Taking customers' temperature as COVID-19 prevention: What you need to know
At this point in 2020, torn between our daily obligations and the COVID-19 outbreak, it’s safe to say that we have all been there: 6 feet apart from each other, waiting in a line to get inside the supermarket, slowly advancing towards one of the employees to have our forehead scanned by an almost futuristic device and be checked for fever, one of the main symptoms of the virus.
The device beeps, the employee checks your body temperature on the device’s screen and you’re free to go.
While this is an attempt by many businesses to increase safety for their customers, it raises the question of how this fits with data privacy regulations and how customers and business owners alike can check whether or not the business complies with the GDPR.
Luckily, the European Data Protection Supervisor (EDPS) has shed light on the subject and recently published guidance for European companies on complying with the privacy regulations under the GDPR when performing body temperature checks on their customers and staff.
According to the EDPS, whether body temperature is considered personal data under the scope of the GDPR depends on the context of the measurement and the means used by the company to guarantee that no data will be stored, shared, or linked to an individual.
Body temperature checks won’t be subject to the GDPR when they are performed manually with a thermometer, are not followed by registration, storage, or processing of the collected data, the data isn’t shared with third parties, and it is not possible to identify the individual from the information. In this case, the data is simply read and deleted after the responsible employee has checked that the individual is not feverish.
On the other hand, body temperature data will be subject to the GDPR if the check is performed with other systems, such as manually or automatically operated electronic devices, and is followed by registration, sharing, and storage of the collected data in the company’s or a third party’s database.
This type of personal data is categorized under the GDPR as a special category of personal data, or sensitive personal data, that can only be processed under specific legal circumstances, as it’s delicate information about someone’s health that could result in stigmatization and even discrimination in the context of a global pandemic.
Because of the number of people coming and going every day in urban sites and the ease of using an electronic device to safely measure body temperature from a distance, this is the scenario that most companies will fall into, and that means they now have to guarantee the protection of their customers’, visitors’, partners’ and staff’s body temperature data when testing them.
Fortunately for companies and for the public interest, the GDPR allows collecting and processing health data such as body temperature whenever there is explicit consent from the individual being tested or when it is done to protect the individual’s and society’s health, safety, and life, and, of course, when the company adopts privacy protection measures, such as:
- Keep the temperature data collection and storage to the minimum necessary and guarantee that it is only performed when necessary to ensure general health safety;
- Make it independent: don’t link the scanning device over the internet, by cable, or by Bluetooth to any internal or external databases, IT systems, or other devices. This prevents data from being shared and linked to an individual, keeping the data anonymous;
- Avoid placing CCTV (closed-circuit television) cameras near the collection point inside the company’s facilities, so that images of individuals being tested are not captured and later used to identify them;
- Buy scanning devices from trustworthy suppliers and always calibrate them to be as accurate as possible;
- Be transparent: always inform individuals that their health data is being collected by the scanning device, and explain to them the purpose of performing temperature checks and the maximum temperature allowed to get inside the facility, be it verbally or by placing visible and easy-to-understand signs within the building;
- Train the personnel who will be in charge of the temperature checks to understand the importance of privacy and to interpret results;
- Always stay up to date with the latest privacy news and trustworthy global health news and guidance, and review your safety measures if necessary.
Last but not least, be aware that although we are living through an atypical and uncertain period as to how the COVID-19 outbreak develops, the EDPS’ guidance on the subject will certainly be a precedent for future global discussions about how to stay compliant with privacy regulations regarding the special categories of sensitive personal data, especially medical and health information.