Thermal cameras are taking on a major role in temperature monitoring at workplace or shop entrances. Although their preventative value in monitoring the temperature of those accessing busy places is clear, we cannot forget that taking images of people who want to access a building, even when those images are not stored, has data protection implications.
Furthermore, body temperature is health data and, therefore, must be stringently protected, as the Spanish Data Protection Agency (AEPD) warned in a recent statement.
In any case, the collection of temperature data must be governed by the principles stipulated in the General Data Protection Regulation (GDPR), including the principle of lawfulness. This means that the processing must have a lawful basis as set forth in data protection legislation on special categories of data (articles 6.1 and 9.2 of GDPR).
Thermal cameras in the return to the office
In a workplace setting, a possible lawful basis could be the obligation of employers to ensure the health and safety of their workers in matters relating to their job. This obligation would also serve as an exception that would allow the processing of health data and as a lawful basis for processing.
However, GDPR also requires in such cases that the regulation permitting this processing establish appropriate safeguards. These safeguards must be specified by the data controller.
How to ensure regulatory compliance
What can you do to ensure data protection if you use one of these cameras in a business, an office building, or any other setting? We recommend you follow these steps:
- Update your record of processing activities.
- Advise that the camera is being used.
- Analyse the need for a privacy impact assessment (PIA).
- Conduct a PIA if the analysis gives a positive result or signals risks.
- Set up a data disclosure protocol and another concerning the right not to be subject to automated decision-making.
- Ensure security measures comply with article 32 of GDPR.
- Establish procedures for data processing in accordance with article 5 of GDPR.
Rights and safeguards
When using this type of system, it is very important to remember that data subjects still have the same rights under GDPR, and that the other requirements of the Regulation, whilst adapted to the specific conditions and circumstances of this type of processing, are still applicable.
Accordingly, measures for providing workers, clients, and users with information on this processing (particularly if their data is to be recorded and stored) must be considered. Likewise, measures should be established that allow those who record a higher than normal temperature to respond to the decision to refuse them access to a specific site (for example, by stating that their raised temperature is due to other reasons). Staff must, therefore, be qualified to assess these additional reasons, or a procedure must be implemented that ensures the appeal is handled by someone who is capable of granting access where applicable.
It is similarly important to establish data storage periods and criteria for cases which are recorded. In principle, given the purposes of processing, this recording and storage should not occur, except when it can be justified by the need to contest any possible legal actions arising from the decision to deny access.
We can help you
If you are thinking about installing one of these thermal cameras or already have one but are not sure you have followed these steps properly, remember that at Sothis we want to help you drive forward your business with data protection guidance from our specialist Information Governance and Security department.
Tell us about your case and we can help you.