Following the outbreak of COVID-19 and its development into a global pandemic, governments, public and private organisations throughout the world are taking exceptional measures to contain and mitigate its spread.
These exceptional measures involve the processing of various types of personal data of individuals, such as body temperature, other health data and geolocation data, to name but a few. Such data are classified as personal data and must be processed in accordance with the Data Protection Act 2017 (the DPA).
The DPA does not hinder measures that need to be taken in the fight against the coronavirus pandemic. It is in the interest of the Mauritian population that the spread of the virus be curbed by the implementation of different mechanisms. However, even in these exceptional cases, due care must be exercised by the controller or processor when personal data is being processed. An emergency is a condition which may legitimise restriction of freedoms provided these restrictions are proportionate and limited to the emergency period. If something feels excessive and too intrusive from the public point of view, then it probably is.
Below are a few questions which we consider pertinent during these unprecedented times of COVID-19.
Can hypermarkets, supermarkets, superettes and food retail shops (food outlets) take the body temperature of their customers? If yes, who can take the temperature and to whom can the temperature be communicated?
This scenario is specifically catered for in the General Notice (GN) No. 547 of 2020 which has been enacted under Regulation 13(2) of the Prevention and Mitigation of the Infectious Disease (Coronavirus) Regulations 2020, which is itself made under section 79 of the Public Health Act. Accordingly, one of the conditions for reopening and operation of food outlets in Mauritius is that the body temperature of each customer may be taken by staff of the relevant food outlet. In the event that any customer has a high temperature (38 degrees and above), the law provides that the customer will be transferred to the nearest hospital and he will be dealt with according to the protocol of the Ministry of Health and Wellness.
According to the GN, the taking of temperature can be done as from Thursday 2 April 2020 until 15 April 2020. A new regulation will need to be enacted to extend this duration so that this practice may lawfully continue beyond 15 April 2020.
What are the obligations of organisations towards the customer when collecting health data or other personal data under the DPA?
Under the DPA, when body temperature or any other personal data is collected (such as name, address, email address, phone number, NIC number), the person collecting such data has an obligation to give certain information to the customer. There is, for example, the duty to explain to the customer the reason and purpose for collecting the data, the authority to whom the information will be communicated, his right to be shown the collected data, the retention period, and his right to lodge a complaint with the Data Protection Commissioner, should he not be satisfied with the way his personal data is being processed. All this information should be easily accessible and provided in clear and plain language. It can be set out in a notice which would be affixed at the entrance of the premises of the organisation.
It is also important to adopt security measures to properly safeguard the personal data, whether held on paper or in digital form, so as to ensure that personal data are not disclosed to unauthorised people, which would constitute a data breach under the DPA.
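The safeguards described above (recording no more than is needed, keeping records only for the stated retention period, and restricting who may read them) can be built into the digital log itself. The following is an added example written for this newsletter's scenario, not code from the authors or from any food outlet; the role names, the 14-day retention period and the referral reference format are assumptions for illustration, and only the 38-degree threshold comes from the GN.

```python
"""Minimal temperature-screening log with data minimisation, retention and access control.

Added example: assumes a controller keeps a digital log of customer screenings and
wants (a) to store only the outcome rather than identifying data, (b) an automatic
purge once the stated retention period has elapsed, and (c) role-restricted access
with an audit trail of every access attempt.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

FEVER_THRESHOLD_C = 38.0  # "38 degrees and above" as stated in the GN
RETENTION_DAYS = 14       # assumed retention period; the DPA requires one to be stated, not this value


@dataclass
class ScreeningRecord:
    recorded_at: datetime
    fever: bool                  # only the outcome is kept, not the raw reading
    referral_ref: Optional[str]  # hospital referral reference, kept only when a referral occurred


class ScreeningStore:
    # Assumed roles: screeners may only add; the compliance role may read and purge.
    ROLES: Dict[str, Set[str]] = {
        "screener": {"add"},
        "compliance": {"add", "read", "purge"},
    }

    def __init__(self) -> None:
        self._records: List[ScreeningRecord] = []
        self.audit: List[str] = []  # one line per access attempt, allowed or denied

    def _authorise(self, role: str, action: str) -> None:
        """Record the attempt and refuse anything outside the role's permitted actions."""
        if action not in self.ROLES.get(role, set()):
            self.audit.append(f"DENIED role={role} action={action}")
            raise PermissionError(f"role {role!r} may not {action}")
        self.audit.append(f"OK role={role} action={action}")

    def add(self, role: str, temperature_c: float,
            referral_ref: Optional[str] = None,
            now: Optional[datetime] = None) -> bool:
        """Log one screening; returns True when the reading meets the fever threshold."""
        self._authorise(role, "add")
        now = now or datetime.now(timezone.utc)
        fever = temperature_c >= FEVER_THRESHOLD_C
        if not fever:
            # Data minimisation: a customer who was not referred leaves no identifier behind.
            referral_ref = None
        self._records.append(ScreeningRecord(now, fever, referral_ref))
        return fever

    def read(self, role: str) -> List[ScreeningRecord]:
        """Return a copy of the records; only roles with 'read' get this far."""
        self._authorise(role, "read")
        return list(self._records)

    def purge_expired(self, role: str, now: Optional[datetime] = None) -> int:
        """Delete records older than the retention period; returns how many were removed."""
        self._authorise(role, "purge")
        now = now or datetime.now(timezone.utc)
        cutoff = timedelta(days=RETENTION_DAYS)
        kept = [r for r in self._records if r.recorded_at + cutoff > now]
        removed = len(self._records) - len(kept)
        self._records = kept
        return removed


if __name__ == "__main__":
    store = ScreeningStore()
    day0 = datetime(2020, 4, 2, tzinfo=timezone.utc)  # constructed sample timestamp
    store.add("screener", 36.8, referral_ref="not-kept", now=day0)
    store.add("screener", 38.2, referral_ref="REF-EXAMPLE-1", now=day0 + timedelta(days=1))
    print(store.read("compliance"))
    print(store.purge_expired("compliance", now=day0 + timedelta(days=14, hours=12)), "record(s) purged")
    print("\n".join(store.audit))
```

The store keeps the raw reading out of the log altogether and discards the referral reference whenever no referral took place, so a breach of the log exposes little; the purge runs on a fixed retention period, which is the same period the entrance notice must disclose to the customer.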
In the absence of a specific law allowing it, can private organisations such as banks, hotels, or private companies collect the temperature or other health data of their customers entering their premises?
With the COVID-19 pandemic, many private organisations are exploring the option of taking the temperature of their customers to ensure that they do not have a fever before they enter the premises of the controller. If the customer consents to this, the legal basis for taking the temperature will be “consent” and the taking of such temperature will be lawful. However, if the customer does not consent to his temperature being taken, the controller should refrain from doing so, as it is arguable that there will be no legal basis for such processing under the DPA. It will be interesting to know the position of the Data Protection Commissioner on this moot point. Just as was done for food outlets, a regulation which sets out clearly what type of personal data may be collected by private organisations would be most welcome.
It is advised that the least intrusive methods, if available, should always be preferred, rather than collecting personal data. The methods which may be explored by the controller include dissuading customers from visiting the premises and instead using its online services, if any, or advising customers on the necessary precautions to be taken when visiting the premises.
Can health data such as the temperature of employees in relation to COVID-19 be collected by employers? Is an employer allowed to perform medical check-ups on employees?
Employers have a legal obligation to ensure the safety, health and welfare of all their employees at work. However, in the absence of a specific law granting them the power to do so, employers should think twice before recording the temperature of employees or performing medical check-ups on employees, as this would more likely than not be against the principles of proportionality and data minimisation under the DPA. In principle, the obligation to protect employees’ health does not open the floodgates to the collection of health data. Therefore, during this time of emergency, we would recommend that regulations be made empowering employers to collect health data of their employees for the welfare of all the employees.
In addition, less intrusive ways to protect the health of employees should be considered. For example, employers may ask employees to work from home, if possible, and to stay at home if they are experiencing any COVID-19 symptoms. Those who are symptom-free and who are present at their workplace should be advised to take all precautionary measures to prevent the spread of the virus.
Can an employer inform its staff that a colleague may have potentially contracted COVID-19?
Yes. Staff should be kept informed about positive COVID-19 cases within the organisation, so that the necessary precautions may be taken without however naming the colleague or giving more information than necessary. The employer does have an obligation to ensure the health and safety of its employees whilst at the same time owing a duty of care towards the infected employee.
More employees will be working from home during the pandemic. What kind of security measures should an organisation have in place during this period?
The DPA is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they may use their own devices or communications equipment. However, adequate security measures for working from home should be taken, comparable to those provided on the work site. The employer should ensure that the laptop on which the employee is working is properly equipped with the necessary antivirus software, firewall, encryption and password protection. Employees should ensure that their laptops are properly locked when unattended to prevent unauthorised access. The internet connection used by the employee should be a safe one, and employees should refrain from connecting any device (be it a tablet, phone or laptop) that holds office documents to open, unprotected Wi-Fi networks.
We remain available for any further clarification you may require regarding this newsletter and hope you are all keeping safe.