Buckley LLP attorneys summarize key privacy issues employers face as they implement return-to-work plans and discuss how companies can minimize these concerns while maximizing workplace safety.
Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based on a number of different statutes.
Employers must honor privacy rights when they obtain, use or disclose personal information of their employees and other data subjects, but there are steps companies can take to maximize workplace safety while also respecting employee privacy.
Local and Global Guidance
Regulators such as the California attorney general, the New York Department of Public Health (NYDPH) and the European Data Protection Board (EDPB) have consistently emphasized that privacy regulations remain in full force during this pandemic. As a consequence, every company needs to be careful about how it collects and shares personal information about its employees’ health, which could limit activities ordinarily deemed essential — such as contact tracing.
Even laws that were not designed to bestow privacy rights can frustrate a company’s efforts to keep employees safe. The Americans with Disabilities Act, for instance, might prevent it from disclosing when a certain co-worker presents symptoms of COVID-19. The Equal Employment Opportunity Commission updated its guidance on March 21, 2020 to permit companies to conduct certain medical examinations that detect potential COVID-19 infections, but still requires that any information obtained by the medical examination be kept confidential.
But many more privacy laws still proscribe the unilateral collection of certain personal information. For instance, under both the General Data Protection Regulation and the ePrivacy Directive, companies doing business internationally must obtain employee consent prior to the collection of any personal information; article 9 of GDPR only allows the collection of biometric and health information during public health situations.
Bottom line: a company likely needs to have certain processes in place if it wants to screen its employees’ health in the workplace.
Key Privacy Issues
There are key privacy issues at all phases of information management, including collection, retention, disclosure and use.
Collection and Retention
Certain privacy laws, such as the GDPR and the California Consumer Privacy Act, require a company to notify its employees of both the categories of personal information (including biometric data) it collects and how it intends to use the information. The CCPA requires notification at or before collection. A return-to-work campaign that prompts employers to collect health information would trigger this “notice at collection” provision. Additionally, if the employer decides to repurpose previously collected employee information in order to use it to address the pandemic, that decision would trigger the need for additional disclosures to explain the new use of the previously collected information.
When in doubt, employers should err on the side of transparency regarding the purposes of collection, types of collection and the use of the information, consistent with the above objectives of workplace safety. Optimally, the scope of collection will be consistent with pandemic policies and procedures that were effective prior to return-to-work.
Companies may not be able to collect certain types of information. Many companies use questionnaires and temperature checks to screen returning employees. Under EEOC guidance, any logs of specific health information of employees are considered medical records that may be regulated under state and federal privacy and health laws, including the Health Insurance Portability and Accountability Act. Some jurisdictions, such as New York and Miami-Dade County, prohibit employers from collecting and storing specific temperature information on employees, in addition to other medical-related data.
States increasingly include biometric information among the personal data protected by their data breach laws. For example, employers seeking to capture infrared thermal scans as part of an automated screening system would need to safeguard those scans against unauthorized access (both internally and externally).
Employers should identify specific health information that is not essential to ensuring workplace safety and consider whether its collection will create burdensome compliance issues. For instance, a daily log of the exact temperature reading of an employee, or a detailed list of symptoms the employee has, is excessive documentation for purposes of verifying whether the employee meets the guidelines for suspected COVID-19. On the other hand, information about whether the employee passed or failed on a particular date and whether health authorities were notified is essential and relevant. By conducting consistent screenings based on applicable CDC guidelines and only storing essential information, such as whether the employee had reported in and passed or failed the test, companies can avoid the inadvertent collection of medical information.
Employers should maintain policies governing the secure storage of any records collected and restricting access only to those involved in the screening process. Any policy the employer maintains regarding pandemic response should also provide criteria for the destruction of retained personal information when it is no longer useful.
To minimize privacy and litigation risks associated with health screening while maintaining a safe workplace, employers should:
- Maintain contact logs and evidence that screening and/or questionnaires were conducted daily.
- Maintain the minimum information required to ascertain the employee’s condition (e.g., only note whether the employee passed or failed on a particular day, but not retain the specific temperature of the employee).
- Restrict access to screening records and other logs to specific individuals responsible for monitoring workplace health.
- Store health records in a confidential location or on a password-protected secured drive, separate from an employee’s file.
- Retain information for only as long as needed to maintain workplace safety; securely dispose of any records that are no longer required.
