Pandemic Planning: But What About the Other “P Word” in Your Re-opening Plans? (Hint: It’s Privacy)We are two months into the declaration of the COVID-19 pandemic, and a handful of states are starting to ease restrictions. With relaxation of the rules, employers are developing plans to re-open and bring employees back to the workplace. As this flurry of planning takes place, the focus (rightfully so) will be on keeping employees healthy, safe, and productive. What may not be getting as much focus right now is how to keep not just employees but their privacy safe as well.

You are likely thinking through plans to test, trace, and mitigate the spread of COVID-19 among your employees. This may include measures such as mandatory temperature checks, stricter sign-in/sign-out procedures, and even requiring employees to download apps that will track their movements throughout the day. While your intentions are good – for example if an employee tests positive, you can track exactly who else they came into contact within the days preceding the positive test – the results will include employers having responsibility for an enormous amount of personal data. Not only do employers have an obligation to keep employees safe, but they also have a legal obligation to properly handle this data too.

Is There an App for That and Should You Use It?

As with many business problems, lots of employers are looking to technology for a quick-fix solution. Some employers are considering electronic check-ins in which employees report that they feel fine or have begun exhibiting COVID-19 symptoms. The EEOC says such medical inquiries are acceptable (at least while COVID-19 poses a direct threat to health and safety) so the key will be to keep the collected information secure. Some employers are going a step further and considering apps that track an employee’s movements to help identify people who might have been exposed when someone tests positive. Whether you can require your employees to download an app to trace movements implicates all kinds of legal issues that are well beyond the scope of this post and will likely be addressed in legislation. If you can, here are some things we think you should consider.

First, employers should weigh the pros and cons of taking such a measure. The pros include enabling a much more detailed contact tracing of the virus if necessary. The cons include possibly risking employee privacy. Could you accomplish your goal with an old-fashioned sign in/sign out process? Do you need to track all employees or just some? Each employer will need to assess its particular situation.

Second, should you get employee consent rather than mandate tracking? Many states have passed laws that require an employer to get employees’ consent to track employee movements. Check to see if your state requires consent; even if it doesn’t, getting consent from employees is a good practice, just in case.

Third, you will need to consider if the device the employee is using is company-owned or personal. An employer has wide discretion to track activity on a company-owned device. Things get murkier on a personal device. If the personal device – for example a phone – is not used at all for work purposes, there is virtually no argument you can make for tracking employees using that device. If, however, you allow personal devices to be used for work, you may want to consider what is known as a Bring Your Own Device Policy (BYOD) that outlines what devices are being used, by whom, when, and where. With a BYOD in place, you can likely track employees’ activities outside of the office on personal devices, but that will depend on both your state’s law and getting the employees’ consent.

Finally, with all of these things in mind, you must consider the privacy aspects of the data you collect, whether in medical questionnaires or employee tracking. How will you ensure that employee data is securely stored? And what about medical information? Are you making sure any medical records are stored separately from individuals’ personnel files? Apps may seem like an “easy” fix to a hard problem, but they come with additional challenges that must be considered when creating re-opening policies.

Testing and Tracking

Many employers are opting for temperature checks as employees arrive to the workplace each day. Others are taking it a step further and planning for COVID-19 or anti-body testing of their full workforce. Regardless of your chosen testing and tracking plans, you need to be sure you are balancing the need to protect employees’ health and well-being with the need to implement effective testing and tracing that risks running afoul of not only employment discrimination laws, but data security laws too.

For example, imagine one of your employees tests positive for COVID-19. You send him or her home. Now what? You cannot disclose that person’s name (at least not without consent), but you want to be sure that you are protecting the safety and well-being of anybody that person has come into contact with in the past two weeks. This is where your contact-tracing plan kicks in. You need a way to effectively track the positive employee without disclosing their identity and while maintaining consistent security measures to protect the employee’s data. How are you storing that data? Where are you storing that data? What is your data retention policy for these types of records? Who has access to the data? Make sure you can answer all of these questions before implementing testing or tracking measures.

Additionally, you should be careful about treating that employee differently in the future because of the positive diagnosis. For example, after they have returned to the workplace with a clean bill of health, can you reassign them to a position that is less “social” or more “solitary” as a result of the prior positive test? On the flip side, given that they have already had the virus, can you treat them better than employees who have not tested positive? This would be tantamount to discrimination based on a medical condition. Is the fact that the person had COVID-19 a disability? Is the fact that someone has not had it a perceived disability? Do you want to be the company to test that theory in court or do you want to avoid such perceived discrimination?

