This post is part of a series on contact tracing apps. You can read our introduction to the series and find links to the other entries here.
Businesses re-opening during the ongoing pandemic are facing the issue of how to protect their employees, customers and visitors. The use of contact tracing and health information apps to record or restrict movement into premises has emerged as a useful solution from a public health perspective, although few countries have mandated their use to date. Where businesses are considering using contact tracing apps on their own accord, they may need to consider the following issues:
Data privacy: The actual data collected by organisations will depend on the ways in which apps are used. In situations in which organisations merely require employees and visitors to “check-in and out” of premises using apps, the organisation itself may not be collecting any personal data. In circumstances where organisations require employees and visitors to disclose information displayed in an app (e.g. a “green” light in an app that works on a traffic light system) or to, for example, make a reservation through an app that is also collecting COVID-19-relevant information, only a limited amount of personal data may be disclosed - potentially even less than is being collected through health declaration forms. On the other hand, if organisations mandate the use of contact tracing apps and collect data from those apps, compliance with data privacy regulation will become a very relevant consideration.
Employment law and discrimination: Organisations will need to evaluate whether it is lawful to require employees to use contact tracing apps or to deny entry to the workplace or a commercial premises on the basis of information collected from apps. In absence of emergency regulations addressing the pandemic, are employers able to treat employees and/ or visitors differently depending on their health status or recent contact with a potentially infected person?
China
Considerations for using the Personal Health Information Code (PHI-Code) system
In our first blog post in this series, we noted the widespread adoption of various PHI-Code systems (i.e. traffic-light systems) in different cities and provinces in China and that these systems were often not compatible with each other. Organisations in China have been gradually resuming operations in accordance with local government guidance. Requirements vary on whether the use of PHI-Code systems are mandatory or not.
For example, the Shanghai Government requires organisations to take visitors’ temperature at the entrance and to deny entry to individuals who have a fever or cough or display other respiratory disease symptoms. Organisations also need to disclose their COVID-19 measures to the government, record the health condition of employees and file online reports each week via a designated website. The Beijing Government requires organisations to check employee health conditions every day using the “Beijing Health Kit” (Beijing’s version of the PHI-Code system).
On 29 April 2020, State Administration for Market Regulation published a series of national standards (the PHI-Code Standards), that include standards on a reference model, an application interface and the data format for a unified PHI-Code, in an effort by the Central Government to enable users to travel within China by using a single recognised colour code system.
According to the standards on the PHI-Code data format, four types of data will be collected for the PHI-Code system:
- Personal identification information (including name, gender, nationality, identity card number, hukou (household registration), address, contact number, medical history, etc.).
- Personal health information (including body temperature, symptoms, period of stay in high-risk areas, contact with high-risk individuals, etc.).
- Travel history.
- Health assessment information (including medical test results, assessment results, risk level, etc.).
In early February, the Central Cyberspace Affairs Commission issued a Circular on Ensuring Personal Information Protection and Utilisation of Big Data to Support Epidemic Prevention and Control. The Circular recommends that competent organisations participate in the prevention and control of COVID-19 under the guidance of the government, by collecting and using data according to the following principles:
- No discrimination: avoid discriminating against specific groups of people, such as residents of individual regions (e.g. Wuhan or other cities in Hubei Province).
- Purpose: data collected by organisations for the purposes of preventing and controlling the spread of COVID-19 cannot be used for other purposes.
- Consent requirement and exceptions: data collected may not be disclosed without data subjects’ consent, except where (1) the disclosure is necessary for the prevention and control of COVID-19, and (2) the data has been de-sensitised through processing. The National Information Security Standards Technical Committee’s (TC260) guidance on how to process personal information for de-identification provides a reference for meeting this requirement.
- Protective measures: strict management and technical measures should be adopted to protect personal data from being stolen or leaked.
Once the proposed unified PHI-Code system has been fully implemented, it is likely that organisations will be required to use the system to check the PHI-Code of employees and visitors before granting entry to their premises.
