COVID-19 Contact Tracing Apps and Employee Privacy
The corporate world is slowly returning to normal as businesses reopen around the world. However, for the workplace, it is a “new normal” as employers are faced with the need to remodel the workplace to safeguard employee health in these unprecedented times. One of the measures businesses and employers are adopting to curb coronavirus transmission in the workplace is the use of contact tracing applications. However, with these digital platforms comes the need to protect employee privacy.
In the wake of the coronavirus pandemic, tech giants and researchers adopted contact tracing applications as one model to help curb transmission of the virus. These applications track physical proximity between individuals, notifying anyone who comes in contact with another user who later tests positive for COVID-19. The individuals who may have been exposed to the infected individual are then advised to self-isolate and take measures to protect the health of others.
Adopted in the workplace, these applications are an effective way of early identification of at-risk employees or those who may have been exposed to the virus. This, in turn, helps to prevent the spread of the virus to the rest of the workforce. But the main concern employees have about this technology is the safety of their health information.
Given the high threat COVID-19 poses to the health of employees, the Equal Employment Opportunity Commission (EEOC), Occupational Safety and Health Administration (OSHA), and the Americans with Disabilities Act (ADA) allow employers to implement robust measures to provide a safe environment for their employees - and this also includes the use of contact-tracing apps.
According to these regulations, protecting the workforce against COVID-19 is a valid business reason to adopt contact-tracing apps that capture relevant employee health data. Many of the privacy laws have been relaxed to allow employers to access even the most personal data, such as an employee’s location. However, there are issues of data privacy and security employers must acquaint themselves with before using these tools.
Consent and Disclosures
First, employers must have a clear COVID-19 policy that states what type of contact tracing application will be used in the workplace, what data are stored in the app, and what such information will be used for.
Most contact tracing apps use Bluetooth or Wi-Fi signals to collect user data and transmit an anonymous ID to other mobile devices near it. When two users come in close contact, the app generates a digital token, which helps to trace people who have been exposed to the virus after a matched user gets the infection. Some apps also use geolocation to track where an employee is and with whom they have had contact. Others send questions to users to report if they have any COVID-19 symptoms.
In some states, employees are required to give consent before these apps can obtain these data.
Under California law, for instance, both app developers and employers must separately provide notice to and obtain consent from users about data the app collects. Laws such as the California Consumer Privacy Act (CCPA) require employers to provide specific notice before collecting data, with consent to use the information. The Illinois Biometric Information Privacy Act also provides strict rules that regulate what data employers can collect through these applications.
However, the US still lacks comprehensive federal legislation on data privacy regarding information collected and stored by contact tracing apps, although a few bills have been introduced.
In early June, some Senators introduced the Exposure Notification Privacy Act, which would regulate the use of contact tracing apps in the workplace. The bill prohibits the use of contact-tracing applications that are not operated in collaboration with public health authorities and limits the kinds of data such apps can collect. Further, the Act empowers users to control their engagement in such apps, such that they can withdraw their participation or delete their stored data at any time.
Other Senators also introduced related bills, such as the Public Health Emergency Privacy Act and the COVID-19 Consumer Protection Act, which guide consent, use, and enforcement of contact-tracing applications.
Although none of these bills has been passed, employers need to watch closely for any change so that their contact-tracing policies remain consistent with federal laws.
Storage of Health Data
Different applications store data in different ways. Some apps are cloud-based, storing information in a central location accessible to individuals with the password, while others store the information on the device itself. Further, while some apps have a fixed retention period, in others the data could be stored on the app for as long as possible. Employers need to understand how these applications work to choose the one with the least impact on employee privacy.
The Centers for Disease Control and Prevention (CDC) recommends that the data should be encrypted and stored only on a user’s device before voluntary sharing with public health authorities. The data should also be stored with multi-factor authentication to reduce privacy risks.
Further, how much information an app collects is also a valid privacy concern. Applications that store volumes of personal data may be less likely to protect employee data privacy. Employers should opt for the app that collects and stores the minimum required amount of data.
Another concern regarding how these apps store data is how long the data stay on the app. Employers should opt for apps that allow storage of data for only as long as they are relevant. For instance, if an individual reports no symptoms on a workday, such information may be discarded at the close of work, as “no-symptom” data may not be relevant for COVID-19 monitoring after that day.
Access and Use of Data
Although the data the app collects are anonymized, employees should treat these medical records as confidential. Access to employee health information should be limited to authorized personnel who need to track COVID-19 exposure in the workplace. Further, if an employee tests positive for COVID-19, such information should remain confidential and employees who had contact with that individual should be notified via the app without revealing his or her name.
According to the EEOC, ADA, Family Medical Leave Act (FMLA), and California’s Fair Employment and Housing Act (FEHA), medical information collected by the application should not be used in discriminatory ways against an employee and should not be divulged to a third party without express consent obtained from the affected employee.
Nonetheless, employers are encouraged to share employee medical information captured in the app with medical authorities. This is necessary to ensure the affected workers are following quarantine orders and are receiving treatment when necessary. However, within the workplace, information collected by these platforms should not be shared beyond the designated COVID-19 monitoring team.
Contact-tracing applications offer an innovative and effective way to curb COVID-19 transmission within the workplace; however, they come with privacy risks that may cost an employer greatly. Employers, therefore, are advised to understand applicable privacy laws and regulations, and how they impact the deployment of COVID-19 digital tracking in the workplace.