Disclosure and Use
Privacy laws often limit an employer’s ability to contact trace and notify its employees of positive or suspected COVID-19 infections. Though these regulations may ultimately inhibit containment of the pandemic, the California attorney general has reminded consumers of their privacy rights under the CCPA during COVID-19. Additionally, international regulatory bodies such as the EDPB have reiterated the full force of the GDPR during the pandemic, particularly as it relates to biometric and health information under article 9. The EDPB’s guidance also directs companies to consult member states’ national law regarding any public health exceptions for disclosure (as permitted under GDPR article 9).
Under a “Safety First” directive, a company would announce which employees have tested positive for COVID-19 to prompt the rest of the workforce to evaluate their own past interaction with that carrier. However, the ADA generally prohibits employers from sharing the results of a medical examination or a health-related survey. Providing such notice would break the confidentiality of those individuals’ medical records, amounting to a violation of EEOC regulations.
Under the EEOC guidance, only those who need the employee’s diagnosis to prevent the direct threat of COVID-19 to others in the workplace are authorized to be informed of the medical finding. For example, the person in charge of contact tracing will need to know the identity of the infected employee. Employers can also alert health authorities. By contrast, a supervisor should only be told that the employee is on leave without any further detail. In sum, a company must draw the line at medical confidentiality in its efforts to defend itself against the coronavirus.
The ADA’s rule largely prohibiting disclosure in these circumstances presents a challenge for employers who want to notify people about their potential exposure to COVID-19 but cannot do so without revealing the infected employee’s identity. As an example, a company may want to notify a client if the contact person with whom they interacted has subsequently tested positive for the virus. If only one employee interacted with the client, disclosure of a possible exposure necessarily also discloses the identity of the infected employee.
In its guidance, the EEOC recognizes that sometimes people will guess who the infected individual is, and advises that, even if the guesses are correct, the company should not confirm the person’s identity.
Companies could consider obtaining consent from the infected employee to share their name, but the ADA does not list the employee’s consent as a legitimate exception or defense. If the employer feels strongly about getting in touch with the client, it should consult with counsel beforehand to discuss steps to mitigate the risk of relying on the employee’s consent to the disclosure.
Still, express consent remains the best course for companies seeking to share information regarding an employee’s health status. Additionally, sharing and cooperating with health authorities is strongly encouraged and can shift contact-tracing responsibilities to those authorities.
Third-Party Contact-Tracing Applications
Several companies, including Apple and Google, have announced plans for the deployment of anonymized contact-tracing applications for business and personal use. In theory, deployment of anonymized contact tracing can resolve some of the issues related to privacy in the workplace. However, serious questions remain, both around the strength of anonymity and security and from a policy perspective. Some businesses may choose not to contact trace and, instead, opt to notify the appropriate state regulators. For example, in its recently released “first-in-nation” emergency workplace COVID-19 safety standard, Virginia made clear that there is no duty for employers to conduct contact tracing. Companies seeking to encourage employees to employ third-party applications for contact tracing must balance privacy risks with the potential benefits to the workforce.
Health Questionnaire and Temperature Screenings
The EEOC has temporarily allowed temperature monitoring and other medical screening of employees (which are considered “medical examinations” and not generally permitted) in light of the CDC’s issued precautions to do so. Most states have also either required or recommended that employers monitor the temperatures of their employees during this pandemic. For example, all Kentucky companies must test employees daily, and those with a fever above 100.4 degrees may not report to work. New York does not require direct temperature screenings, but does require that employees respond to a daily questionnaire (which may require employees to certify that they took their own temperature before reporting to work) as part of the screening process.
Although the EEOC and many state and county jurisdictions permit (if not require) health screenings, they often recommend no criteria or guidelines for administering any COVID-19-related examination other than that each test must be “accurate and reliable.” Some states have offered more in-depth guidance. New York’s Interim Guidelines for Office-Based Work During the COVID-19 Public Health Emergency outline several suggestions and practices, including the use of thermal cameras at entrances to detect potential employees for referral.
Employers should consult state-specific guidance regarding whether temperature screenings are mandatory and comply with any state notification requirements with respect to temperature screenings. Further, employers should ensure that third parties that conduct temperature checks on their behalf comply with applicable privacy requirements within their respective state.
It is also best practice to notify employees in advance of screening procedures and make available a documented process for conducting, accounting for and reviewing screening results regarding any symptoms associated with the virus. Employers should test consistently and deny entry based on the established COVID-19 indicators.
In these extraordinary times, the pressure to “get back to the office” may tempt some companies to reopen as soon as their city or state allows. Those companies should pause and take inventory of their privacy obligations along with medical precautions for the workplace.