Deloitte in the News

“Antiviral” measures for business: work under quarantine and personal data in the face of a pandemic (Part 3)

This article reviews the responsibilities of employers and employees, remote work and flexitime options, personal data protection, global trends and path of Ukraine in this direction.

Work under quarantine

The quarantine tests the flexibility of employers who have to balance out their business interests and employment rights, the stability of their companies' operation and compliance with ever-changing laws. What rules can bring to such an equilibrium?

This article is also available in 

Keep calm and carry on with your duties

The quarantine has redefined the traditional responsibilities of employers. To illustrate, ensuring a safe and non-hazardous working environment (Art. 153 of the Labor Code) with adequate protection against COVID-19 now requires an increased workplace hygiene, surface cleaning, provision of disinfectants, personal protection equipment, etc.

Medical examination of those employees for whom such examination is obligatory (Art. 169 of the Labor Code, Art. 21 of the Law of Ukraine “On protection of the population against infectious diseases”) should be continued. Persons who refuse or avoid doing so should be suspended from work (Article 46 of the Labor Code), and brought to disciplinary responsibility (Article 26 of the Law of Ukraine “On ensuring sanitary and epidemic wellbeing of the population”).

Remind your employees of their responsibilities

The employees’ routine responsibilities should be extended to include COVID-19 prevention measures:

  • Contributing to the employer's efforts in ensuring a safe and non-hazardous working environment
  • Reporting a danger to a manager or official (Article 159 of the Labor Code)
  • Taking care of own health and that of colleagues, participating in sanitary and anti-epidemic measures, undergoing mandatory medical examinations (Article 5 of the Law of Ukraine “On ensuring sanitary and epidemic wellbeing of the population”)
  • By implementing WHO and MoH's recommendations (including handwashing, social distancing, seeking medical help when needed, etc.) and reporting disease symptoms, employees will contribute to their safety.

Take temperature as required by law

Companies that keep operating during the quarantine are striving to protect their personnel from getting infected, so they take the temperature of all employees. This should be done in accordance with the relevant regulation, which, however, contains a certain ambiguity.

If interpreted conservatively (and not employer-friendly), temperature measurement falls within the concept of a “medical examination” which is compulsory only for certain categories of employees. Formally, medical check-up of other employees does not comply with Article 169 of the Labor Code; consequently, it may give rise to disputes and result in penalties for labor law violations.

However, in our opinion, the systemic interpretation of the Labor Code, the Law of Ukraine “On protection of the population against infectious diseases”, and the new "antivirus" regulations is consistent with such measurements. To arrange for voluntary measurement of the employees' body temperature, there should be issued a company order containing a reference to the requirements of laws and the safety responsibilities of the employer.

An employee's refusal may be regarded as a failure to comply with internal rules and be followed by the explanation of the consequences, or, as the case may require, medical assistance should be sought or an ambulance should be called.

This is compliant with CMU Resolution No. 255 that says that any person showing any signs of COVID-19 disease is subject to mandatory medical examination and, based on its results, to self-isolation.

A fever alone or a refusal to measure the temperature is not a sufficient ground for suspension from work, while refusal to have a mandatory medical examination or having a highly infectious disease (including COVID-19) constitutes such a ground. These grounds apply only to those employees who are subject to mandatory medical examinations or who have obtained a doctor's opinion confirming the disease.

Suspension from work on the grounds not provided for by law may give rise to a dispute with the employee, a fine, and payment of the employee’s average wage for the period of forced absence.

Use old tools, such as job sharing/rotation, leaves, part-time or dead time

Decide on the employees whose presence in the office or at production site is essential. Consider job sharing for those who perform critical functions, thus reducing the risk of disease spreading.

Other options include:

  1. Paid and unpaid leaves (Article 84 of the Labor Code), subject to the employee’s consent. According to Law No. 530, the term of an unpaid quarantine leave is not included in the total leave period (up to 15 days a year).
  2. Part time or reduced working time. This option may be applied at any time, if and when requested by the employee, or introduced by the employer subject to two months’ prior notice. Hopefully, the quarantine will be lifted earlier. If these options suit both parties, you just need to formalize them (see below how to do this remotely).

