In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.
The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared.
Such plans of action may contain various measures so that employees may work from to avoid having to take public transportation to commute to work. In this context, companies may need to collect personal data that they do not normally collect such as cell phone numbers, home phone numbers, private email addresses as well as the kind of transportation means that employees use to come to work.
In order to minimize the risks related to such collection of private data, the CNIL reminds employers that the collection of personal data must comply with the European and French data protection requirements.
The Agency said that such collection does not raise any particular legal issues as long as:
- the employees are well informed of the end-purpose of the collection (in this respect, the CNIL provides on its website a sample notice to be disclosed to employees when collecting personal data: www.cnil.fr);
- the employees communicate their personal data on a voluntary basis;
- the companies take all the necessary steps to safeguard the confidentiality of the collected data (i.e., by having their employees send the data directly by mail or email to the individual appointed by the human resources department to collect the data);
- the access to the data is exclusively restricted to employees of the human resources department duly identified by the employer, or employees belonging to the crisis unit specially set up for the pandemic flu; and
- the employees continue to benefit from their rights to access their data and rectify inaccurate data about them.
If the collection is limited to the employee’s personal contact information and means of commuting to work, the CNIL stated that companies do not need to "declare" (under French data protection law, companies are required to notify the French data protection authorities of ("declare" to them) the databases they maintain containing personally identifiable information) the databases to CNIL as long as they have:
- already appointed a data privacy officer (i.e., generally an employee specifically hired to ensure that the company complies with the French data protection law); and
- already declared their human resources databases.
Aware of the seriousness of the business impact of the flu and of the necessity to ensure the continuity of the businesses of companies located in France, the CNIL has decided to cooperate with the French Labor Ministry in order to specify further its recommendations to better combine the protection of personal data and an efficient management of the risks linked to the pandemic flu.
Further recommendations will be issued in September.