
Data Protection in France during Covid-19

Published on 18 May 2020 | Reading time approx. 3.5 minutes

Here is some news in a nutshell about data protection in France during Covid-19.


Processing of health data and geolocation

The French data protection authority (the CNIL) has issued recommendations for employers about what they can and cannot do, in accordance with the GDPR and the French data protection act, in order to respect employees’ privacy.

Information about employees’ health is classified as “sensitive personal data” within the meaning of article 9 of the GDPR, and the processing of such data is subject to particular scrutiny.
 
Employers can process health data relating to a data subject where it is necessary for the employer to comply with its legal obligations in relation to health and safety. 
 
Even in case of an epidemic, key principles of the GDPR must apply.

If contamination is reported, employers can collect some data such as:

  • the date and the identity of the person suspected of having been exposed;
  • the organizational measures taken (containment, teleworking, orientation and contact with the occupational physician, etc.).

The employer will thus be able to communicate to the health authorities, at their request, the information relating to the nature of the exposure that is necessary for any health or medical care of the exposed person and to limit contamination.

According to the CNIL, it is not possible to collect data in a systematic and generalized manner, or through individual inquiries and requests, to seek possible symptoms presented by an employee or his/her relatives. 
 
For example, it is not possible to:
  • take daily temperature readings of employees or visitors;
  • ask employees for their medical records;
  • collect and process information about the health of employees’ relatives.

These recommendations are likely to change as the spread of the virus progresses. In this regard, it is recommended to keep informed through the Government’s website and to be attentive to official guidelines.

Teleworking 

The health crisis linked to Covid-19 has led several companies to set up telecommuting, sometimes in a hurry and in a disorganized manner, in order to preserve at least part of their activity. An uncontrolled implementation of telework accentuates the security risks for the companies that resort to it (information theft, fraud, ransomware, etc.).
This can go as far as putting the company in outright danger from cybercriminals who try to take advantage of a vulnerability and of the digitization of nearly all of the company's internal procedures.

What are the risks?

  • Phishing: These are messages (emails, SMS, etc.) that aim at stealing confidential information (passwords, bank details, etc.) by impersonating a trusted third party (colleague, superior, etc.). This practice can lead to the hacking of e-mail accounts, access to information systems, false orders or false transfer orders, etc. For example, on the 21st of March, a French wholesaler working for pharmacies was offered an order of more than 6 million euros in hydro-alcoholic gel and masks by swindlers posing as a supplier known to the company.
  • Hostage-taking of information systems, or ransomware: This type of attack consists in encrypting or preventing access to the company's information system in exchange for a ransom payment. It may be accompanied by data theft or prior destruction of backups, as well as by the suspension of the affected company's activity. As an example, on March 22nd, the Paris Hospitals (AP-HP) fell victim to a cyber-attack consisting of a massive wave of connections to their servers. Although the attack was brought under control by the AP-HP, this type of attack is likely to become widespread and concern both public institutions and private companies.
  • Data theft: This type of attack consists of breaking into the company's information system in order to steal data, with the aim of blackmailing the company by threatening to resell the data or distribute it to third parties in order to harm it. This can lead to a suspension or even a total halt of activity, depending on the data concerned, as well as damage to the company's image and reputation.

What are the best practices and measures to adopt?

As the activity of most companies is already impacted by the health crisis, preserving the security of the information system, which is at the heart of their operations, must be a priority.  

You will find below a non-exhaustive list of recommendations and good practices, which will have to be adapted on a case-by-case basis: 

  • Reinforcement of security measures to detect or prevent cyber-attacks: Each company should work with its CIO and/or CISO and/or IT service provider to strengthen authentication procedures (stronger passwords, two-factor authentication where possible) and check that all security updates are applied, etc.
  • Use of professional tools: It is advisable for each company to provide, as far as possible, professional tools to teleworking staff and to avoid the use of personal equipment (mobile phones and computers), whose security level is often deficient or difficult to control.
  • Awareness raising of teleworkers: The following recommendations, among others, should be communicated to staff:
  1. Exercise caution in regards to messages of unknown or unexpected origin (e.g. mentioning a good deal, a refund, an order confirmation, etc.); 
  2. Be aware of the risk of false orders or changes in bank details (always check the information with the person in question by other means); 
  3. Make updates (especially security updates) as soon as they are available on all connected equipment (servers, telephones, computers, etc.); 
  4. Download only applications authorized by the company (on professional hardware) and through official platforms; 
  5. Make regular backups of data and keep a disconnected copy; 
  6. Notify the hierarchical superior or the IT department in case of doubt; 
  7. Remind them, if necessary, that the IT charter may provide for sanctions in the event of non-compliance with its provisions.


What to do in the event of fraud or a cyber-attack? 

In case of fraud or a financial scam, the company must act quickly and contact its bank in order to block the last transfer made, within 24 to 48 hours.

Any fraud or financial scam making use of the internet must be reported on the PHAROS platform set up by the Government.

Finally, in case of a personal data breach (loss, hacking, etc.), companies must notify the CNIL within 72 hours.

Country specifics

Relations with the CNIL during a state of health emergency

The CNIL has announced, through a communication of 17th April, that its activities were not suspended despite the situation and that it intended to minimize the slowdown.

The CNIL has indicated that it will give priority to dealing with cases related to the COVID-19 epidemic. It has indicated that it will nevertheless carry out all of its missions and minimize the slowdown in its activities. Lastly, it indicated that most of the time limits granted to its users to respond to its requests or decisions are extended to take account of this exceptional context.

CONTACT

Leila Benaissa

Lawyer, Head of data protection and IT law

+33 1 56 92 39 14