    Law No. 540 introduced partial unemployment allowance to be paid during the period of forced suspension of / reduction in production and the working hours of the employees. However, such allowance is applicable only to those employees who take measures to prevent and curb the spread of the epidemic, thus implementing the relevant decision of the local state administration.
  3. Dead time (whole or partial). This option does not require the employee's consent as the quarantine became one of the legal grounds for dead time, effective 2 April 2020 (Law No. 540). At least 2/3 of the salary should be paid during the dead time due to quarantine. The Law contains no provisions prohibiting the companies from supporting the critical categories of their employees during the dead time.

Do not ignore new tools, such as flexitime and remote working

Law No.540 proposes (or rather, makes formal) two new tools: flexible working hours and remote working. These progressive practices have long been applied by the employers (including Deloitte) in pre-quarantine times, but they were based on informal trust.

Employees working flexitime are still expected to stick to regular working hours. They decide themselves on when to work and when to make a break for lunch. Part of their time may be fixed hours, during which they must be present at their workplaces.

Remote working has been finally given a definition: a work performed by the employee (including using IT tools) either at the place of his/her residence or at any other place of his/her choice, other than the employer's premises. This redefines the employer's obligation to provide the employee with all necessary means he/she needs to adequately perform his/her job tasks (Article 29 of the Labor Code).

These means now also include corporate IT infrastructure which is expected to meet the needs of the remotely working stuff.

The standard internal policies and procedures do not apply to remote workers: they can plan their working time as they may deem fit.

Both options may be applied simultaneously. Amid quarantine, all that is needed for a company to switch to one or both of these options is to issue a relevant order; otherwise, it would be required to make changes in the employment contract.

However, even during the quarantine period, any changes in the terms and amounts of remuneration are subject to the employee's written consent.

Keep HR records remotely

The quarantine has propelled the digitalization of all employment documentation high on agenda. Until now, it remained in the talking stage. However, the quarantine caught the companies in a double bind, making them choose between the employees' safety and administrative rules compliance, on the one hand, and traveling to the office to sign a routine document, on the other hand.

If you opt for safety, you should immediately implement the electronic document management. A mail or a courier service may only be used for special and urgent tasks because, in addition to questionable hygiene of the process, it means a longer delivery time and extra costs that are so unwanted today.

The documents should be exchanged electronically:

  • Hand written applications or hand signed agreements may be scanned or photographed.
  • The employees may confirm that they have read and understood the orders via corporate email (authentication in the corporate network may override a handwritten signature).
  • Videoconferences or other practical actions may be used to confirm the implementation of new arrangements and rules (subject to documentation of all legal deeds as soon as possible, meaning right after the quarantine).

Although orders of the Ministry of Justice on recordkeeping and archiving do not allow us to completely switch from using paper-based HR documents so far, however, in our opinion, this is quite possible if supported by clear and creative formalization of new remote procedures.

As people are more important than outdated paperwork traditions, the state should immediately develop new rules.

Global challenge vs privacy: Personal data in the face of a pandemic

Over the last decades, the civilized world has been focusing on the development of legal systems that are centered on humanistic values, an individual, one’s rights and freedoms. In the age of global digitalization and transparency, these systems enabled the development of personal data protection environment, which has resulted in the adoption of the General Data Protection Regulation (GDPR). Today, data protection is being faced with an unprecedented challenge posed by COVID-19 pandemic at the level of the states and business employers.

Global trends

Smartphone has become a key source of personal data. The GPS, Wi-Fi, Bluetooth, and mobile data make it possible to pinpoint the exact location of a person. Amid a pandemic, the governments use these data differently for the analysis and forecasting purposes.

The UK regulator, known for its conservative views, has approved only the use of anonymized smartphone geolocation data to monitor the compliance with the quarantine rules. A similar decision was made by Germany, Italy and Belgium. In technical terms, the anonymization means the removal of pieces of information that allows to associate data with a specific person. In legal terms, anonymized data are not considered personal, thus putting such data outside the scope of the GDPR regulation and most national laws. However, the anonymization is quite a risky method, because in combination with other data a person can sometimes be identified. For example, anonymized data from the 2017 Strava fitness tracker allowed to reveal the location of several US military bases.

