COVID-19: Balancing Employee Privacy and Protection
After several months of closure, businesses are beginning to resume on-site operations, and employers are implementing return-to-work plans to safeguard the workplace amid the coronavirus pandemic. However, in achieving maximal workplace safety, employers are faced with the hurdle of ensuring their health safety measures do not violate employee privacy.
As part of plans to safeguard the workplace and limit the spread of coronavirus in the workplace, employers leverage employee health data, including temperature checks, medical history, and COVID-19 test results, to track and prevent the spread of the disease. Well-intentioned employers who seek to optimize workplace safety using these data may risk incurring penalties if privacy laws are breached, even if such breaches maximize workplace safety. It is imperative, therefore, for companies to acquaint themselves with relevant data privacy regulations to minimize the privacy impact of workplace COVID-19 preventive measures.
Privacy issues arise in each phase of data management, including data collection, storage, and use. These elements pose concerns to employees and must be consistent with applicable guidance.
Data Collection and Storage
Some privacy regulations, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), require an organization to notify its employees of the types of information it will collect and how it intends to use it. If employers would repurpose previously collected information, according to the CCPA, employers must also explain how the information will be re-used.
Essentially, these policies limit the scope of data collection’ for instance, temperature screenings. The Equal Employment Opportunity Commission (EEOC) permits employers to conduct daily temperature checks as a vital step to identify potentially infected persons, but this is prohibited in some states. In New York and Miami Dade County, for instance, employers are not required to collect specific information such as specific temperature readings or blood pressure readings.
In these jurisdictions, a daily log of workers’ temperature readings is considered excessive documentation for identifying individuals with suspected COVID-19. Employers can simply note if the employee passed or failed a temperature check for that day, based on a set temperature indicator.
In contrast, all companies in Kentucky, New Hampshire, and Vermont are allowed to measure and store exact temperature readings, and those with a fever above 100.4 degrees would be asked to work from home and visit their healthcare provider.
Employers must also ensure data minimization when preparing questionnaires. Avoid screening workers with questions that are too broad and reveal sensitive data that may be irrelevant for workplace safety. These surveys should also be anonymous and voluntary unless local guidance recommends otherwise.
For companies seeking to use third-party contact tracing applications, data privacy regulations also apply. Tech giants Apple and Google have announced plans to deploy anonymized contact tracing applications for corporate and individual use; however, concerns about data security have limited the use of these apps. Many countries have discontinued the use of these contact-tracing apps after cases of data breaches were reported. If a company wishes to use such an application in the workplace, it must ensure they meet data privacy requirements or risk incurring penalties.
Employers should ensure that data storage is in line with current guidelines. Store health records in a confidential location, protected with a password and other authentication measures. Storing health screening or COVID-19 test data in email strings or shared drives risks data privacy compromise. For employers using contact-tracing applications, a device’s location data may be de-identified and encrypted to protect the user.
Further, employers should disclose explicitly to their workers how these data would be stored and for how long. Only retain collected information for as long as it is useful to safeguard the workplace, and securely dispose of them when they are no longer needed.
Data Use and Disclosure
Even after employees consent to the collection of their data, they still worry about who has access to these data and with whom the data is shared. For instance, an employer may decide to announce which employees have tested positive for COVID-19 to protect the rest of the workforce and identify those who might have had exposure to the infected individual; however, the Americans with Disabilities Act (ADA) prohibits this.
Under the EEOC guidance, only persons that need the employee’s health status to protect others in the workplace should be informed about the test result. This means, for instance, that only the person in charge of health monitoring and contact tracing should be aware of who may have tested positive for COVID-19. Management staff and supervisors may only be informed that the affected employee is on medical leave, but the reasons for the leave should not be divulged.
This is similar to COVID-19 data policies in Mexico, New Zealand, and Denmark, which also prohibit disclosure of employee COVID-19 information.
However, this rule poses a dilemma for employers who want to notify the rest of the workforce or a client about possible exposure to an infected employee without identifying the person. In this situation, employers may obtain consent from the affected employee before notifying other workers. However, the ADA poses a barrier to this; according to ADA, employee consent is not a defensible factor in disclosing the employee’s data to other employees. For companies that use contact-tracing apps, users can simply be notified that they had just being exposed to an infected employee on the same app, without mentioning any names.
Further, employers are encouraged to share employee COVID-19 data with health authorities to ensure the employee is taking necessary steps to access care and follow quarantine orders. However, within the workplace setting, an employer risks privacy breaches if such data is shared beyond the designated response team.
For survey and questionnaire data, access should only be limited to a designated response team, who will decide if to isolate an employee for further evaluation and investigations without the rest of the workforce knowing.
Employers are eager to get their workers back to the office as coronavirus restrictions are being lifted in many parts of the world. However, introducing the “new normal” of work involves taking steps to safeguard workplace safety. This involves measuring, tracking, and using patient health data to make decisions to protect the workforce. This is where employers must be careful to ensure that the collection, use, and disclosure of employee health data do not compromise employee privacy.