Antibody tests and GDPR

More and more employers now offer their employees antibody tests for the purpose to find out whether the employees have been ill with covid-19 or not. The tests are often carried out by a private care provider, even so the employer may come to process personal data on employees’ health. This article briefly guides you on what employers should have in mind in such situation.

What is health data?

All data related to the state of an individual’s past, current or future physical or mental health constitute health data. “Health” shall therefore be interpreted broadly and includes everything from illnesses to broken joints and vitamin deficiency. According to the GDPR, health data merit specific protection.

The following are examples of personal data that, directly or indirectly, constitute health data:

  • Result from an antibody test that indicates if a person has or lacks antibodies against covid-19.
  • Data from a survey in which the employee answers questions regarding its health, such as questions on symptoms or if the employee belongs to a risk group.
  • Data that is not by itself a health data but linked to a health data.

When can I process health data?

The main rule is simple, processing of health data is prohibited, however there are a number of exceptions. An employer may for instance process health data if necessary to fulfil its obligations under the Swedish employment legislation. The employer’s work environment responsibility entails, for example, that they shall investigate possible risks for employees to be exposed to infection as well as prevent infection and spread of infection.

An employer shall in accordance with the principle of data minimisation only process relevant personal data and within the scope of the purpose. The employer should, if not necessary, avoid using the names of employees that have tested positive for antibodies against covid-19. If an employee is working from home due to the result of the antibody test, the employer should avoid informing internally about the reason why the employee does so.

What information should I give to the employees?

Employers have an extensive responsibility to provide information. Data subjects shall amongst other have been informed of the processing, its reason and how the data is processed. If the employer wishes to process personal data for a purpose other than it was originally obtained, employees must usually be informed of this before this second processing is carried out.

Some practical tips

  • Inform about the processing of personal data.
  • Have routines for how health data should be processed, e.g. who can access them.
  • Instruct those who process health data on how to treat such data.
  • Ensure safety during the processing, e.g. note that health data may not be sent over open networks in unencrypted e-mail.

If necessary, carry out an impact assessment before initiating the processing.

Back to news