Up Again UAE: Privacy and Data


1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Temperature checks are mandated and any employee or visitor showing possible symptoms must be refused entry to the workplace. Any suspected cases of COVID-19 must be reported to the relevant health authority immediately. This is a general reporting obligation on any adult who comes into contact with a suspected case of COVID-19, not only on employers.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or have recently travelled to high-risk countries?

Employers can ask their employees and visitors to complete a questionnaire, but there is no obligation on employees or visitors to respond.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Currently, it is not possible for employers to require this.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

An employer is only permitted to tell their employees that a colleague has potentially contracted COVID-19 if that individual consents. Employers may wish to inform their employees without identifying the relevant individual, and indeed may be required to do so under their duty to ensure the health and safety of their employees, as required under Federal Law No 8 of 1980.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

An employer can share information with a health authority, but we recommend only doing so with the express consent of the individual.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

An employer can send employees’ health data to one of their affiliates outside the EEA or in another jurisdiction, but we recommend doing so only with the consent of the individual.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Consent of the individual is recommended, although there is a fair argument that this could be considered a necessary measure to comply with the guidance issued by the Ministry of Health and Human Resources which requires businesses to take necessary measures to limit the spread of epidemics in private sector organisations.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

As per Article 379 of the UAE Penal Code, consent of the individual is recommended – see below.

Under Article 18 of Federal Resolution No (38) of 2020, there is a general prohibition against collecting, copying, broadcasting, disclosing, publicising, transmitting or circulating health data or information about individuals who have tested positive or are undergoing treatment or examination with the health authorities; and against cancelling, deleting, destroying, or altering any such data or information. There is also a broadly worded prohibition against failing to comply with or violating “information security standards approved by government or private health facilities.”

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Article 379 of the UAE Penal Code prohibits a person who, by reason of their profession, craft, situation or art, is entrusted with a "secret" from using or disclosing that secret without the consent of the person to whom the secret pertains, or otherwise in accordance with the law.

There is no definition of the term "secret", but it is generally considered broad enough to cover the general concepts of personal data, as defined in many data protection laws (for example, name, date of birth, sex, religion).

There is also no definition of the terms "use" or "disclose," but the terms are again generally considered broad enough to cover respectively the concepts of "processing" and "transfer." Transfer can be to a third party or another entity within the UAE or outside the UAE.

Article 379 of the UAE Penal Code allows for the use or disclosure of a secret (i.e. personal data) with the consent of the person to whom the secret pertains. Therefore, to minimise the risk of breaching Article 379 of the Penal Code, it is generally advisable to obtain consent prior to the use or disclosure of personal data.

This can be done in a number of ways, depending on the specific context of how the data is collected and used, for example by signature against a paper consent form, or by electronic signature/tick box against an electronic consent form.

As there are no specific requirements relating to the form of the consent, it can be broad in nature, and exist for an indefinite period.

A breach of Article 379 is punishable by criminal penalty of imprisonment of a minimum of one year or a fine of a minimum of AED20,000, or both.

As Article 379 of the Penal Code creates a criminal offence, it generally contemplates that the person being prosecuted is an individual. However, Article 65 of the Penal Code also allows for a form of corporate criminal liability to apply to private juridical entities.

Such juridical persons are responsible for any criminal act committed for their own account or in their name by the entity’s representatives, directors or agents. A criminal court judge hearing a prosecution over an alleged breach of Article 379 may, however, only issue fines, confiscations and criminal penalties.

If the law inflicts a principal punishment besides the fine (e.g. imprisonment), the punishment shall be restricted to a fine not exceeding AED50,000. This does not prevent the individual offender from also being held criminally liable.

Article 65 of the Penal Code does not apply to governmental agencies and their official departments, or public organisations and establishments.

A fine of AED5,000 is applicable to those who fail to meet the security requirements referred to under Article 18 of Federal Resolution No (38) of 2020.

A fine of AED20,000 applies in respect of the prohibition against collection and disclosure of health data and other related information, as described in further detail in question 8 above.