As for Europe, it has opted for a liberal approach allowing to process mostly anonymized data subject to compliance with the principles of purpose limitation and proportionality set out in Article 5 of the GDPR. The latter directly points to the possibility of processing personal data for the epidemic monitoring purposes: “(…) processing may serve both important grounds of public interest and the vital interests of the data subject as for instances when processing is necessary for (…) monitoring epidemics and their spread" (clause 46 of the Preamble).

One of the most concise descriptions of the EU privacy policy is reflected in a quote by Věra Jourová, Vice-President of the European Commission for Values and Transparency: “We definitely will not follow the path of China or Israel, where the use of technologies to track people goes beyond what we want to see in Europe.”

What technologies have led to the emphatic statements made by Věra Jourová, who was listed in the Top 100 Most Influential People in 2019 by Time magazine for promoting GDPR?

China and Israel use mobile applications to track and monitor population movements. The Israeli Security Service uses personalized geolocation data from smartphones to identify people who were in contact with the infected persons, and the Ministry of Health sends text messages to such individuals informing them of the contact being recorded and ordering them to self-isolate.

Personal data processing policy of China deserves special attention. Methods that are ambiguous in terms of privacy are not something new to the residents of the Celestial Empire. One of the striking examples is the social credit system. Under this system, people are required to use a mobile application that analyzes the user's movement history and assigns a QR code of corresponding color – green, yellow or red – to inform people about their probable state of health. The QR code serves as a type of additional ticket to access the subway or other public places. If you do not receive a much “desired” green QR code, you will not be able to move freely, and the results will be sent to the police for monitoring.

Could the preventive measures involving control and monitoring be still considered as democratic and non-excessive? Every society and government has to answer this question based on their own value systems. It is necessary to consider the threat level faced by a particular state and to comply with the principle of data minimization. However, if the government takes responsibility for the entire population’s data and refrains from abusing its powers, the question may sound differently. Isn’t it in each person's own interest to be aware of the risk of being infected, for example, in the event of a contact with an infected person?

What path did Ukraine take?

The Ministry of Digital Transformation of Ukraine has launched a mobile application to monitor the compliance with self-isolation rules by the citizens who are required to do so. Using the application, a person registers at the place of self-isolation. After this, a person receives messages sent several times a day with the request to download confirmation of his/her staying at home (FaceID, selfie, geolocation data). The data received are then validated using artificial intelligence.

According to the Ministry of Foreign Affairs, the concept of the Ukrainian mobile application is based on the experience of China and Israel (the countries where “the use of technologies to track people goes beyond what we want to see in Europe”) as well as South Korea, Poland and Georgia. It is interesting to note that the download of application is not mandatory.

Challenges faced by Ukrainian employers

In the fight against coronavirus and the economic crisis, the business, as always, has to rely on itself. Moreover, it has to take care of people: ensuring of safe working conditions for employees is a direct responsibility of an employer (Article 153 of the Labor Code). However, the legislation does not specify measures that can be taken to fulfill this obligation. The limitations of the Data Protection Law (hereinafter, the “Law”) only adds to the uncertainty. The Law makes it possible to process employee health data when it is necessary “to exercise the rights and duties of an owner in the field of labor relations in accordance with the law and to ensure an adequate level of protection” (Article 7). The regulators have not specified what kind of data processing is required in order to fulfill the employer's obligation to provide employees with safe working conditions amid fighting the spread of coronavirus. So for now, business has to act at its own discretion.

In terms of compliance with the laws, it is relatively easier for the companies that opted for stringent quarantine measures. However, many businesses continue to work, including manufacturing sector companies. Regular measuring of the employees’ body temperature, monitoring of other symptoms, and mandatory completion of questionnaire about staying abroad are just some of the most common measures taken by the employers. Most of such measures require data processing the legality of which still remains an open question.

