The processing of personal data as part of preventing the spread of COVID-19
Pepeliaev Group advises of certain details concerning the processing of personal data which is carried out to prevent the spread of the coronavirus.
A company is obliged, among other things, to prevent the spread of the infection by controlling the body temperature of its employees. This entails issues connected with the processing of personal data (“PD”) since the results of the temperature measurement [A.1] obviously belong to a special category of PD, namely, data about a person’s health condition.
To be able to process special categories of PD, the operator will have to ensure that the relevant legal ground is in place. The Federal Service for the Supervision of Communications, Information Technology and Mass Media (known by the abbreviation ‘Roskomnadzor’) has provided its clarifications concerning this issue.
Thus, for instance, the body temperature of employees may be measured by virtue of an express provision allowing such measurement which is set out in Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (article 10(2)(2.3)).
If, on the other hand, the company has decided to collect and, even more importantly, to store the results of the measurement of the body temperature of persons other than its employees (for instance, visitors, employees of recruitment agencies, etc.), there are no direct legal rules allowing this to be done. Therefore, for such cases we recommend that companies obtain written consents for PD to be processed, with all the details required by article 9(4) of the Federal Law “On personal data”.
We remind you that, if companies face changes (updates) in their methods for processing PD as a result of actions aimed at preventing the spread of the coronavirus - for instance, if the categories of the PD to be processed are supplemented, or additional objectives for its processing emerge - this may serve as a ground for sending an information letter to Roskomnadzor (article 22(7) of the Federal Law “On personal data”).
Special attention should be given to the process of recording the results of the measurement of employees’ body temperature in logs, which is especially important for companies engaging third parties to help them with such records - for example, employees of recruitment agencies who are on duty at reception, or the staff of private security companies.
If a company maintains a hard-copy log and such log is intended to incorporate PD, it should be designed appropriately. For instance, the Russian Government's Resolution No. 687 dated 15 September 2008 “On approving the Regulations concerning the specific features of processing personal data carried out without automated means being used” lays down special requirements for the details of such documents.
We also note that these requirements also relate to any other hard-copy questionnaires, data sheets and other documents to be filled in by employees and other persons. In practice, questionnaires may be encountered in which, specifically, the PD subject is to confirm that he/she has not visited any countries with an unfavourable environment.
To wrap up, here is some positive news. According to the information published on Roskomnadzor’s website, the activities of the supervisory body aimed at scheduled and unscheduled audits will be suspended up to 1 May 2020 inclusive, and the body will switch to tools of systemic online monitoring for that period. All scheduled preventive measures within all areas of the authority’s supervisory and controlling activities will also be cancelled till the above date.
What to think about and what to do
We recommend that companies check their compliance with the requirements of Russian legislation concerning PD, including in relation to measures aimed at preventing the spread of the coronavirus:
- assess the need for changes to be made to the company’s business processes regarding the collection and processing of PD concerning a health condition;
- if necessary, update (change) the forms of questionnaires, logs and other documents being used;
- ensure that there are lawful grounds for the processing of PD classified as data concerning a health condition.
Help from your adviserPepeliaev Group’s experts possess extensive expertise in working on issues related to compliance with the legislation concerning PD. They will readily provide assistance with checking compliance with the legislation, for instance, with the legislative requirements listed above.