SEROLOGICAL TESTS AND PROCESSING OF PERSONAL DATA IN THE EMPLOYMENT CONTEXT: FURTHER CLARIFICATIONS BY THE ITALIAN DATA PROTECTION AUTHORITY

21/05/2020

With a press release issued on May 14, 2020 on its institutional site, the Italian Data Protection Authority (infra “Italian DPA”) published a new version of the FAQ (“Frequently Asked Questions”) [1], clarifying some unresolved aspects about the use of data from the so-called “serological tests” of employees. In particular, the Italian DPA denied the possibility for the employer to directly carry out serological tests to its employees without an explicit medical prescription and intended to regulate the processing of sensitive health data collected by private companies and public administrations.

 

Screening Tests System
The overall Covid-19 tracking and prevention system, in the light of the recent legislative initiatives aimed at a gradual resumption of production and professional activities, appears to be strongly conditioned by the use of sufficiently rapid and reliable monitoring methods, including screening tests (so-called “serological tests”). In this regard, as pointed out in the recent Circular no. 16106 published by the Ministry of Health on May 9, 2020, serological tests are an important aid in carrying out research and epidemiological evaluation of the viral circulation of Covid-19, as they allow to estimate the spread of an infection within the relevant community [2]. Obviously, these tests do not replace in any way the actual diagnostic tools such as the molecular test (so-called “Swab Test”), which remains (at least currently) the only method to ascertain the presence of the virus in the human body.

The Italian Data Protection Authority’s clarifications
In view of the growing diffusion of serological tests as a tool for “preventive screening” in the detection of infection and in order to clarify the proper implementation of the “Shared Protocol for the regulation of measures to combat and contain the spread of the Covid-19 virus in the employment context”[3], the Italian DPA recently published concrete rules to define the scope of intervention and the responsibility of the employer in the processing and disclosure of personal data. First of all, as regards the scope of prevention measures and safety protocols in the employment context, it is impossible for the employer to carry out a serological test on his employee. “Only the appointed doctor – points out the Italian DPA – “in the context of health surveillance, can prescribe clinical and biological examinations, as well as the competent doctor can suggest the adoption of diagnostic tools, when he considers them useful for the containment of the spread of the virus and the health of workers”[4]. Consequently, only in case of specific utility and after obtaining the consent of a health professional authority will it be possible to require the employee to undergo diagnostic tests. From another point of view, it is clarified that nothing prevents an individual employer from offering its employees, bearing all or part of the related costs, the possibility of carrying out serological tests in public and/or private facilities, without however being able in any way to know the final result of the test.
COVID-19 serological screenings may be promoted by the Preventive Medicine Departments of each Region with regard to the categories considered to be at greater risk of contagion and spread of COVID-19. These include health care professionals and law enforcement agencies and the participation of these entities in the tests can only take place on a voluntary basis. The results may be used by the healthcare facility that has carried out the test for the purpose of diagnosis and to provide for the epidemiological containment measures.

Processing of Personal Data
The Italian DPA has also expressed its opinion on the conservation and treatment of information relating to the diagnosis of the employee. This information cannot be directly processed by the employer, who is not authorised to consult the reports and the specific results of the examinations carried out by his employee, except in cases expressly permitted by law. On the contrary, the official FAQs clarify that “the employer must process data concerning the worker’s judgement of suitability for the job and any prescriptions or limitations that the appointed doctor may establish”. Moreover, in order to be able to readmit the employee to work on a regular basis, the examinations and any checks deemed necessary must be carried out exclusively by the appointed doctor or other health authorities, in full compliance with the general provisions that strictly forbid the employer to carry out any kind of direct diagnostic examinations on the employees.

Conclusions:
These latest guidelines issued by the Italian Data Protection Authority come in addition to the numerous clarifications published in the last few weeks, with regard to the processing of personal data in the employment context. These include the absolute prohibition for the employer to disclose the identity of an employee affected by Covid-19. Since this health data is sensitive and confidential, the employer is required to provide the competent institutions and health authorities with the necessary information, so that they can inform the “close contacts” of the diseased employee in order to implement the required prevention measures. “Data concerning health may only be disclosed”, specifies the Italian DPA, “whether externally or within the organization an employee or collaborator pertains to, if this is provided for in the law or ordered by the competent authorities on the basis of statutory powers”.
Finally, it should be noted that, despite the clarifications made by the Italian DPA, there are still some critical aspects in relation to the effective communication and knowledge of sensitive health data within the company’s structure and to the person of the employer. Specifically, in the event that a person chooses to undergo a screening test privately and independently to ascertain its condition and results positive, this result will be reported to the competent Health Protection Agency, which will provide targeted emergency measures and the consequent obligation for the person concerned to undergo a diagnostic swab to confirm the actual presence of the virus. In this case, the specific medical data involved will be communicated to the employer, who will become aware of it through the competent doctor and will therefore have this confidential information concerning his employee. In light of this, it is clear that some aspects relating to the disclosure and processing of personal data in the employment context do not emerge with sufficient clarity from the recent integration published by the Italian DPA and do not fully comply with the reality, merely providing general and not exhaustive guidelines. It is therefore desirable to consider a new clarifying intervention to ensure the right balance between the health needs dictated by the emergency situation and the need to preserve the individual’s right to privacy.

[1] Full version document is available at the following institutional site: www.garanteprivacy.it
[2] The Ministry of Health, with the circular dated 29 April 2020, stated that “serological tests, according to WHO indications, cannot replace the molecular diagnostic test on swab, however they can provide epidemiological data regarding the viral circulation in the population, including the working population”.
[3] As published in its original version on March 14, 2020 and later amended on April 24, 2020.
[4] For further details see par. 12 of the Protocol shared between the Government and the Social Parties updated on 24 April 2020.

Paolo Rovera