Covid-19 leaves few unaffected, and with a state of emergency having been declared in Finland on 16 March 2020, employers’ duty to protect their employees’ health and safety has naturally been emphasized. Relevant authorities have issued guidelines on how, in practice, to minimize the risk of Covid-19 infection spreading at workplaces.
Under the Finnish Act on Occupational Health and Safety, the employer has an obligation to see to the health and safety of its employees. With respect to the Covid-19 pandemic, an employer may need to use data relating to an employee having been infected with Covid-19 or having travelled to Covid-19 risk zones in order to be able to undertake necessary measures to protect the health and safety of its employees. While fulfilling this obligation, however, the employer must also ensure that the employee’s rights under other relevant laws, such as the employee’s right to privacy, are respected.
Employee health data is special category data
Data relating to an employee’s state of health constitutes special category data and may only be processed in line with applicable data protection legislation – for Finland this is the EU’s General Data Protection Regulation (GDPR) and special Finnish legislation on the right to privacy in working life. The main rule is that employee health related data requires special protection and cannot be processed at all. There are some exceptions to this rule, one of which applies during the Covid-19 pandemic: employee health data may be processed if this is necessary in order for the employer to comply with its statutory obligations.
An employer is undoubtedly under an obligation to protect its employees from getting infected by Covid-19 and in order to fulfil this obligation, it may be necessary for the employer to process employee health data, for example in order to be able to order possibly infected employees to stay at home. But what is regarded as health data?
What is regarded as health data?
According to guidelines issued by the Finnish data protection authorities on employee data and Covid-19, the following applies:
- Information that a specific employee is infected with Covid-19 constitutes health data.
- Information that an employee has returned from a Covid-19 risk zone does not constitute health data.
- Information that an employee is in quarantine does not constitute health data (provided that the reason for the quarantine is not disclosed).
Even though an employer may process and use an employee’s health data, this does not give the employer an automatic right to disclose the identity of the employee in question. The fact that an employee has been infected with Covid-19 may, however, be disclosed on a general level, which may facilitate instructing employees in order to mitigate the risk of further infections. An employer should, however, always mitigate the risk of the employee being identified even when his/her name is not disclosed.
Finland-specific rules on processing
Finally, the Act on the right to privacy in working life includes specific mandatory rules on how employee health data may be processed:
- Health data may be processed only by persons who have been authorized to do so or by persons who have been assigned tasks that involve such processing.
- Health data must be stored separately from any other employee personal data.
- Health data may only be retained for as long as necessary.
- All persons involved with the processing of health data are bound by a confidentiality obligation.
Further, data relating to the employee’s health shall always primarily be collected from the employee him/herself.