As the COVID-19 pandemic continues its tragic path, many jurisdictions are beginning to ease stay-at-home restrictions, meaning employees who have been working from home will soon be asked to return to the office. Employers will consequently have a significant role in preserving the physical well-being of their workforce and the broader public. Either on their own or at the behest of public authorities, employers will implement multiple health and safety checks at the office, including appropriate social distancing, capacity restrictions, and cleaning protocols. Employees may be checked for symptoms of the virus, and if infected, required to be quarantined and, via contact tracing, have those they have been in contact with informed and quarantined as well.
Employers are likely to wonder what is acceptable with respect to personal information collected from employees. Can they require employees to report on their medical condition or the medical condition of their family members or other social contacts? Can employers share the identity of an infected employee with other employees? Can employers track symptoms and trace contacts and still be in adherence with ADA, OSHA, GDPR, or the host of other privacy regulations out there? Do employees have rights regarding this data collection? What should employers being doing to prepare for a return to the office?
This article considers current and potential contact tracing methodology in light of privacy regulations. It examines what regulations have to say regarding virus tracking and similar situations. Finally, it presents guidelines for best privacy practices in implementing contact tracing and symptom tracking of employees.
Methods of Contact Tracing and Symptom Tracking
Contact tracing is a tried-and-true method that involves identifying individuals who have contracted a virus and identifying and notifying individuals who have been in contact with that person during the time they were infectious. Notified individuals are advised of this contact (without identifying the infected individual by name), and provided with safety guidelines (self-quarantine, testing, etc.).
Contact tracing has been employed by public health officials (e.g., the Center for Disease Control) for decades, and typically involves a team effort of human intervention, with a “spider web” of evolving interviewing and warnings taking place, as contact is traced in all its extensions.
The coronavirus pandemic has created intensified interest in digital contact tracing solutions as well. For example, the German public health authority has employed the voluntary use of the Corona Datenspende (Corona Data Donation) app that allows individuals to voluntarily contribute health and location tracking information via fitness trackers. Apple and Google are currently engaged in a joint effort to develop contact tracing technologies that facilitate Bluetooth-enabled, anonymized, rapid exposure tracking and notification, with privacy protection by design. Contact tracing functionality will likely be built into forthcoming operating system updates to facilitate the accompanying apps.
While the digitalization of contact tracing holds much promise for future use in the general population, its adoption in the workplace in the immediate present is unlikely. Employers need immediate information about specific employees and the ability to trace their contacts in the event of infection. Personal data elements such as temperature, oxygen levels, family sickness, travel history, and contact history are needed in real time to facilitate work while maintaining the safety at the physical office location. Both employers and employees need this information for work to continue safely. The gathering of this information will be done, of necessity, on a human level, and some personal data related to the health of an employee will be collected and used by the employer and by public health authorities.
This raises some critical questions for employers about the lawfulness of virus-related personal data processing: Is it lawful to collect this personal information? What obligations do employers have to protect the individual’s privacy?
What the Current Regulations Say
The opinion of the European Data Protection Board (EDPB) and EU Data Protection Authorities is that the EU’s omnibus privacy law (the General Data Protection Regulation, or GDPR) is broad enough in scope to cover the lawful collection of personal information from individuals, including employees, for the limited purpose of containing the spread of COVID-19. The EDPB has indicated a general willingness to understand the uniqueness of the current situation, and to allow for contact tracing and associated tracking as related to the needs of the pandemic. It has stressed the need for voluntary user cooperation (consent), and the need for the data collection to be specific to pandemic-related concerns. In other words, the EDPB does not see a conflict between the requirements of the GDPR and the collection of virus-related data as long as employers and other organizations apply the Article 5 principles of data protection that underpin this regulation: Lawfulness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability.
The U.S. has a considerably more fragmented landscape of privacy regulation when compared to its counterparts in the EU and many other countries around the globe. The landscape includes federal regulation for certain sectors (e.g., healthcare, finance, and education), while at the state level privacy regulation is just beginning to pick up momentum as more and more states have drafted privacy bills similar to California’s recently enacted CCPA. While some of these state and federal regulators have issued some pandemic related guidance, there has not been a great deal of guidance addressing an employer’s privacy obligations as they prepare to return to work.
Nevertheless, there is some federal guidance that employers can rely on as they prepare a return to the office. For example, a federal definition related to the severity of a pandemic-like event does appear in the American With Disabilities Act (ADA). The ADA provides for allowances with respect to privacy and data collection in the context of a “direct threat, i.e., a significant risk of substantial harm, to the safety of employees.” Moreover, the U.S. Equal Employment Opportunity Commission (EEOC) has indicated that ADA guidelines likely consider the COVID-19 pandemic to fit this direct threat definition, and as such, companies may gather certain pertinent data about employees. This may include data on symptoms (such as fever, chills, cough, shortness of breath, or sore throat), but must refrain from information on chronic conditions, as this would violate laws regarding discrimination. Similarly, the EEOCC indicates that employers may not take preventative action based on age, pregnancy, or similar factors.
In addition to the federal guidelines from the ADA and the EEOC, the Occupational Safety and Health Act (OSHA) demands that employers ensure that work environments are “free from recognized hazards that are causing or are likely to cause death or serious physical harm. The guidelines are implemented and enforced on a state by state level. For example, the California division of OSHA maintains an Aerosol Transmissible Diseases standard that can likely be applied here.
In general, US law seems to indicate that data can be gathered for the purpose of protecting the work environment for employees. All federal and local state laws, however, demand that protections and limitations be put in force.