In provinces/ municipalities that have not yet made the use of PHI-Code systems mandatory, can an employer require employees to install a contact tracing app on an employee’s phone or require that the PHI-Code be shown?
Data privacy
An organisation would in principle need to obtain an employee’s informed consent to install an app that is collecting personal data that is made available to the employer. The Personal Information Security Specification does, however, contain a broad exemption for collecting and using personal data without consent where directly related to the protection of public health and sanitation. The exemption will only apply to the collection of data that is required for the protection of public health. For example, if an organisation tracks an employee travel movements through an app without their consent, it should avoid also collecting less directly-related personal data such as the employee’s broader health or fitness profile, etc, which is unlikely to benefit from the exemption and should therefore be separately permissioned.
Employment law and discrimination
Organisations will not be collecting personal data merely by requiring employees and visitors to display a PHI-Code to gain entry to their premises (unless they separately record the identity of people entering the building).
If an employee refuses to either install a suitable app or declines to grant the employer access to data from the app, the employer will be permitted to bar the employee from entering the premises. Similarly, this would be a proportionate measure to take if the app data indicates that the employee has come into close contact with an infected person, etc. Employers owe a general duty of care to ensure the safety and health of the workplace.
It is, however, important that employers apply the rules consistently to all employees. But if an employer reasonably believes that any employee/ visitor represents a high risk to their colleagues, refusing them entry ought not be viewed as a discriminatory act.
Hong Kong
The use of contact tracing apps by private organisations has not been as prevalent in Hong Kong. In general, organisations have preferred the use of self-declaration forms and sought to restrict access to premises to individuals who either have self-declared symptoms or have recently travelled or come into contact with persons who are now in isolation or quarantine. Organisations wishing to adopt the use of or collect data from contact tracing apps to will need to consider the following issues:
Data Privacy
The Hong Kong Privacy Commissioner for Personal Data (the PCPD) has issued guidelines to employers on the collection of health data for the purposes of protecting employees and monitoring the spread of COVID-19 under the Personal Data (Privacy) Ordinance (PDPO). The PCPD guidelines indicate that the collection of an individual’s health status or limited medical symptoms of COVID-19 for the purposes of protecting their health or that of other employees or visitors is justifiable.
The PCPD prefers self-reporting systems to mandatory systems, but does not outlaw organisations per se from mandating the disclosure of personal data where this is proportionate to the degree of health risk. From a personal data privacy perspective, this potentially may even allow an employer to enable at the back end an app downloaded to an employer issued-mobile phone (see further below), provided that employees are informed of this in advance. Where practicable, which may not always be the case, the PCPD states that data should be processed in an anonymised or de-identified way.
Under most circumstances, disclosure of the name of an infected employee (without their consent) will not be considered necessary or proportionate. Issuing a notice that a member of staff/ a member of staff in Team A/ on floor 37 is infected would usually suffice.
Employees and visitors must be informed of the data collection through the provision of a Personal Information Collection Statement (PICS) at the time of collection. The PICS should explain what data is being collected, the purposes for which it is being collected (such as whether this includes contact tracing) and the classes of persons (e.g. public health authorities) to whom personal data can be transferred.
If the organisation is collecting the data at a reception desk, the PICS could for example be displayed conspicuously on the counter top or handed to visitors in written form.
The PDPO does provide an exemption for the disclosure of data without consent to health authorities for protecting the health of an individual or the public. Personal data - such as the location of an individual or the fact they have come into contact with another infected individual - may be disclosed without consent if not doing so is likely cause serious harm to the physical or mental health of that individual or to the public at large. In separate guidance, the PCPD has, however, construed the exemption fairly narrowly to permit disclosure “solely for the purposes of tracking down and treating the infected, and tracing their close contacts”, and generally only to permit disclosure to health authorities.
Employment law and discrimination
Employers have obligations to protect (as far as reasonably practicable) the health and safety of all employees. Since workplaces are private premises, employers are free to restrict entry to visitors in accordance with their own rules.
