In a non-binding opinion published in May, the Slovenian data protection authority (the IP), gave its view on the extent employers are permitted to use data regarding employees’ health. This opinion was given in the context of signed statements from employees confirming whether they belong to an “at-risk” group for the purposes of managing COVID-19 risks.
The IP concluded that Slovenian law required employers to obtain a statement as to whether an employee belonged to an at risk group so they could manage the risk. This meant employers could rely on the condition in Article 9(2)(b) of the GDPR to use that health data. However, the IP also concluded that this did not entitle employers to require workers to submit supporting evidence or other documentation related to their health. This was because “it is only the health profession that can assess which workers belong to the risk group”.
This is only one opinion issued by one data protection authority. However, it is certainly useful in understanding the extent data protection authorities may consider health data can be collected and used to assess workers for susceptibility to COVID-19, particularly under Government mandated measures, such as the Irish Return to Work Safely Protocol
The full opinion can be found be found at: https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1635