Across the board, when permitted, data collected on individual employees must be:
- Limited to data directly related to symptoms (and not age or chronic conditions)
- Disclosed only on a need-to-know basis (e.g., to public health authorities)
- Stored separately from existing employee records
- Kept secure throughout the life cycle
- Retained only for a specified period of time
- Disposed of securely when no longer needed
Further, as related to contact tracing:
- Contact tracing must be performed on an opt-in basis; i.e., employees must willingly provide information, and not have it automatically traced against their will
Employee Privacy Rights
What about employees? What are their rights with respect to the collection of their data related to the pandemic? Do they have rights to access, amend, or delete the personal information their employer collects from them? Do employees have a private right of action if they can demonstrate harm from misuse of the data or from a data breach?
On a basic level, employees have a right to a clean and healthy work environment, and per many implementations of OSHA law (e.g., Cal/OSHA), have a right to access information about a company’s injury and illness prevention programs, as well as exposure records, examination results, etc. When sought to investigate possible employer misdeeds or negligence, employees can request certain information, and not be discriminated against for making that request.
During normal circumstances, employees have a “right to access” under GDPR [effective 5/25/18] and CCPA [effective 1/1/21]. Right to access gives employees the right to request categories of personal data the company maintains about them. However, during a pandemic (e.g., an emergency situation) it’s unclear if employers will be given exemptions for fulling the request as well as meeting the required deadlines.
As for employees’ private right of action, this largely depends on the state in which they are employed. For example, New York does not have a private right of action, though the NY Attorney General may bring an action on behalf of employees. An employee in Michigan does not have a private right of action, but Washington State does. California employees do have this right under the CCPA, with damages amounting to anywhere between $100 to $750 per consumer per incident, or actual damages, whichever is greater. The ability to sue for damages resulting from data misuse or breach would have to be examined on an individual basis.
That being said, congressional discussion is underway regarding a drafted COVID-19 Consumer Data Protection Act. Among other features, this act would require employers to:
- Reduce data collected to the minimum level of “what is reasonably, necessary, proportionate and limited”
- Delete or de-identify personally identifiable information that is no longer used
- Ensure that collected information is protected against risks regarding confidentiality, security and integrity
- Not collect, process, or transfer geolocation, proximity, and personal health information without prior notice and express consent (individuals would be able to opt-out as well)
This legislative effort does not specifically address employee data subject rights outside of notice and choice, or private right of action, or even if the legislation will preempt existing state laws. It does, however, put into view a set of safeguards employers can take to be on the right side of regulatory expectations.
Best Pandemic Data Privacy Methods for Employers
Despite the lack of formal legislation specific to the issue of data collection (tracking and tracing) of employees during the pandemic, certain outlines seem to be emerging. While not guaranteed, following these guidelines are likely to protect employers in their efforts to protect their employees at the workplace, and protecting themselves from being on the wrong side of the regulatory equation.
In tracking employee COVID-19 related data, use the following guidelines:
- Plan ahead – Devise policies that will, to the best of your abilities, not conflict with existing employee data protections. Use privacy by design, privacy impact assessments, and related tools and strategies to ensure that policies and procedures are thought-through, efficient, effective, and compliant with existing and likely regulations.
- Be transparent – Explain the purpose and reasoning behind data collection. Explain the methodology in clear terms. Explain that personal data be protected and will not be used in a prejudicial manner. Explain how and where data will be kept, and who will be privy to it. Explain what rights employees have regarding the data.
- Get opt-in – Gain explicit employee permission to gather specific data, this is especially important for contact tracing.
- Minimize data collection – Make sure to only collect the minimum amount of information needed (e.g., symptoms, exposure to carriers, testing results, etc.), and to refrain from collecting other unnecessary information. Refrain from collecting information that may be considered discriminatory (e.g., pre-existing conditions).
- Separate data – Make sure to keep employee pandemic-related records completely separate from other employee data (e.g., work history, salaries, legal documentation, etc.). Further, ensure that pandemic-related employee data is stored securely, using strong technical and administrative safeguards.
- Have data retention/disposal rules – Limit the retention of data to specified time periods. Make sure to have a comprehensive and secure data disposal/destruction policy as well.
- Manage third parties – Use the same policies in dealing with physical workspace contact with third-party employees at your establishment. Convey the need for similar policies and procedures at theirs.
- Convey safety as a priority – Cooperation of employees and employers is crucial in ensuring maximum levels of workplace safety. Clearly expressing the priority of safety in this effort will go a long way toward gaining compliance and good will in this necessary effort.
Employee Rights to Health and Privacy
In these difficult and unusual times, having the health to return to a place of work, and having a place of work to return to, are cause for gratitude in themselves. Preserving physical and economic health are priorities.
Faced with the need to maintain the health of their employees and their businesses, while still maintaining the data privacy rights of employees, employers are faced with a challenge. While specific federal or state guidelines have not been explicitly detailed for the situation, understanding existing legislation as well as legislation under consideration, can provide a sense of best practices.
Returning to an office environment with the coronavirus defeated, vaccinated against, and ultimately eliminated will be the ideal end situation. Until that point, ensuring employee health, in an effective manner consistent with regulatory data privacy practices, is an admirable and achievable goal.
ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.
To learn more about data privacy concerns for CCPA enforcement and the return to the office, you may also be interested in watching our on-demand webcast How to Manage Privacy Concerns When Returning to Work.
How We Help
ACA offers the following solutions that can help firms enhance their cybersecurity in light of COVID-19 related cybercrime and maintain data privacy
- CCPA Resources
- GDPR Resources
- Free Online Cybersecurity Training
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Threat intelligence
- Cyber incident response planning
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.