Austria: Third COVID-19 Act: lawfulness of processing employee health data

On 3 April 2020 Parliament enacted the Third, Fourth and Fifth COVID-19 Acts.1 Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new laws, perhaps because data protection discussions in the context of COVID-19 have predominantly concerned mobile phone tracking.

Third COVID-19 Act

The Third COVID-19 Act has revised several laws, including the Social Insurance Act (ASVG). Specifically, a new Section 735 has been introduced to the ASVG, reflecting a measure which the minister of health has repeatedly discussed.

Section 735 sets out a multistep process which prevents employees who are at risk of contracting COVID-19 from having to show up at work. The process is as follows:

• An expert group within the ministry has defined the relevant COVID-19 risk groups.
• The social security agency will inform individuals if they belong to such a risk group.
• Selected individuals will consult their doctor, who will assess whether they belong to the risk group in question and, if so, will confirm this with a COVID-19 risk medical certificate.
• The individual will provide their COVID-19 risk medical certificate to their employer.
• Once this procedure has been completed, the individual will be eligible to be suspended from work with full pay if no specifically defined exemptions apply (eg, the employee can work from home or the employer implements safety precautions at the office which will likely prevent the spread of COVID-19).

In its explanatory notes, the legislature explains that the social insurance agency will use the available data to identify potentially eligible individuals and inform them that they may fall into a risk group (step two above). The legislature also explains that COVID-19 risk medical certificates will not include a concrete medical diagnosis.

Data protection issues

Under Article 4(15) of the EU General Data Protection Regulation (GDPR), 'health data' means any data concerning an individual's physical or mental health status. The processing of such data must satisfy the strict requirements set out in Article 9 of the GDPR. Of particular relevance to the Third COVID-19 Act is Article 9(2)(b) of the GDPR, which allows the processing of health data in order to, among other things, allow an individual to exercise their rights under the applicable labour or social security laws, provided that the data processing is supported by a national law that appropriately safeguards the individual's interests.

The new Section 735 of the ASVG can be seen as the relevant national law within the GDPR's meaning. It will protect the interests of employees whose health is at risk and help to secure their salaries. However, it requires the social insurance agency, employees, doctors and employers to share information about an individual's affiliation with a COVID-19 risk group. Since COVID-19 risk groups are determined through medical parameters (see step one above), any information about an individual belonging to a risk group is personal health data. This is not changed by the fact that doctors will not include a concrete medical diagnosis on a COVID-19 risk medical certificate.

However, Section 735 of the ASVG neither includes data protection safeguards nor defines the circumstances in which the social insurance agency can identify an individual's potential eligibility for a risk group (step two above). Section 735 also fails to specify the circumstances in which employers can process an individual's health data (step four above). Notwithstanding its fragmentary character, Section 735 of the ASVG must still be considered the legal basis for data processing. The alternative would be employee consent (Article 9(2) of the GDPR). However, this would be nothing more than a hypothetical option. In a scenario where refusal or withdrawal of consent would lead to a health risk or loss of income, an employer could not reasonably assume that the individual's consent was sufficiently voluntary.

How should employers process data?

Section 735 of the ASVG creates a conflict of interests as it permits data disclosures which have traditionally been deemed unlawful. That said, employers are prohibited from discovering details of an employee's health status. However, if an employer learns that an employee is part of a COVID-19 risk group, it will have discovered details of the employee's health status. This conflict of interests is intensified by the law's rudimentary character. As such, it is predominantly up to employers to mitigate these conflicting interests by implementing appropriate safeguards, such as the following:

• Employers should limit access to COVID-19 risk medical certificates and related payment data.
• As employers can ask the social insurance agency to reimburse their payments within six weeks (Section 735(6) of the ASVG), they will have to retain COVID-19 risk medical certificates for documentary purposes, which prevents their immediate destruction. Employers will therefore have to establish a precise retention rule for such certificates.
• To satisfy the GDPR's technical and organisational requirements, certificates might have to be encrypted. They should also be kept separate from the employee's personnel file and should not be distributed within the corporate group.
• Employers should advise employees how and for how long their COVID-19 risk medical certificate will be stored. In particular, employees should understand that their certificate will not be destroyed before the social insurance agency has reimbursed the employer's salary payments.
• COVID-19 risk medical certificates and the related data cannot be used for any purpose other than suspending the employee and securing salary payments and salary reimbursement.
• Since Section 735 of the ASVG potentially allows comprehensive processing of employee health data in terms of the Austrian Data Protection Regulator's 'blacklist' (see Ordinance 278/2018), the respective data processing might not form only part of the company's data processing register, but also be subject to the company's privacy impact assessment procedure if not covered by a works council agreement.

Comment

Section 735 of the ASVG was doubtlessly established to preserve employee interests. However, the provision lacks data protection safeguarding measures. Although it is principally not up to employers to mitigate legislative deficits, they are nonetheless well advised to adhere to the above safety measures to not only comply with the GDPR's accountability principle, but also ensure that they treat their employees fairly.

Endnotes

1 Further information on COVID-19 is available here.

This article was first published in International Law Office