The present situation of global health crisis, which has affected the whole society in a transversal way, forces us to continuously adapt the measures adopted in order to gradually recover daily life and economic activity, guaranteeing all the time public health and safety .
The actions taken by companies are, without doubt, crucial. For this reason, most companies are implementing various measures, in accordance with the guidelines issued by the National Institute of Social Security (INSS), with the general objective of limiting contagion and, ultimately, the spread of COVID-19.
Within the measures adopted, it is worth noting, due to their relevance and effect on privacy, checking people's body temperature before entering workplaces, shops and educational centers. In this context, the Spanish Data Protection Agency, last April 30th, published a statement where it highlights its concern about this type of actions, which are being carried out without the prior and necessary criteria of the health authorities.
In its statement, the AEPD recalls the importance of the proper treatment of workers' personal data and points out some basic guidelines to be followed:
a. The temperature is a specially protected personal data: the body temperature is a sensitive data per se and also, it allows to infer if a person suffers or not from a specific disease, as it is in this case Covid-19.
b. Implementation criteria: taking temperature would require a prior determination by the competent health authority (Ministry of Health) of its suitability and usefulness in preventing new infections. In addition, the temperature from which a person would be considered to be infected by Covid-19 would have to be set, taking into account the scientific evidence available; as well as, taking into account that many people are asymptomatic. It should not be a decision taken by each company that implements these practices, as this would imply a heterogeneous application that could lead to unjustified discrimination.
c. Principle of legality: The AEPD rules out the possibility that the legal basis for taking temperatures may be, in general, consent, as this would not be done freely (the persons affected cannot refuse without losing, at the same time, the possibility of entering the workplace). The measure could be justified by the obligation to comply with the Prevention of Occupational Risks Act (the obligation of employers to ensure the safety and health of the workers in their service). However, this action should be subject to an appropriate balance between the impact on users' rights of these measures and the impact on the level of protection of employees.
d. Purpose limitation and accuracy of data: on the one hand, (temperature) data can only be obtained for the specific purpose of detecting possible infected persons and preventing their access to the workplace. Such data must not be used for any other purpose. On the other hand, the measuring equipment used must reliably measure the temperature. If the measurement proves to be wrong, the impact on the affected person is very high.
e. Rights and guarantees: data subjects continue to maintain their rights in accordance with the General Data Protection Regulation (GDPS). In particular, the information provided to workers in relation to the processing of their sensitive data is of paramount importance.
Finally, the AEPD refers to thermographic cameras, highlighting the relevance of the principles of purpose limitation and minimisation of data, to the extent that the use of new technologies for temperature taking poses the risk of using the data obtained for additional purposes not linked to temperature taking.
Throughout the month of May 2020 there have been no new developments in this respect by the health authority, therefore, we understand that temperature taking is not a recommended prevention measure until there is a solid and reliable scientific basis.