The Italian Government has undertaken several measures over the last month to ensure a snappy re-start of strategic productive activities against the threat and challenge of Covid-19. Building on the practical hints and tips we provided on workplace safety measures (the Protocol), we hereby gave a brief summary of what to expect in the near future as well:
On 24 April, the Protocol was updated in some crucial areas:
- As a general point – all companies that fall short of providing the organizational measures and conditions to comply with the Protocol are to remain shut at least until such measures can be ensured. Although this could be potentially painful (meaning no income), it is still deemed as one of the primary defences against the spread of Covid-19 in workplaces. Furthermore, a specific committee is to be set up to verify the compliance of the stakeholders with the Protocol.
- Complete and up-to-date information will be provided to the workforce, also for data processing (i.e. a complete privacy notice).
As to entry/exit in premises
- Any worker previously tested positive with Covid-19 will provide a "Coronavirus pharyngeal swab certification- result negative", in order to be granted permission to access the premises. Such certification is issued by the local health authorities
- Such certifications provided by the workforce may constitute data processing in its own right.
- This would in turn undergo the same conditions, obligations of notice, data storage terms and general precautions as already detailed by the Protocol (and the applicable privacy framework) for any processing of personal data by employer in relation to Covid-19 containment.
- Ensure maximum collaboration from the employers in case any local health authority commences a testing campaign if the relevant territory is struck by an outbreak;
External suppliers/contractors
- In the event that any contractor's employee is diagnosed with Covid-19, the contractor will disclose such to the customer and both will collaborate with the health authorities to track who have come into close contact with the contractor's employee (including the customer's workforce). We can speculate whether this involves processing of personal data as well. The contractor should disclose to the customer the amount of data necessary for the sole tracking of its Covid-19-positive employee contacts (no other data – which would be a breach of the minimization principle). This data is to be stored and kept under the general conditions set forth by the Protocol itself.
- What about privacy roles? Such mutual collaboration with authorities could involve the processing of personal data (including the sensitive data of the Covid-19-positivity of the contractor's employee). We can assume that both parties respectively delegate to one another the processing of the personal data necessary for the virus tracking, as the authorities are expected to match and cross-reference such data.
- What about the privacy framework? It is highly advisable to set up an adequate framework with the contractor, either by inserting a specific mutual data processing clause in the service agreement or by undergoing specific in-writing data processing. The contractor and the customer should contemplate this specific processing in the privacy policy provided to the respective employees and third parties accessing the premises under Covid-19 restrictions.
Noteworthy updates
The heavily-struck fashion sector did not just lay there and watch events unfolding, as new measures to loosened up restrictions, it meant (like the sectorial contagion containment protocol – updated on 2 May last) an opportunity to get back sooner to production.
Flagship brands like Prada re-opened its manufacturing facilities in Tuscany following the adoption of specific internal protocol with even more restrictive measures, if compared to Government standard. Prada pursued workers' safety through social distancing, turnover and protection equipment, along with a serological testing campaign (roughly 1,000 per week) scientifically validated by the main hospital in Florence.
- From a privacy standpoint, it is worth to point out that such an extensive testing entails the processing (also) of sensitive data related to workers' health status. One can argue which could be the most viable and compliant processing method and, whether this would be managed directly by the fashion house or through the occupational physician and/or other dedicated personnel operating on-premises for such a scope (since all the testing will be performed into specific areas by appointed individuals).
- Similar initiatives are being pursued by Valentino ("Valentino people care") in collaboration with the University of Brescia through the adoption of re-enforced internal safety rules, along with specific advice and training for the workforce, social distancing, on-premises temperature scanning and testing. Marzotto Group is moving towards the same direction, through specific internal rules under the validation of the University of Padua. The company tried to take into account all relevant material aspects of company life (e.g. from break areas to the periodic disinfections of environments and provision to workers of protective devices), along with the constant liaising with competent authorities also to ensure safety on public transports for commuters;
- The initiative by Brunello Cucinellii in collaboration with the University of Perugia to carry out medical research on the best diagnosis and organization strategies to ensure safety for workers is also worth mentioning. The research is to gather data on potential new virus hotspots and how to react accordingly once detected, so as to mitigate production/occupation levels while ensuring the ongoing safety of the workforce.
The Italian Data Protection Authority (Garante Privacy)
Garante Privacy issued official FAQs on privacy implications of Covid-19. The document is constantly updated and ranges from data processing in schools, biomedical research all the way to other specific areas, this in order to shed some light on the multiple facets of this trending topic.
With specific reference to private employers' field, Garante Privacy provided guidelines the same rut of the Protocol, e.g. on temperature scanning. Two quite clear "no-no" stand out, namely on the disclosure of Covid-19-positive workers to the rest of the employees (this with the exceptions of appointed authorities under the current national framework and the on-site responsible for health and safety).
Worth a special mention is the specific section dedicated to contact tracing apps, a further technological aid while being effectively governed from a data protection perspective to bear fruitful (and privacy compliant) results, something we have already discussed.
Always on Garante Privacy's side
Garante Privacy made clear in the last few days through a short public notice that, for health and safety purposes within workplaces:
- The employer may not ask to the workforce to undergo serological testing; while
- Mastering the recommendation of diagnosis means and/or other anti-Coronavirus clinical methodologies shall rely solely upon the occupational physician, who shall deem such actually useful as a containment effort, having regards to the specific conditions/context of the workplace at stake from time to time.