CNPD Guidelines in Times of Covid-19
Given the current situation of public health crisis, which has led to the widespread use of teleworking and distance learning, the protection of personal data is particularly relevant. For this reason, the Portuguese National Data Protection Commission (“CNPD”) has published several relevant guidelines in the employment, educational and Public Administration context, which aims to ensure the collection and processing of personal data in compliance with the legislation in force:
Below you can then find the answers, in accordance with the above guidelines, to the questions that are often asked on this subject. We point out that the answers provided herein do not constitute a legal advice.
IN THE EMPLOYMENT SECTOR:
A. Remote control during teleworking
- Are remote surveillance tools to monitor the employee’s performance allowed?
Although maintaining his powers of direction and control of the work performed by teleworking, the employer cannot resort to means of remote surveillance.
In particular, the employer cannot use software to monitor working time and inactivity, the web pages visited, which capture images of the working environment, or which monitor and record when an application is accessed (such as TimeDoctor, Hubstaff, Harvest or Toggl), as the collection and processing of this type of data is considered to violate the principle of data minimization.
Moreover, the employer cannot oblige the employee to keep the video camera on, nor can he/she record teleconferences.
- Thus, what control measures can the employer undertake?
The employer may set objectives, create reporting obligations and schedule meetings by teleconference, for example.
- Can the employer resort to time recording technologies?
Yes, provided that such technologies merely reproduce the record made at the employer’s premises (i.e., record of the start and end of the activity and lunch break).
In the absence of such specific technologies, the employer may, inter alia, control the working hours and availability of the employee by creating an obligation to send an email, SMS or telephone contact.
- Can the employee use the work tools for personal purposes?
If the employer has made available information and communication technology tools (such as computers) for the purpose of teleworking, the employee should only use them for the work performance.
B. Collection of health-related data from employees
- Can the employer measure the body temperature as a precautionary measure of the spread of the virus in the workplace?
According to recommendation of the CNPD, employers may not collect and record the temperature of their employees or other health information or any potential risk behaviors.
Nevertheless, the Portuguese Government approved the Decree-Law no. 20/2020 (of May 1), which expressly authorizes the measurement of the employees’ body temperature for the purpose of access and permanence in the workplace, forbidding, however, its registration.
- Who can collect and process such data?
Since these are sensitive data and therefore subject to an enhanced protection regime, their collection and processing can only be carried out by health professionals in the context of occupational medicine.
- When returning to work at the employer’s premises (post-confinement), how can employees’ health data be collected?
When returning to the work premises, the collection of health data can be done by the employee by filling in questionnaires about health-related information or health-related private life data (e.g., if he/she has been in contact with people infected with the virus).
However, it should be noted that the collection of health data is only legitimatized if it is carried out directly and exclusively by the occupational health professional.
- What can employers do to prevent the new coronavirus from spreading to employees in the workplace?
Employers can intensify the hygiene care of employees (e.g., with regard to hand washing and disinfection) and adopt organizational measures with regard to the distribution in the workspaces or employees’ physical protection and some surveillance measures, according to the guidelines of the General Health Directorate.
IN THE EDUCATIONAL SECTOR:
A. Guidelines on the use of distance learning technologies
- What precautions should educational establishments adopt in the context of distance learning?
There are several CNPD recommendations on the use of distance learning platforms (such as Zoom, Microsoft Teams and Moodle). In particular, educational institutions should:
- Prefer platforms that have well-defined personal data processing purposes;
- Evaluate their technical means for implementing these platforms in order to avoid tools that overload their systems, making them unsafe and prone to cyber-attacks;
- Inform the professors on the correct use of the platforms in order to avoid certain risks for the users’ privacy; and
- To raise awareness in the school community about good practices and precautions to be followed in the use of these technologies.
- Can educational establishments use videoconferencing tools?
Yes, educational establishments can use videoconferencing tools. However, they should opt for technologies that involve less exposure of the student and his/her family environment whenever possible (e.g., through the use of discussion forums).
- Can educational establishments resort to learning analytics platforms?
The use of learning analytics platforms, i.e., platforms that provide pedagogical content adapted to each student through automated decision making based on artificial intelligence systems, is legitimate as long as students give their explicit, free, informed and specific consent. Additionally, the student’s right to obtain human intervention in this process must be guaranteed.
IN THE PUBLIC ADMINISTRATION SECTOR:
- Disclosure of information related to people infected by COVID-19
- Can a Municipality or Local Authority disclose personal data of those infected by COVID-19?
No, local authorities are prevented from disclosing identification or contact data of persons infected by COVID-19, as there is no legal basis for this, which specifically protects the rights and interests of the data subjects.
- What if the Municipality or Local Authority only discloses data concerning the number of infected people in that territorial area without disclosing their identification?
It depends. In cases where the disclosure of such information would easily allow the identification of infected people, namely when the geographical area is inhabited by a small number of people, such information should not be disclosed.