Coronavirus: Health data may be collected for protection against infection

Many employers and employees are faced with the question of the extent to which they can and must exchange health data and under what circumstances. The data protection supervisory authorities of the federal and state governments in the data protection conference (DSK) provided one common position in front.

Don't miss any news! With our daily newsletter you will receive all heise online news from the past 24 hours every morning.

Federal data protection officer Ulrich Kelber emphasized that health information is very sensitive data and data processors should therefore be aware of their special responsibility. But "as long as the measures taken by employers and employers are proportionate, data protection does not stand in the way of fighting infections." The health of citizens is now the focus.

To contain the corona pandemic, companies and organizations can collect and use not only the personal data of employees, but also of guests and visitors, to prevent the virus from spreading among employees. This includes, for example, data on cases in which an infection was identified or in contact with a person who has been proven to be infected.

Health data may also be collected if a stay in an area classified by the Robert Koch Institute as a risk area took place during the relevant period. The data of persons who have been proven to be infected or who are suspected of being infected are only lawful "if knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons". This means that the name should be avoided in principle.

The supervisory authorities point out that the duty of care obliges the employer or employer to ensure the health protection of all employees. Accordingly, he must respond "appropriately" to the spread of a notifiable illness. However, the precautionary measures would "of course always be proportionate". Therefore, the respective data would have to be treated confidentially and used exclusively for the intended purpose. At the latest with the end of the pandemic, the data collected would have to be "deleted immediately".

Consent is only possible if they are informed about the data processing and can voluntarily consent to the measure. However, employees would also have to comply with duties of consideration, conduct and cooperation towards their employer and third parties. For example, they are obliged to inform their employer or employer about an infection with the Corona virus, which could also result in a disclosure right under the GDPR regarding the contact persons.

The Baden-W├╝rttemberg state data protection officer, Stefan Brink, makes it clear, however, that investigative and intervention powers are generally not the responsibility of the employer, but only the state health authorities. If in doubt, employers should therefore seek contact with the health authorities and not raise the will of the employees "on their own" or even against health data. Brink has a very detailed, practice-oriented approach "Corona FAQ" released.

In it, Stefan Brink also states that the employer may collect private contact details from the workforce in order to be able to provide the workers with a short-term warning if the company closes – provided the employee has given his consent. Brink points out that the handbook of the Federal Office for Civil Protection and Disaster Relief recommends the establishment of an "in-house communication network" tailored to the respective company, so that companies can take certain measures depending on the pandemic phase. However, after the pandemic at the latest, the contact data should be deleted and allowed not be used for other purposes.

To what extent is the population ready to accept restrictions on their privacy in order to contain the corona crisis? This question was a representative one survey among 1,020 Germans, which the tech company Usercentrics commissioned from the market research institute Innofact in March 2020. They came to the conclusion that most would be prepared to restrict themselves: For example, 66.8 percent were willing to register their names in a public database in the event of an infection in order to warn third parties who were in contact with them. 9.5 percent support the expansion of data retention for flight and travel data in order to be notified in the event of suspicion or to limit the spread of the virus. 54.6 percent would allow public authorities to use their personal movement profile to track the spread of the virus.


. (tagsToTranslate) Coronavirus (t) data collection (t) data protection (t) data storage