We are two months into the declaration of the COVID-19 pandemic, and a handful of states are starting to ease restrictions. With relaxation of the rules, employers are developing plans to re-open and bring employees back to the workplace. As this flurry of planning takes place, the focus (rightfully so) will be on keeping employees healthy, safe, and productive. What may not be getting as much focus right now is how to keep not just employees but their privacy safe as well.
You are likely thinking through plans to test, trace, and mitigate the spread of COVID-19 among your employees. This may include measures such as mandatory temperature checks, stricter sign-in/sign-out procedures, and even requiring employees to download apps that will track their movements throughout the day. While your intentions are good – for example if an employee tests positive, you can track exactly who else they came into contact within the days preceding the positive test – the results will include employers having responsibility for an enormous amount of personal data. Not only do employers have an obligation to keep employees safe, but they also have a legal obligation to properly handle this data too.
Is There an App for That and Should You Use It?
As with many business problems, lots of employers are looking to technology for a quick-fix solution. Some employers are considering electronic check-ins in which employees report that they feel fine or have begun exhibiting COVID-19 symptoms. The EEOC says such medical inquiries are acceptable (at least while COVID-19 poses a direct threat to health and safety) so the key will be to keep the collected information secure. Some employers are going a step further and considering apps that track an employee’s movements to help identify people who might have been exposed when someone tests positive. Whether you can require your employees to download an app to trace movements implicates all kinds of legal issues that are well beyond the scope of this post and will likely be addressed in legislation. If you can, here are some things we think you should consider.
First, employers should weigh the pros and cons of taking such a measure. The pros include enabling a much more detailed contact tracing of the virus if necessary. The cons include possibly risking employee privacy. Could you accomplish your goal with an old-fashioned sign in/sign out process? Do you need to track all employees or just some? Each employer will need to assess its particular situation.
Second, should you get employee consent rather than mandate tracking? Many states have passed laws that require an employer to get employees’ consent to track employee movements. Check to see if your state requires consent; even if it doesn’t, getting consent from employees is a good practice, just in case.
Third, you will need to consider if the device the employee is using is company-owned or personal. An employer has wide discretion to track activity on a company-owned device. Things get murkier on a personal device. If the personal device – for example a phone – is not used at all for work purposes, there is virtually no argument you can make for tracking employees using that device. If, however, you allow personal devices to be used for work, you may want to consider what is known as a Bring Your Own Device Policy (BYOD) that outlines what devices are being used, by whom, when, and where. With a BYOD in place, you can likely track employees’ activities outside of the office on personal devices, but that will depend on both your state’s law and getting the employees’ consent.
Finally, with all of these things in mind, you must consider the privacy aspects of the data you collect, whether in medical questionnaires or employee tracking. How will you ensure that employee data is securely stored? And what about medical information? Are you making sure any medical records are stored separately from individuals’ personnel files? Apps may seem like an “easy” fix to a hard problem, but they come with additional challenges that must be considered when creating re-opening policies.
Testing and Tracking
Many employers are opting for temperature checks as employees arrive to the workplace each day. Others are taking it a step further and planning for COVID-19 or anti-body testing of their full workforce. Regardless of your chosen testing and tracking plans, you need to be sure you are balancing the need to protect employees’ health and well-being with the need to implement effective testing and tracing that risks running afoul of not only employment discrimination laws, but data security laws too.
For example, imagine one of your employees tests positive for COVID-19. You send him or her home. Now what? You cannot disclose that person’s name (at least not without consent), but you want to be sure that you are protecting the safety and well-being of anybody that person has come into contact with in the past two weeks. This is where your contact-tracing plan kicks in. You need a way to effectively track the positive employee without disclosing their identity and while maintaining consistent security measures to protect the employee’s data. How are you storing that data? Where are you storing that data? What is your data retention policy for these types of records? Who has access to the data? Make sure you can answer all of these questions before implementing testing or tracking measures.
Additionally, you should be careful about treating that employee differently in the future because of the positive diagnosis. For example, after they have returned to the workplace with a clean bill of health, can you reassign them to a position that is less “social” or more “solitary” as a result of the prior positive test? On the flip side, given that they have already had the virus, can you treat them better than employees who have not tested positive? This would be tantamount to discrimination based on a medical condition. Is the fact that the person had COVID-19 a disability? Is the fact that someone has not had it a perceived disability? Do you want to be the company to test that theory in court or do you want to avoid such perceived discrimination?
If you aren’t convinced yet, it’s worth noting that even the federal government has begun to weigh in on how to protect the mountains of personal data being gathered in the process of fighting COVID-19. On April 30, Congress announced its plan to introduce a bill aimed at protecting consumer personal data. The bill will include measures requiring, for example, that companies receive affirmative opt-ins and allow individuals to opt-out of programs that collect, process, or transfer information regarding consumers’ personal health, geolocation, or proximity information. Additionally, the bill will require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. Such measures, while aimed at protecting consumers, should be considered when dealing with employee data as well.
So, what now?
The bad news is that there is no silver bullet. The good news, however, is that there are proactive steps that you can start taking right now to create thorough re-opening plans that also protect employee data and privacy.
- Encourage voluntary participation in contact-tracing programs. Rather than immediately mandating employees download an app (for example), pitch contact-tracing programs to employees as voluntary. Most of your workers are just as worried as you are about getting sick and, when given the chance, may gladly participate in programs to mitigate risks for themselves and their coworkers.
- Build ownership over the plan you create. Rather than forcing a top-down approach, consider surveying your employees to determine what they are most worried about when coming back into the workplace. Perhaps their worries and yours are different – this might create an otherwise invisible opportunity to cultivate trust (while protecting physical health and data privacy to boot).
- This is a time to over communicate with your employees. Make sure they understand the policies and procedures you have created before they come back to the workplace. Offer the ability for questions and answers, host a webinar, post videos, schedule trainings, send carrier pigeons – just make sure you are communicating early and often about what is expected.
At the risk of repeating every article online, these are unprecedented times. While it can be tempting to go back to “business as usual,” it will be up to employers to create a “new normal” that protects not just employees’ health, but also their privacy.