Under the Disability Discrimination Ordinance (the DDO), employers cannot restrict access to a public area or refuse to provide goods, services or facilities to a person with a disability, unless this would impose unjustifiable hardship on the employer. However, the DDO does not apply to a person with an infectious disease (which includes COVID-19) and where the otherwise discriminatory act is reasonably necessary to protect public health. Therefore, any such restrictions by employers cannot be challenged on the grounds of discrimination alone.
However, an employer will need to think carefully about using a contact tracing app to exclude an employee (rather than a visitor) from the workplace. An employee has a general duty to comply with the reasonable and lawful directions of the employer. In these circumstances, it could be reasonable and lawful for an employer to ask specific employees to stay away from the workplace in light of a contamination risk. However, an employment contract involves a series of reciprocal obligations and an employer will need to be careful not to breach that contract by denying an employee access to the workplace, giving rise to a potential breach of contract or a claim for constructive dismissal. An employer should therefore check what is set out in its underlying employment contracts and policies and have a clear protocol prescribing what will happen if an employee is not permitted to enter the workplace, e.g. the employee will be asked to work from home for a period of 14 days, etc.
Can an employer require employees to install and activate a contact tracing app? Employers will again need to consider the terms of their internal policies and employee handbooks to see whether an employee can be required to install and use a specific app, especially this type of surveillance software. It will also be important to ensure that any employee data protection policies cover the use of such an app and as set out above, that employers think carefully about their data privacy obligations. The position will be more difficult where employees are using personal and not employer-issued devices.
Where an employer, after careful consideration, decides that requiring employees to use a contact tracing app is an appropriate and lawful measure, it should ensure that it has a clear policy on what is required of employees, how the app and the data will be used, and what the consequences will be for an employee who breaches the policy. Generally, employment contracts include a broad obligation on an employee to comply with all of the employer’s policies and procedures, meaning that, in principle, a breach of a contact tracing app policy could give rise to disciplinary proceedings. However, employers may want to consider whether to seek express consent from each employee in relation to the new measure, as part of its wider employee communications.
Singapore
In our previous blog post, we explained that the Singaporean government has launched a contact tracing app named TraceTogether. However, only 17% of the Singapore population had downloaded the app a month after its launch.
On 23 April 2020, the government announced that it had developed another contact tracing app, SafeEntry, which is described as a “national digital check-in system”, which this time will be deployed on a mandatory basis. The Ministry of Health has announced that all workplaces and selected public venues (including hotels, malls and supermarkets) will be required to deploy SafeEntry from 12 May 2020 to log employees’ and visitors’ entry and exit. Users will be required to input their name, NFRIC/ FIN and mobile numbers to the app, and to use the app to “check in and out” when entering and exiting premises. The app will work on a centralised basis, storing data in a Government server for use for contact tracing.
Data privacy
According to advisories issued by the Personal Data Protection Commission (the PDPC), organisations may collect the personal data of visitors to premises for the purposes of contact tracing and other response measures. The PDPC advises that relevant personal data can be collected, used and disclosed without consent to carry out contact tracing and other measures “necessary to respond to an emergency that threatens the life, health or safety of other individuals”. In most instances, it will not be necessary to identify an infected person by name except to the health authorities. Organisations will also be permitted to collect visitors’ NRIC, FIN or passport numbers to enable individuals to be accurately tracked.
Generally, organisations required to deploy SafeEntry at workplaces will not be collecting personal data from employees and visitors directly. Instead they will need to direct attendees to their premises to scan the SafeEntry QR code (or alternatively scan a barcode on the app), through which means the app will log the person’s entry to the premises.
If a visitor is not able to use their own device to “check-in” with SafeEntry, an organisation will be required to “check-in” the visitor on the organisation’s own device, which will represent an act of data collection. In that scenario, the PDPC recommends that organisations take reasonable precautions to safeguard the data, including:
- As far as possible, using a dedicated device to collect the data. If possible, a factory reset should be done before using the device for the collection of data.
- Regularly checking the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken, and ensure that the SafeEntry app and OS are updated regularly.
- Restricting access to the device by locking the screen when not in use, and using password or biometric protection for login.
