How to Guard Employees’ Data Privacy in the Age of Covid-19

Companies are eager to get back to business as usual and leave Covid-19 behind. But re-opening the doors to your business and welcoming back your employees won’t be so straightforward.

Covid-19 is causing a new data privacy conundrum for employers. You’re expected to keep your work environment safe for all employees while not overstepping the boundaries of data privacy.

Before your employees even set foot in the office, you’ll probably want to ask them a bunch of questions that, pre-pandemic, would have been considered none of your business:

• Did you follow the quarantine guidelines?
• Have you been ill?
• What were your symptoms?
• Did you get tested for Covid-19?
• Did you test positive?
• Have you been around anyone who had Covid-19?

Once employees return to the office, you’ll want to get regular updates on their health, the health of those close to them, and their whereabouts:

• Are you washing your hands?
• Do you have a fever?
• Do you wear a mask in public?
• Where have you traveled?
• Has anyone close to you tested positive in recent days?

These may sound like reasonable questions when you’re sharing office space, elevators, rest rooms, and a coffee machine. But are these questions inappropriate, or even illegal? And, how do you store information about your employee’s health? This is uncharted territory.

Let’s look at a few easy steps you can take to be proactive about employees’ data privacy in the age of Covid-19.

1. Consult COVID-19 Guidelines for Employers

If your offices are in the United States, these resources are good starting points:

• CDC’s Guidance for Businesses and Employers Responding to Covid-19
• EEOC’s Pandemic Preparedness in the Workplace and the Americans with Disabilities Act
• OSHA’s Guidance on Preparing Workplaces for COVID-19
• HHS’s information on HIPAA and Covid-19

While it’s not within the remit of these federal agencies to address employees’ data privacy rights, they do provide guidelines for maintaining employee privacy during Covid-19 screening at the workplace and the confidentiality of employees who report positive test results for Covid-19. In addition, the CDC states that the Covid-19 pandemic meets the “direct threat” standard.

This is important because it allows employers or health professionals to have access to some employee health data that would otherwise be prohibited unless it poses a “direct threat.”

While these are extraordinary times, regulators are continuing to signal that privacy and data protection laws still apply

California Consumer Privacy Act (CCPA) Guidelines

When asked by trade groups to relax the July 1, 2020 date for CCPA enforcement, the California Attorney General’s office dug in its heels and reiterated the importance of data privacy:

“We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

GDPR Guidelines

The European Data Protection Board (EDPB), which administers GDPR, recently issued a statement on the processing of personal data in the context of the COVID-19 outbreak. First, the EDPB reminds us that GDPR had the foresight to include language that directly addresses employees’ data privacy in cases of pandemics. Second, the EDPB offers an even-handed response to Covid-19:

“Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”

2. Follow Privacy-by-Design Principles to Build Privacy Into Your Practices

Collect employee Covid-19 data only when absolutely necessary and know where you’ve stored it.

In such an unprecedented situation, it might seem acceptable to gather and share your employees’ personal health data for the greater good. But it’s not the time to “overshare” others’ information.

For example, when informing staff about a colleague who has tested positive for Covid-19, don’t give out the name of the employee and don’t disclose more information than necessary. GDPR refers to this as the data minimization principle—and it’s especially apropos for the current situation.

Another GDPR concept especially relevant today is Data Privacy Impact Assessments (DPIAs). DPIAs are risk assessments that GDPR requires of businesses that plan to process data that could result in a high risk to the rights and freedoms of individuals. Although there’s no mandate for conducting DPIAs for employees’ Covid-related health data, this type of risk assessment makes a lot of sense in the current situation. DPIAs, or similar assessments, can help to minimize data privacy risks and assure that all parts of your organization are transparent in their compliance.

If your company finds itself in possession of new types of sensitive employee health information, you may need to figure out where to store it. This data may not have a designated “home” in any of your existing systems and you’ll need to choose the proper place to store it. Should you keep it in your HR records? Should you create a new database? Will you know where to find it if you need to access it in the future? Know where you’ve stored the data and ensure you have proper data security measures in place to protect it.

3. Update Your Privacy Policies and Consider Opt-Ins

Updating your employee data privacy policies to address the use of Covid-related data is another preemptive step you can take to protect employee privacy and preempt ambiguities. Give employees notice of the policies at the time any of their health data is collected. They should be informed of how the data will be used, and if it will be shared outside of the company. You may want to consider also implementing an employee opt-in process if sensitive medical data is involved.

Data privacy may not be top of mind for your organization at the moment, but a few proactive measures will go a long way toward ensuring your company remains on good terms with employees and regulators in the post-Covid era.

Demonstrating transparent stewardship of your employees’ Covid-19 data will help you build trust and start off on the right foot when you return to the office.