The ways of combating the spread of the virus without violating the employees’ right to privacy
  1. Choosing the right legal basis for data processing

    The law allows an employer to choose from the two legal grounds for processing health data: consent of an employee or, if required, fulfillment of an employer’s obligations in the field of labor relations (Article 7). In the context of a relationship with an employee, a consent may be invalidated due to a “conflict” between an employer who requests such a consent and an employee who may feel forced to provide it. Moreover, the consent can be withdrawn at any time, which could be a barrier to the implementation of measures. Therefore, we recommend processing employee data in instances where the law clearly defines the employer’s rights or obligations that cannot be exercised or fulfilled without such data processing. This is where the labor law provisions will prove useful. For example, if an employer is required to ensure safe working conditions (Article 153 of the Labor Code).
  2. The stuff but not the fluff

    The business should analyze, on case-by-case basis, whether the planned measures are an excessive intrusion on the employees’ privacy or not. It should only collect the minimum amount of data required to achieve the specific purposes, look for ways to achieve the purposes with less intrusion on the employees’ privacy, and to immediately delete data that are no longer needed.
  3. Informed means armed

    An organization has to inform its employees about the type and content of data collected, their rights, the purpose of data processing, and the persons to whom the data will be transferred (Article 12 of the Law). The law does not define any specific requirements to the format of notification. In practice, such notifications can be made via corporate emails, sign off on the employees’ acknowledgement of the preventive measures or in other ways. Proper communication will help to clarify the need for preventive measures, such as measuring of body temperature, self-reporting of symptoms or trips to the countries with high virus incidence. An organization needs to build partnership with its employees to combat the spread of the virus. This has even been enshrined in the Labor Code, which imposes an obligation on employees to cooperate with an owner to ensure safe and non-hazardous working conditions (Article 159).
  4. Medical examinations

    The law defines the categories of employees for whom medical examinations are mandatory (Article 169 of the Labor Code, Article 21 of the Law on Protection of the Population against Infectious Disease). For other employees, there is a possibility for conducting voluntary examinations, especially if such employees do not work remotely. This is also consistent with CMU Resolution No. 255: if a person has signs of COVID-19 disease, such a person is subject to mandatory medical examination, which may result in self-isolation. Moreover, the Kyiv City State Administration (KCSA) has obligated all businesses that receive visitors (for example, companies in food trade sector) to measure body temperature of all employees on a daily basis.

    If medical examinations are conducted by a third party (health care provider), such a party shall not have the right to disclose the medical examination results to an employer. This may be a surprise to many, but medical information is deemed a medical secret. The law prohibits the disclosure of such information at the place of work without the consent of an employee (Art. 39-1 of the Fundamentals of Legislation on Healthcare). To obtain this information legally, an employer is required to obtain a consent from an employee, which will expressly permit the disclosure of the examination results.

    Therefore, an employer has to strike a balance between the right to privacy and the fulfillment of an important duty – to protect the health of all employees and people around. To do this, an employer needs to follow the law: obtain an employee's consent to the disclosure of medical information, conduction of voluntary medical examinations, etc.

Will the privacy “recover” from restrictions?

The governments and businesses around the world use personal data to fight the pandemic. It is not always the case that they want to (or even can) respect the right to privacy, given the unprecedented situation and the measures being taken. Most of these (sometimes dubious in terms of privacy) measures are justified by the need to protect the vital interests and public health.

Human rights are undergoing one of the most trying and challenging times since they have been enshrined in the Universal Declaration of Human Rights (1948) and the European Convention on Human Rights (1950). Now it is difficult to predict how the COVID-19 outbreak will affect the right to privacy, as it is the first pandemic of this scale since the adoption of the above documents.

Will the situation return to normal after the pandemic is over? How will the world and the attitude to human rights change? We hope that the pandemic will end soon and the privacy will recover from the restrictions, at least in the developed democracies (and in Ukraine, which strives to join the list of such countries).

In collaboration with Dmytro Pavlenko, Tax & Legal Director at Deloitte Ukraine, lawyer, PhD in Law.



Did you find this useful?