The Data Protection Authority’s Temperature Checking Guidelines for the COVID-19 Pandemic

The Argentine Data Protection Authority (the “DPA” after its acronym in Spanish) acknowledged that during the COVID-19 pandemic, temperature checks are reasonable measures that both public and private entities can put in place to prevent the spread of the virus.

However, temperature checks can potentially impact privacy and data protection; thus, the data controller must pay special attention to Argentine Data Protection Law No. 25,326.

To that effect, the guide recognizes that when any public or private entity performs temperature checks ─be it using a digital thermometer, thermal cameras or similar equipment─, they are processing legally protected personal data.

In that sense, and while digressing slightly from the European Data Protection Authorities’  criteria, under the guide, the Data Protection Law applies regardless of whether the recorded temperatures are registered in a database or not.

As to specific recommendations, the guide provides that retail stores and employers in general are both authorized by law to perform temperature checks and that they are entitled to deny entry to its premises if a person’s temperature exceeds that authorized by the applicable health authorities.

The same applies to those visiting public agencies if the agency has a specific protocol in place in accordance with local sanitary and health regulations.

On the use of thermal cameras or similar equipment that enables automatic processing of personal data, the guide stipulates that human revision has to be guaranteed (even more so when that processing could have significant consequences on the data subject). In that regard, though not yet a formal requirement under Argentine law, the guide suggests conducting a privacy impact assessment before putting a system in place that enables automated processing, in accordance with the principles established in the joint Privacy Impact Assessment Guide issued by the Argentine and Uruguayan Data Protection Authorities.

In addition, the guide states that the data controller should take into consideration all applicable general principles concerning lawful data processing, including quality of the data, minimization, information of the data subject, deletion, and purpose (no personal data should be processed for purposes other than or incompatible with those on the basis of which it was collected). 

Regarding the information to be provided to the data subject, the guide lists essential information depending on whether the data is registered in a database or not, including clear information as to the data subjects’ rights and the fact that the Agencia de Acceso a la Información Pública is the controlling authority under the Argentine Data Protection Law before which the data subject can file any claims.