How to fight Covid-19 while taking into account Data Protection?
Technology as a tool against the pandemic
Following the quarantine periods imposed by Public Authorities aimed at containing the spread of the SARS COVID-19 virus, it was necessary to adopt a series of health prevention measures to allow the resumption of economic and productive activities, while preventing the arise of further infections.
Among the actions taken in consideration, stands out body temperature detection, aimed at detecting the symptoms of a potential infection of personnel and visitors entering company premises, commercial establishments and public offices. This measure, first made mandatory by many Government Authorities, only at a later time has been left to the evaluation of any economic activity.
In a similar context, EL.MO. has once again proved to be a dynamic and cutting-edge company, providing innovative and effective solutions capable of promptly identifying those who present the typical symptoms of the infection, in order to allow the prompt adoption of precautionary health measures.
As a demonstration of the versatility that has always distinguished our work, EL.MO. has developed a dual solution to the problems arose from the pandemic, paying particular attention to the several and varied needs of customers (both of the public and private sectors): the facial recognition and body temperature detection panels PROIPF01TC and PROIPF02TC.
These all-in-one panels for facial recognition, based on Artificial Intelligence, allow not only to detect body temperature, but also to verify the use of protective masks: the panels will send immediate alarm notifications in case abnormal situations detection (people without PPE or with high body temperature), directly through the InstaVision function.
Analysis of personal data protection legislation
In the research of the best tool to prevent and fight the spread of the pandemic, EL.MO. has certainly not overlooked the analysis of the risks that might arise from such treatment, with specific reference to the protection of the privacy of all the individuals directly related to the data acquisition.
First of all, it must be specified that body temperature is included in the category of particular data regulated by the GDPR legislation. Particular data refers to all personal and sensitive data able to reveal information relating to: health status, sexual life or sexual orientation of the person, racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data and biometric data intended to uniquely identify a natural person.
With regard to this particular category of data, the GDPR prohibits (art. 9) any form of treatment of such information, unless the interested party has given their explicit consent and with the exception of a few rare cases. Despite the firm prohibition of the aforementioned Community legislator- which prima facie seems not to leave much room for data processing in the fight against COVID-19 - EL.MO. noted that, among the aforementioned exceptions, we can precisely find "reasons of public interest in the public health sector, such as protection from serious cross-border threats to Health" (Article 9 letter f).
In light of the above, body temperature reading, although constituting of particular data, could be subject to treatment as it can be useful to anticipate the prevention, containment and fight of the COVID-19 contagion, a disease that represents a serious threat to global public health.
Having established this, EL.MO. lawyers have carefully analysed the ways in which this particular data can be legitimately treated. For this reason, the requirements imposed by the framework of art. 9 par. 2 lett. b) GPDR have been examined, specifically from the rules of the "Shared regulatory protocol of measures to combat and contain the spread of the COVID-19 virus in the workplace" of March 14, 2020 and subsequent amendments, (hereinafter referred to as just the "Health Protocol"), which, as is well known, constitutes a trade union agreement.
From the examination of the aforementioned regulatory texts it therefore appeared that the data controller (the private company, the commercial exercise or the public body that proceeds to measure the temperature) must inform the subject to whom the data detected belongs of the methods of this treatment, through the creation and publication of a specific privacy policy. In fact, the data owner will be able to consciously consent to the relative processing of the data only after reading the content of the privacy disclaimer.
In particular, it should also be noted that, depending on the activity practiced by the data controller, it may be necessary for the latter to firstly conduct an impact assessment on data protection (pursuant to Article 35 of the GDPR).
Given the above, in any case it is always advisable to prepare the prodromal privacy information to a legitimate detection of body temperature and to conduct the aforementioned impact assessment by adequately valorising the peculiarities of this treatment, in consideration of the needs of one's professional activity and in compliance to the minimization principle imposed by the GDPR, employing if possible qualified professionals in the drafting of the referred disclaimer.
Lastly, it should be noted that the Privacy Guarantor, by the communication dated 10th August, has considered illegitimate all contact tracing activities that do not find their legal basis in a law. Nevertheless, the Authority responsible for the protection of privacy while prohibiting the use of equipment for contact tracing activities, has allowed subjects - both public and private - to continue to resort to the employment of applications, currently available on the market (such as, panels that allows face recognition, mask absence signalling and temperature detection), provided that the latter do not involve - even indirectly - the processing of personal data relating to identified or identifiable subjects.
In other words, this translates into the possibility of using systems that verify whether the subject (visitor or employee) is wearing a protective mask and detects body temperature as long as they never record data (therefore not even in the case of exceeding the temperature threshold) such as names or images, associating them with the aforementioned biometric data.
The above considerations, of course, are strictly connected to the persistence of the state of emergency and, at the end of the same it will be necessary to evaluate, in the case of use of the aforementioned temperature detection devices, how the legislator will decide on this matter and what opinion will be given by the Privacy Guarantor regarding the protections to put in place to allow its employment.
Click here to visit the page dedicated to our anti-covid solutions