The European Data Protection Supervisor states its position on taking temperatures to combat the coronavirus

Early September has seen movement at European level on data protection, one example being the European Data Protection Supervisor (EDPS) publishing orientations on body temperature checks in the return to the office (the “Orientations”). Although the EDPS is the competent authority in relation to the institutions and, accordingly, it has issued this report for these institutions, its instructions can also guide private companies.

These Orientations are particularly relevant in distinguishing between two types of temperature checks:

1. basic temperature checks performed manually and with no record or documentation of the individual’s personal data, such as using analog or digital thermometers without subsequently recording the temperature; and
2. other temperature checks, both those operated manually followed by registration, documentation or other processing of personal data (for example, if the temperature read with an analog or digital thermometer is recorded) and those operated automatically with advanced temperature measurement devices (for example, using thermal scanners or cameras).

According to the EDPS, basic checks are not subject to the existing data protection regulations for the institutions (i.e., Regulation (EU) 2018/1725, of October 23, 2018, whose regulation is similar to Regulation (EU) 2016/679, of April 27, 2016) or the GDPR but focused on European institutions and agencies, while the other checks would be subject to it under article 2(5) of Regulation (EU) 2018/1725 (equivalent to article 2(1) of the GDPR).  

This is because, under these articles, the data protection regulation only applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that are part of a filing system or are intended to be part of a filing system.” Therefore, insofar as basic manual temperature checks do not entail automated processing and, if data are not recorded, they “are not part of” and are not “intended to be part of a filing system,” they would not be included in the definition and application of these regulations.

In contrast, when using automated means (thermal scanners or cameras) or operating manually but recording or documenting the visually obtained data, the regulation will be fully applicable. This will constitute processing personal data concerning health, requiring enhanced protection, i.e., the existence of a legal basis and an exception allowing their processing. The EDPS believes it could be the institutions’ obligation to guarantee the safety of their employees, as well as the application of specific protection measures.

Furthermore, the EDPS considers that the systems for taking and recording temperatures by automated means without (meaningful) human intervention could be classified as an “automated individual decision.” Since there is no law authorizing this processing, it would not be legitimate, except with the data subjects’ free, explicit consent. Therefore, to use it with regard to employees, based on the obligations to protect employees’ health, it recommends identifying and documenting the human intervention in the process and the competence to change or decide if the temperature check is positive and results in refusing access. The EDPS gives the example of a second or third check by a doctor or nurse.

The EDPS lists a series of recommendations for temperature checks to which the data protection regulations apply. These notably include that the system should operate independently from other systems, in real time, and it should not record the thermal images or readings taken; staff should be trained; and the accuracy of the systems or whether the device manufacturer can access the information should be verified regularly.  

In summary:

In any case, the EDPS stresses that, for both types of temperature controls, it is essential

1. to regularly analyze the legality, need and proportionality of these temperature control measures in view of how the pandemic evolves and scientific advances, as well as in accordance with any ruling from the European Data Protection Board (which has not issued any to date);
2. to inform people entering; and
3. to implement the monitoring or “second chance” procedures when the initial check is positive. It is also recommended to offer a third check performed by a health care professional and using another device.

Author: Adaya Esteban