Organisations that collect personal data for contact tracing should provide a brief notice to individuals that their personal data is being collected for that purpose. This notice should be displayed conspicuously at the point of collection. The PDPC has also published a recommended sample notice.
Employment law and discrimination
Singapore is gradually easing its “circuit-breaker” lockdown period. From 12 May 2020, organisations will be responsible for ensuring that employees and visitors use SafeEntry and to communicate and explain these measures to employees before resuming operations. Given organisations’ regulatory responsibility, it would be reasonable to deny individuals entry to private premises should they refuse to use SafeEntry. However, if an employee does refuse to use SafeEntry or does not wish to return to the workplace, organisations will be required to ensure that the employee is able to work from home, provided he or she is able perform their role remotely.
Singapore does not have comprehensive legislation dealing with discrimination against individuals with disabilities or medical conditions.
Japan
The Cabinet Secretary Tech Team for Prevention of COVID-19 is currently developing a contact tracing app using Bluetooth technology which is likely to be introduced sometime in May. As currently envisaged, the app will function on the decentralised model. The signature of another app the app comes into contact with will be stored locally in an encrypted form and not transferred to any external server. If a user infected with COVID-19 registers this fact in the app, the app will alert other users it has encountered within the past two weeks. The alert will be provided on an anonymous basis (i.e., no information on the place, time or the identity of the encounter will be shared).
Organisations wishing to use contact tracing apps to protect employees will need to consider the following data privacy and employment law issues.
Data privacy
Organisations that request or require employees and visitors to use the government-developed contact tracing apps are, according to the current design, unlikely to be collecting personal data directly. The tracing information remains on the phone.
Data privacy concerns are more likely to arise for organisations if they require employees and visitors to use contact tracing apps on organisation-provided devices or to provide contact tracing information through their own apps (or offline). The Personal Information Protection Commission (the PIPC) has stated in its guidance that that the use of contact tracing apps should be voluntary.
If an organisation handles personal data directly through its own contact tracing app or collects data from individuals to input into an app, it will be required to:
- Specify the purpose of for which the personal data is being collected as clearly and explicitly as possible, either on screen or separately.
- Obtain the user’s consent when collecting sensitive personal data (youhairyo kojin jouhou, e.g. a positive diagnosis for COVID-19) and sharing personal data with any third party, including by informing the data subject of the identity of the third party and the purpose for which the data will be shared.
- Store contact history data only for an appropriate length of time from an epidemiological perspective and afterwards delete it.
- Implement appropriate security controls in respect of all data collected and supervise personnel in their handling of the data.
- Establish a system to handle inquiries and complaints from users.
The Personal Information Protection Act contains an exemption to permit organisations to disclose sensitive personal data to central authorities that request it, without obtaining the data subject’s consent. An organisation may also disclose personal data to third parties, including government authorities to protect human life or enhance public health. However, organisations should consider whether it is in fact necessary to disclose the identity of an infected individual of if it is sufficient only to disclose to individuals the fact that they have come into contact with an infected person.
Employment law and discrimination
Organisations can of course install and activate contact tracing apps on employees’ devices if they voluntarily consent. However, obtaining consent from all employees may not be realistic any may be refused. Can an employer go one step further an require employees to install and activate a contact tracing app, or push an app to a work device?
Employers have a duty under Japanese law to secure a safe workplace environment for all employees. On the other hand, organisations should be careful not to intrude on the privacy of their employees in a disproportionate manner. It is therefore important for employers to carefully review the functionality of any apps they propose to deploy and the privacy footprint. Apps that avoid collecting specific information such as personalised contacts or location information are clearly preferable from that perspective.
Organisations should ensure that they disclose to employees how the app and the data will be used, and what the consequences will be for employees who breach the organisation’s policy.
Lastly, if there is a reasonable concern that an employee may have become infected, an employer may bar the employee from entering the workplace. Ideally the decision should be based on a specific provision in the organisation’s rules of employment that specifies the circumstances in which an employee can be prohibited from entering the workplace.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?