Sunday, January 24, 2021
Corporate Compliance Insights

Reopening Well: Balancing Employee Privacy with Employee Safety

Privacy Considerations Are a Crucial Part of Return-to-Work Plans

by Elizabeth McGinn, Amanda Lawrence, James Chou and David Rivera
August 18, 2020
in Data Privacy, Featured

Buckley LLP attorneys summarize key privacy issues employers face as they implement return-to-work plans and discuss how companies can minimize these concerns while maximizing workplace safety.

Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based on a number of different statutes.

Employers must honor privacy rights when they obtain, use or disclose personal information of their employees and other data subjects, but there are steps companies can take to maximize workplace safety while also respecting employee privacy.

Local and Global Guidance

Regulators such as the California attorney general, the New York Department of Public Health (NYDPH) and the European Data Protection Board (EDPB) have consistently emphasized that privacy regulations remain in full force during this pandemic. As a consequence, every company needs to be careful about how it collects and shares personal information about its employees' health, which can limit activities ordinarily deemed essential, such as contact tracing.

Even laws that were not designed to bestow privacy rights can frustrate a company's efforts to keep employees safe. The Americans with Disabilities Act (ADA), for instance, might prevent an employer from disclosing that a particular co-worker is showing symptoms of COVID-19. The Equal Employment Opportunity Commission (EEOC) updated its guidance on March 21, 2020 to permit employers to conduct certain medical examinations that detect possible COVID-19 infection, but it still requires that any information obtained through such an examination be kept confidential.

Many privacy laws go further and restrict the unilateral collection of certain personal information. Under the General Data Protection Regulation (GDPR), for instance (and, where electronic communications data is involved, the ePrivacy Directive), a company doing business in the EU must have a lawful basis before collecting any personal data about its employees, and European regulators caution that employee consent is rarely a dependable basis because of the imbalance of power in the employment relationship. Article 9 of the GDPR prohibits processing of biometric and health data altogether unless one of its enumerated exceptions applies, such as processing necessary for public health purposes or for obligations under employment law, and the scope of those exceptions depends in part on member-state law.

Bottom line: a company likely needs to have certain processes in place if it wants to screen its employees’ health in the workplace.

Key Privacy Issues

There are key privacy issues at all phases of information management, including collection, retention, disclosure and use.

Collection and Retention

Certain privacy laws, such as the GDPR and the California Consumer Privacy Act (CCPA), require a company to notify its employees of both the categories of personal information (including biometric data) it collects and how it intends to use that information. The CCPA requires notification at or before collection. A return-to-work program that prompts an employer to collect health information therefore triggers this "notice at collection" provision. Additionally, if the employer decides to repurpose previously collected employee information to address the pandemic, that decision triggers the need for an additional disclosure explaining the new use of the previously collected information.

When in doubt, employers should err on the side of transparency regarding the purposes of collection, types of collection and the use of the information, consistent with the above objectives of workplace safety. Optimally, the scope of collection will be consistent with pandemic policies and procedures that were effective prior to return-to-work.

Companies may not be able to collect certain types of information at all. Many companies use questionnaires and temperature checks to screen returning employees. Under EEOC guidance, any log of specific employee health information is a medical record that may be regulated under state and federal privacy and health laws, including the Health Insurance Portability and Accountability Act (HIPAA). Some jurisdictions, such as New York and Miami-Dade County, prohibit employers from collecting and storing specific temperature readings for employees, in addition to other medical-related data.

States increasingly include biometric information among the personal data protected by their data breach laws. As a result, an employer that captures infrared thermal scans as part of an automated screening system must safeguard those scans against unauthorized access, both internal and external, and a compromise of that data may itself be a reportable breach.

Employers should identify specific health information that is not essential to ensuring workplace safety and consider whether its collection will create burdensome compliance issues. For instance, a daily log of the exact temperature reading of an employee, or a detailed list of symptoms the employee has, is excessive documentation for purposes of verifying whether the employee meets the guidelines for suspected COVID-19. On the other hand, information about whether the employee passed or failed on a particular date and whether health authorities were notified is essential and relevant. By conducting consistent screenings based on applicable CDC guidelines and only storing essential information, such as whether the employee had reported in and passed or failed the test, companies can avoid the inadvertent collection of medical information.

Employers should maintain policies governing the secure storage of any records collected and restricting access to those involved in the screening process. Any policy the employer maintains regarding pandemic response should also set criteria for the destruction of retained personal information once it is no longer needed.

To minimize privacy and litigation risks associated with health screening while maintaining a safe workplace, employers should:

  • Maintain contact logs and evidence that screening and/or questionnaires were conducted daily.
  • Maintain the minimum information required to ascertain the employee’s condition (e.g., only note whether the employee passed or failed on a particular day, but not retain the specific temperature of the employee).
  • Restrict access to screening records and other logs to specific individuals responsible for monitoring workplace health.
  • Store health records in a confidential location or on an encrypted, access-controlled drive (a password alone is not sufficient protection), separate from the employee's personnel file.
  • Retain information for only as long as needed to maintain workplace safety; securely dispose of any records that are no longer required.
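The list above amounts to a data-minimization design: reduce each screening to a pass/fail verdict at the point of collection, expose full records only to the screening role, give supervisors nothing beyond "cleared" or "not cleared", and purge on a fixed schedule. The following is an added example of that design in Python; it is not code from the article's authors or from any regulator. The 100.4 F threshold mirrors the Kentucky rule quoted later on the page, while the 14-day retention window and the role name "screening-coordinator" are hypothetical assumptions.

```python
"""Minimized COVID-19 screening log.

Added example for this article; not code from Buckley LLP or the regulators
it cites. Hypothetical assumptions: the 100.4 F fever threshold, the 14-day
retention window, and the role label "screening-coordinator".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

FEVER_THRESHOLD_F = 100.4                    # assumption: fever cut-off quoted for Kentucky
RETENTION_DAYS = 14                          # assumption: hypothetical retention window
SCREENING_ROLES = {"screening-coordinator"}  # assumption: hypothetical role label


@dataclass(frozen=True)
class ScreeningRecord:
    """The only fields retained: identity, date, pass/fail, notification flag.

    There is deliberately no temperature or symptom field, so the log never
    becomes a medical record of specific readings.
    """
    employee_id: str
    day: date
    passed: bool
    authorities_notified: bool = False


def evaluate(temperature_f: Optional[float], symptoms_reported: bool) -> bool:
    """Reduce the raw screening inputs to a pass/fail verdict.

    The temperature and symptom answers are consumed here and discarded;
    only the boolean result reaches the log.
    """
    if temperature_f is not None and temperature_f >= FEVER_THRESHOLD_F:
        return False
    return not symptoms_reported


class ScreeningLog:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, date], ScreeningRecord] = {}

    def record(self, employee_id: str, day_iso: str,
               temperature_f: Optional[float], symptoms_reported: bool) -> ScreeningRecord:
        """Store a minimized record for one employee on one day (ISO date string)."""
        day = date.fromisoformat(day_iso)
        rec = ScreeningRecord(employee_id, day, evaluate(temperature_f, symptoms_reported))
        self._records[(employee_id, day)] = rec
        return rec

    def mark_authorities_notified(self, employee_id: str, day_iso: str) -> ScreeningRecord:
        """Flag that health authorities were told about a failed screening."""
        key = (employee_id, date.fromisoformat(day_iso))
        old = self._records[key]
        new = ScreeningRecord(old.employee_id, old.day, old.passed, True)
        self._records[key] = new
        return new

    def query(self, requester_role: str,
              employee_id: Optional[str] = None) -> List[ScreeningRecord]:
        """Full records are readable only by the screening role."""
        if requester_role not in SCREENING_ROLES:
            raise PermissionError(f"role {requester_role!r} may not read screening records")
        return [r for r in self._records.values()
                if employee_id is None or r.employee_id == employee_id]

    def supervisor_view(self, employee_id: str, day_iso: str) -> str:
        """What a supervisor may see: cleared / not cleared / not screened, nothing more."""
        rec = self._records.get((employee_id, date.fromisoformat(day_iso)))
        if rec is None:
            return "not screened"
        return "cleared" if rec.passed else "not cleared"

    def purge(self, today_iso: str) -> int:
        """Delete records older than the retention window; returns the count removed."""
        cutoff = date.fromisoformat(today_iso) - timedelta(days=RETENTION_DAYS)
        stale = [k for k, r in self._records.items() if r.day < cutoff]
        for k in stale:
            del self._records[k]
        return len(stale)


if __name__ == "__main__":
    log = ScreeningLog()
    log.record("E1", "2020-08-03", 101.2, False)    # constructed sample input
    log.record("E2", "2020-07-01", 98.2, False)     # constructed sample input
    print(log.supervisor_view("E1", "2020-08-03"))  # not cleared
    print(log.purge("2020-08-03"))                  # 1
```

The point of the design is that the raw reading never has a place to live: `evaluate` is the only function that sees the temperature, and `ScreeningRecord` has no field to hold it, so a later "just keep it for now" change would have to add one and show up in review. In production the in-memory dictionary would be a database table with the same column set, the purge would run on a schedule, and `query` would log who read what.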

Disclosure and Use

Privacy laws often limit an employer’s ability to contact trace and notify its employees of positive or suspected COVID-19 infections. Though these regulations may ultimately inhibit containment of the pandemic, the California attorney general has reminded consumers of their privacy rights under the CCPA during COVID-19. Additionally, international regulatory bodies such as the EDPB have reiterated the full force of the GDPR during the pandemic, particularly as it relates to biometric and health information under article 9. The EDPB’s guidance also directs companies to consult member states’ national law regarding any public health exceptions for disclosure (as permitted under GDPR article 9).

Under a “Safety First” directive, a company would announce which employees have tested positive for COVID-19 to prompt the rest of the workforce to evaluate their own past interaction with that carrier. However, the ADA generally prohibits employers from sharing the results of a medical examination or a health-related survey. Providing such notice would break the confidentiality of those individuals’ medical records, amounting to a violation of EEOC regulations.

Under the EEOC guidance, only those who need the employee’s diagnosis to prevent the direct threat of COVID-19 to others in the workplace are authorized to be informed of the medical finding. For example, the person in charge of contact tracing will need to know the identity of the infected employee. Employers can also alert health authorities. By contrast, a supervisor should only be told that the employee is on leave without any further detail. In sum, a company must draw the line at medical confidentiality in its efforts to defend itself against the coronavirus.

The ADA’s rule largely prohibiting disclosure in these circumstances presents a challenge for employers who want to notify people about their potential exposure to COVID-19 but cannot do so without revealing the infected employee’s identity. As an example, a company may want to notify a client if the contact person with whom they interacted has subsequently tested positive for the virus. If only one employee interacted with the client, disclosure of a possible exposure necessarily also discloses the identity of the infected employee.

In its guidance, the EEOC recognizes that sometimes people will guess who the infected individual is, and advises that, even if the guesses are correct, the company should not confirm the person’s identity.

Companies could consider obtaining consent from the infected employee to share their name; however, the ADA does not list the employee's consent as a recognized exception or defense. If the employer feels strongly about getting in touch with the client, it should consult with counsel beforehand to discuss steps to mitigate the risk of relying on the employee's consent to the disclosure.

Still, express consent remains the best course for companies seeking to share information regarding an employee’s health status. Additionally, sharing and cooperating with health authorities is strongly encouraged and can shift contact-tracing responsibilities to those authorities.

Third-Party Contact-Tracing Applications

Several companies, including Apple and Google, have announced or released frameworks for exposure notification, in which devices exchange rotating, locally generated identifiers rather than names. In theory, this kind of pseudonymous contact tracing can resolve some of the issues related to privacy in the workplace. However, serious questions remain, both about how strong the anonymity and security guarantees really are (rotating identifiers reduce, but do not eliminate, the risk of re-identification) and from a policy perspective. Some businesses may choose not to contact trace and, instead, opt to notify the appropriate state regulators. For example, in its recently released "first-in-nation" emergency workplace COVID-19 safety standard, Virginia made clear that there is no duty for employers to conduct contact tracing. Companies seeking to encourage employees to use third-party contact-tracing applications must balance the privacy risks against the potential benefits to the workforce.

Health Questionnaire and Temperature Screenings

The EEOC has temporarily allowed temperature monitoring and other medical screening of employees (which are considered "medical examinations" and are not generally permitted) in light of the precautions the CDC has issued. Most states have also either required or recommended that employers monitor the temperatures of their employees during this pandemic. For example, all Kentucky companies must test employees daily, and those with a fever above 100.4 degrees may not report to work. New York does not require direct temperature screenings, but does require that employees respond to a daily questionnaire (which may require employees to certify that they took their own temperature before reporting to work) as part of the screening process.

Although the EEOC and many state and county jurisdictions permit (if not require) health screenings, they often offer no criteria or guidelines for administering a COVID-19-related examination other than that each test must be "accurate and reliable." Some states have offered more in-depth guidance. New York's Interim Guidelines for Office-Based Work During the COVID-19 Public Health Emergency outline several suggestions and practices, including the use of thermal cameras at entrances to identify employees for referral.

Employers should consult state-specific guidance regarding whether temperature screenings are mandatory and comply with any state notification requirements with respect to temperature screenings. Further, employers should ensure that third parties that conduct temperature checks on their behalf comply with applicable privacy requirements within their respective state.

It is also best practice to notify employees in advance of screening procedures and make available a documented process for conducting, accounting for and reviewing screening results regarding any symptoms associated with the virus. Employers should test consistently and deny entry based on the established COVID-19 indicators.

Conclusion

In these extraordinary times, the pressure to “get back to the office” may tempt some companies to reopen as soon as their city or state allows. Those companies should pause and take inventory of their privacy obligations along with medical precautions for the workplace.



Elizabeth McGinn, Amanda Lawrence, James Chou and David Rivera

Elizabeth E. McGinn, a partner at Buckley LLP, focuses her practice on assisting clients in identifying, evaluating and managing the risks associated with cybersecurity, internal privacy and information security practices, as well as those of third-party vendors. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent data security breaches and responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues.
Amanda R. Lawrence is a partner at Buckley LLP, where she assists clients in managing cybersecurity, privacy, information security and vendor risks and compliance, as well as evaluating and addressing potential data security incidents, including drafting consumer and regulator notifications. She is a frequent author and lecturer on litigation and compliance issues in financial services, including privacy, cybersecurity, data breach, mortgage origination enforcement and litigation, RMBS, class actions and FTC and other regulator priorities.
James C. Chou is an associate at Buckley LLP. He assists clients in a broad range of transactional and regulatory matters with a focus on cybersecurity and privacy issues, which include security incident management and response. Previously, he was a Defense Analyst and Senior Operations Research Analyst for the U.S. Army.
David Rivera is a regulatory attorney at Buckley LLP. His practice includes assisting clients with privacy, data security and information governance issues, as well as compliance with the California Consumer Privacy Act, the European Union’s General Data Protection Regulation, the New York Department of Financial Services Cybersecurity Regulation, the Children’s Online Privacy Protection Rule and state breach notification and security laws.
