Data Protection Rules Do Not Prevent Occupational Safety At Work
The coronavirus pandemic has brought into the spotlight the question that causes conflicts between employers and employees – what rights and obligations the parties have in protecting their health at work and how to act lawfully in doing so.
In spring 2020, a wider discussion arose about whether the employer can ask for information related to the infection and whether and to what extent the employee must provide this information. On the one hand, it concerns data protection, and on the other hand, the obligations of the employer and the employee from the point of view of ensuring the protection of life and health arise.
Which comes first – data protection or safety in the workplace?
Indeed, data protection imposes restrictions on whether, by whom, and how health-related data can be processed, and these restrictions are quite strict. However, this cannot be regarded as an obstacle that makes it impossible to ensure health safety at the workplace. The employer must clarify what information, in what way and for what purpose he/she needs, and whether he/she can ensure the protection of health at the workplace by other means than by requesting specific information. By finding answers to these questions, it is possible to assess the situation, including from the point of view of data protection. The Data Protection Inspectorate has also clarified its vision for the processing of personal data and provided guidance on its website but this is a general view.
However, the working environment is regulated not only by data protection requirements but also by other legislation. According to law, the employer is required to ensure the occupational health and safety of employees (Employment Contract Act § 28 (2) 6) and the Occupational Health and Safety Act). However, that legislation does not regulate which measures the employer needs to take in more detail and it is not specified whether and which health data may be processed more precisely by the employer for that purpose. There may therefore be several different methods for fulfilling the employer's obligation. For example, explaining to employees that if they are sick, they must stay at home. Or asking for confirmation that the employee is not sick and does not pose a risk to other employees and customers – in this way, the employer does not need specific information about the health of the employee. The Chancellor of Justice has also referred to obtaining such confirmation. When choosing a suitable measure, the employer must assess the working environment and the type of work, consider the type of employees, and consider whether there are alternative ways to obtain the necessary information. It must also be verified that the measure complies with the obligations laid down by legislation, including data protection.
Thus, personal data protection requirements cannot be considered as an obstacle to ensuring the safety of the working environment, but they must still be respected, as well as the rules for processing personal data. The employer may not indiscriminately share this data with other persons, publish it on a notice board or the intranet. The employer must also ensure that the data that is no longer needed are erased and processed as little as possible by the employer, i.e., to follow the principle of data minimization.
What can an employer do?
Legislation has been improved during the pandemic. Namely, the Government of Estonia has supplemented the regulation regulating the occupational health and safety requirements of the working environment affected by biological hazards. As a result of the amendment, employers will be able to use the measures provided for in the regulation if, as a result of the risk assessment, the employer has found that the working environment is being affected by biological hazards.
Thus, the employer has the opportunity to ensure the infection safety for the employees in contact with other people in the working environment, in particular through vaccination against COVID-19, the verification of the certificate confirming the safety of SARS-CoV-2 infection, or testing the employees with the SARS-CoV-2 test. However, it should be borne in mind that, before these measures are implemented, it is necessary to assess whether there are alternative measures that are less infringing. This has also been referred to by the Data Protection Inspectorate in its recent response to a request for clarification.
When carrying out a risk assessment, the employer must assess what risks are present in the working environment and whether and how they can be managed. For example, in a situation where there is a risk of coronavirus transmission in the working environment, unrestricted access to everyone's health data, sending everyone home, or, conversely, allowing everyone to work without taking any measures, cannot always be considered an appropriate measure. In some workplaces, the most suitable solution may indeed be to implement a home office, but in others, this may not be possible due to the type of work, for example, and other solutions need to be implemented.
Employees also have to ensure safety at the workplace
Ensuring the safety of the working environment is not only a matter for the employer. According to the Employment Contracts Act, this obligation is also the employee's responsibility. Namely, an employee must refrain from actions that hinder other employees from fulfilling their obligations or endanger the life, health, or property of the employee or other persons (subsection 15 (2) 5) of the EA). Therefore, the employee also has a role to play in ensuring occupational safety, and employees must take into account that a breach of the obligation may lead to sanctions, including the termination of the employment contract. The employer should remind employees of this and explain it using vital examples.
Thus, data protection rules do not prevent occupational safety at work, as different measures can be used. It must be acknowledged, however, that the obligations of the employer and employee described above may not serve their purpose – be it economic, worldview, or any other reason. In such a situation, the employer must take that risk into account and assess whether and what measures are necessary and proportionate to address the situation. At the same time, the state has established regulations that allow employers to obtain the necessary information and implement measures.