If you aren’t convinced yet, it’s worth noting that even the federal government has begun to weigh in on how to protect the mountains of personal data being gathered in the process of fighting COVID-19. On April 30, Congress announced its plan to introduce a bill aimed at protecting consumer personal data. The bill will include measures requiring, for example, that companies receive affirmative opt-ins and allow individuals to opt-out of programs that collect, process, or transfer information regarding consumers’ personal health, geolocation, or proximity information. Additionally, the bill will require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. Such measures, while aimed at protecting consumers, should be considered when dealing with employee data as well.

So, what now?

The bad news is that there is no silver bullet. The good news, however, is that there are proactive steps that you can start taking right now to create thorough re-opening plans that also protect employee data and privacy.

  • Encourage voluntary participation in contact-tracing programs. Rather than immediately mandating employees download an app (for example), pitch contact-tracing programs to employees as voluntary. Most of your workers are just as worried as you are about getting sick and, when given the chance, may gladly participate in programs to mitigate risks for themselves and their coworkers.
  • Build ownership over the plan you create. Rather than forcing a top-down approach, consider surveying your employees to determine what they are most worried about when coming back into the workplace. Perhaps their worries and yours are different – this might create an otherwise invisible opportunity to cultivate trust (while protecting physical health and data privacy to boot).
  • This is a time to over communicate with your employees. Make sure they understand the policies and procedures you have created before they come back to the workplace. Offer the ability for questions and answers, host a webinar, post videos, schedule trainings, send carrier pigeons – just make sure you are communicating early and often about what is expected.

At the risk of repeating every article online, these are unprecedented times. While it can be tempting to go back to “business as usual,” it will be up to employers to create a “new normal” that protects not just employees’ health, but also their privacy.

Print:
EmailTweetLikeLinkedIn
Photo of Rachel M. LaBruyere Rachel M. LaBruyere

Rachel LaBruyere is a privacy and litigation associate in Bradley’s Charlotte office. She regularly advises clients on CCPA and GDPR compliance issues. Before joining Bradley, Rachel served as a Legal Intern in the United States Attorneys’ Office and an Appellate Litigation Intern in…

Rachel LaBruyere is a privacy and litigation associate in Bradley’s Charlotte office. She regularly advises clients on CCPA and GDPR compliance issues. Before joining Bradley, Rachel served as a Legal Intern in the United States Attorneys’ Office and an Appellate Litigation Intern in the Office of the General Counsel at the Equal Employment Opportunity Commission. Prior to law school, Rachel spent more than five years managing digital strategy for technology companies.

While in law school, Rachel gained a breadth of litigation experience working for the ACLU of North Carolina, the U.S. Attorney for the Eastern District of North Carolina, and the Equal Employment Opportunity Commission’s trial and appellate practices. View articles by Rachel.

Photo of Erin Jane Illman Erin Jane Illman

Recognized as a Board Certified Specialist in Privacy and Data Security Law by the State of North Carolina, Erin Illman is an experienced thought leader in privacy, security, and the integration of technology into business practices. Erin is co-chair of Bradley’s Cybersecurity and…

Recognized as a Board Certified Specialist in Privacy and Data Security Law by the State of North Carolina, Erin Illman is an experienced thought leader in privacy, security, and the integration of technology into business practices. Erin is co-chair of Bradley’s Cybersecurity and Privacy Practice Group and leads the Firm’s Fintech team. After practicing in Silicon Valley and the San Francisco Bay Area for over a decade, Erin uses her deep experience with California state regulations to help clients navigate privacy and security concerns, consumer protection laws, as well other challenging legal matters that arise in the privacy space. She regularly advises clients on CCPA, GLBA, GDPR, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws.

Photo of Anne R. Yuengert Anne R. Yuengert

Anne Yuengert works with clients to manage their employees, including conducting workplace investigations of harassment or theft, training employees and supervisors, consulting on reductions in force and severance agreements, drafting employment agreements (including enforceable noncompetes) and handbooks, assessing reasonable accommodations for disabilities, and…

Anne Yuengert works with clients to manage their employees, including conducting workplace investigations of harassment or theft, training employees and supervisors, consulting on reductions in force and severance agreements, drafting employment agreements (including enforceable noncompetes) and handbooks, assessing reasonable accommodations for disabilities, and working through issues surrounding FMLA and USERRA leave. When preventive measures are not enough, she handles EEOC charges, OFCCP and DOL complaints and investigations, and has handled cases before arbitrators, administrative law judges and federal and state court judges. She has tried more than 30 cases to verdict. View articles by Anne