Combatting COVID-19: have you got the right temperature to shelter you from the storm?
The Belgian Data Protection Authority has updated its guidelines with respect to the measuring of body temperature at the entrance of buildings in order to limit COVID-19 infections in the framework of restarting the social and economic life after the lock-down. Employers of course want to protect their employees against the spread of COVID-19. Questions therefore arise to what extent they can start measuring the body temperature of employees returning to work.
When does the measuring of temperature fall under the scope of the GDPR?
As you may already know, the body temperature of a physical person is qualified as 'personal data'. Moreover, it is deemed to fall within the category of sensitive 'health data'. The collection and processing of health data is in principle prohibited under the GDPR, subject to a limited number of exceptions.
If the temperature is only measured with a classic thermometer and the result of the measurement is not registered in a file, such action will not be seen as a processing of personal data. In other words, simply reading the temperature on a classic thermometer without recording the data afterwards, does not fall under the GDPR and is therefore not subject to the conditions as described below.
Subject to compliance with applicable employment laws, the GDPR does therefore not object to the denial of access to certain buildings or spaces (shopping mall, airport, office, etc.) if an elevated body temperature can be read from a thermometer. The mere temperature reading and denying access without any additional registration does indeed not fall within the scope of the GDPR.
On the other hand, if the temperature reading is accompanied by a registration or recording of the results hereof in a file, e.g. to document the absence of an employee after the employee is denied access, or to justify the refusal of access to a specific supplier, the GDPR will be applicable. In an employee-employer relationship, any action relating to the measurement of body temperature will therefore in practice almost always qualify as processing of personal data since individualization will be necessary to justify the absence of the employee (in contrast to for example the denial of access to a visitor in a museum or a shopping mall). One of the only exceptions in this respect is the inclusion of the temperature of employees for the purpose of fully anonymised reporting (e.g. generating statistics with percentage of persons with elevated temperature, without any link - even retrospectively - to identifiable persons).
What about digitalised temperature measurements?
The Belgian Data Protection Authority further states that the GDPR does not only apply to the manual recording of personal data but also to automated processing of such data, e.g. when a person’s temperature is measured digitally with electronic instruments.
The use of digital fever scanners, heat cameras, temperature measuring stations or other automated systems which measure the body temperature of employees (or visitors) therefore, in itself, entails processing of health data. As a result, the GDPR applies, irrespective of any subsequent human intervention (the prohibition applies both where a guard oversees the recording of the temperature and where the entrance gate to the building remains automatically closed to persons who appear to develop fever).
The GDPR applies: now what?
As the processing of health data is in principle prohibited under the GDPR, employers will need to demonstrate (a) either a clear necessity to process this information to protect the vital interests of employees or for reasons of public interest in the area of public health, (b) a clear legal obligation to do so, or (c) the data subjects’ free, explicit consent.
With regard to (c), it should be noted that the concept of free consent in an employer-employee relationship is highly controversial and often not accepted given the hierarchical nature of the relationship.
With respect to (a) and (b), Belgian employers have a legal obligation to ensure – in general – the health and safety of their employees. In theory, this obligation could therefore cover the implementation of preventive measures (such as temperature checks or the completion of questionnaires) before allowing employees to return to the workplace or to allow certain visitors to access their premises.
However, according to its latest guidelines, the Data Protection Authority seems highly reluctant to accept the measurement of body temperature on these grounds, in the absence of specific legislation allowing temperature checks in the context of COVID-19. More specifically, it explicitly states that - without an explicit and specific legal basis in Belgian law (or in a COVID-19 collective labour agreement) - data controllers, may not:
- measure the body temperature of persons in order to record the results hereof in their files;
- measure the body temperature of persons if the consequences of such measurement are recorded in their files; or
- measure the body temperature of persons through advanced electronic measuring devices such as fever scanners or heat cameras.
On a related note, also the Ministry of Employment has in the meanwhile confirmed that employers may not (a) require a certificate of competence issued by the attending physician of an employee, or (b) oblige the measurement of employees’ body temperature. As this can be assimilated to an act of medicine, especially if the ability to work is linked to the measurement, such measurement is the prerogative of the treating physician (or the occupational physician who can then refer an employee to his/her treating physician). In case of doubt about clinical symptoms (coughing, headache, rhinitis, fever, muscle pain, etc.), the employer may choose to refer the employee to his treating doctor or, if necessary, to the occupational physician who will render an advice.
Conclusion and way forward
The Belgian Data Protection Authority is reluctant to accept the mandatory measurement of body temperature as a COVID-19 prevention measure, as it will almost always lead to the processing of health data without any solid legal ground. Also, it reiterates that the measurement of fever as a measure in the fight against the spread of COVID-19 remains partially ineffective as, on the one hand, COVID-19 is not always accompanied by fever and, on the other hand, fever does not always point to COVID-19.
Employers should thus look for alternatives. At this moment, telework is still recommended in Belgium. Upon phasing-out and allowing employees to return to the workspace, several social distancing, awareness-raising and hygiene measures should be taken. At this moment, these measures are deemed to be sufficient and proportionate to the aims pursued and the Belgian government does not promote excessive testing (whether at home or at the workplace), in particular as insufficient reliable tests are available. Our clients are therefore advised to encourage employees to conduct self-assessments and contact the company doctor in case of any doubt or concern.
To the extent that the government would at some point however consider that temperature measurements should be possible in the light of the exceptional nature of the COVID-19 crisis and for as long as the crisis persists, the Data Protection Authority calls on the government to adopt specific legislation that would allow for such processing of health data, while adequately protecting the rights and freedoms of data subjects and being absolutely necessary and proportionate to the objective pursued.
Stéphanie De SmedtSenior associate Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: email@example.com