Collecting data on coronavirus: Legal limits

The idea is, of course, captivating: simply to be able to give a wide berth to those people who have become infected with the coronavirus. But how do you know who carries the virus but shows no signs of illness? How do you recognise someone who is immune? And in general: Which transmission routes does the virus take in the population? Not only are many experts currently debating these questions, but various technological applications are also being tested which should help to answer these questions. The crux of the matter is that this involves health and patient data. These are considered to be particularly worthy of protection in terms of data protection. And data worthy of protection may not be passed on without the consent of the person concerned. This now seems to be in conflict with many of the measures that have been adopted within the framework of the Covid 19 Ordinance of the Federal Council or are recommended by the FOPH. A Weblaw AG webinar on April 21, 2020 addressed practical issues surrounding coronavirus from a legal perspective. We have compiled a few discussions in the following sections.

Data protection in the company

In the wake of the Covid 19 pandemic, issues surrounding occupational health management are literally becoming more virulent. Employers are dependent on not having too many employees absent due to illness. Preventative measures such as split work, home office where possible, or even shutting down operations entirely seem to have worked well so far. But what if a Covid 19 case actually occurs in a company now? What health information may, indeed must, be disclosed by employers and affected employees? In principle, these questions are regulated by Art. 328b of the Code of Obligations as well as by the articles in the Labour Code relating to health protection. "What is required by labor law does not require consent," explains lawyer Dr. David Vasella, partner at the law firm Walder Wyss AG in Zurich. Accordingly, employees must inform their employer within the scope of their duty of loyalty if they suffer from Covid-19. They must provide information regarding the duration of their inability to work, possible infections of third parties, or if they have recently been in a risk area or if a person living in the same household has contracted Covid-19. By providing this information, employees contribute to the employer's risk assessment for the entire company. Conversely, the employer must inform the employee how it will use this information. In connection with its duty of care, the employer must also inform other employees of suspected cases and infections. So here too, the disclosure of health data is permitted, "within reasonable limits and after giving notice to the employee concerned," explains David Vasella. "In principle, however, such information must be provided without naming the employee," the expert continues. Unless it is a matter of checking contacts with other employees, who may then have to be sent into quarantine.

Covid-19 testing by employers?

In China, many companies that have resumed operations after the complete shutdown have taken to testing employees for symptoms before they start work. Would this also be permissible in Switzerland from a data protection perspective? Is an employer allowed to ask about symptoms? "Yes," says expert David Vasella. Taking a temperature and using thermographic cameras is also permissible, "as long as it makes sense," he adds. Saliva and blood tests would also be permissible if this method is more suitable than taking a temperature. However, these tests may only be carried out by trained personnel. However, the Data Protection Act sets limits here when it comes to passing on personalised information. This would be the case, for example, if such tests had to be evaluated in foreign laboratories. For this purpose, the data must be anonymised, for example by means of a barcode.

But what about the data that the FOPH publishes daily as "case numbers"? Is this not also patient data that is subject to data protection? The answer to this question is provided by the Epidemics Act (EpG). This law obliges doctors and laboratories to forward clinical findings to the FOPH via a reporting form. The aim behind this is the early detection and monitoring of communicable diseases. For this purpose, the disclosure of personal data is permissible in the sense of an exchange of information between authorities (EpG Art. 59).

Contact tracing apps: "Emotionally charged topic"

The possible use of so-called contact tracing apps is controversial - and not only in Switzerland. Epidemiologists such as Marcel Salathé from EPFL see this as a suitable means of better identifying the ways in which the virus spreads. There are already a number of providers of apps that warn against contact with people who may be infected. EPFL and ETH Zurich are also working on such a solution, but recently dropped out of an international project due to a lack of transparency about what will happen to the data that will necessarily be collected. And it is precisely this question that makes the discussion about such apps "emotional", as lic. iur. David Rosenthal, secretary of the Association for Corporate Data Protection (VUD), notes. He refers to recent articles in the daily press about the danger of possible attacks on people who are reported as "infected" via an app. And the question of whether such broad surveillance possibilities would not open the door to further abuses also divides supporters and opponents.

Technically, there are two approaches: South Korea, which is often cited as an example, practices GPS location tracking. There, the whereabouts of people who declare themselves as "infected" or "not infected" via an app are recorded. This information can be used, for example, to generate maps with "danger points", i.e. places where an infected person might be. The solution approach favoured in Europe is based on Bluetooth technology. The tracing app sends out an anonymous, changing identifier to all mobile devices in the vicinity. If the identification of an infected person is in the vicinity, a warning is issued. The prerequisite, however, is that persons who have tested positive report this finding to a central server.

Whichever solution is propagated: It must be "data protection compliant". According to David Rosenthal, this is largely the case, because in most cases there is no personal data at all. This means that the Data Protection Act would not apply here at all. However, the "perceived data protection" is different: here it is essentially a question of how comfortable the users are with the matter and how likely they consider abuse by the providers of the app to be. This is what the experts are currently arguing about. "And that is poison for the perceived data protection," emphasizes David Rosenthal.

Voluntariness sets limits

For contact tracing apps to be of any use at all, over 60 percent of the population would have to participate as users. Whether this can be achieved through voluntary participation is doubtful. The fact that people voluntarily install an app may not be a problem. But who wants to voluntarily report a diagnosis? And who voluntarily goes into quarantine on it, especially if they don't feel sick? Here, only an authoritarian solution "à la chinoise" would be practicable ... And who sets the parameters and operates the central infrastructure? What kind of protection against so-called trolls, i.e. users who operate on a whim with false information? Such questions still need to be clarified.

The question of whether such contact tracing apps are medical devices has also not yet been clarified. If so, they would have to undergo an approval or certification process. This means that an app manufacturer would first have to submit a corresponding application to Swissmedic. Given the current situation, however, such a process would probably be quite unbureaucratic and approval would be granted quickly.

"There is no shortage of technical solutions and experts," concludes David Rosenthal. "People are looking for the perfect solution, but this will not be found. There is a danger of overengineering," the expert continues. What is needed is a reality check that also provides for plausible abuse scenarios. Rosenthal does not really consider legal data protection to be a problem. "The Federal Council must now get its act together, otherwise it will remain a mere gimmick," he warns. Because the longer it is discussed, the greater the mistrust. At the time of going to press, the following was known: According to information from the FOPH, an in-house development of the ETH is to be introduced in Switzerland from 11 May.