguards. If you do collect data, remember also to update your privacy notice and to inform and take care of possible co-operation procedure. It must also be noted that health data may only be processed by employees, whose tasks require it. The employer must predesignate these persons or define the tasks, which include processing of health data. The persons processing health data are bound by professional secrecy.
If an employee of an organization is found to have the coronavirus, the employer shall not, in principle, name the employee in question. The employer may generally inform the other employees of a case or a possible infection and instruct them to work remotely from home.
The data protection legislation is applicable only when personal data of an identifiable persons is processed. The other information activities of an organization are not, in principle, subject to data protection legislation.
Data protection doesn’t prevent working remotely from home either. During a pandemic, the staff may work from home more often and use their own devices. However, the employer must consider similar data security measures for working remotely that are used in normal circumstances.