by Chris Bowen
Chief Privacy & Security Officer and Founder
As employers begin the cautious steps to reopen their doors to employees, we hear and see many suggested practices that should be reviewed under the lens of privacy, security, and ethics, in addition to employment law and HR.
As an employer, do I have the right to require that you, as an employee, submit to thermal temperature scans before coming into the office each morning? Probably. Can I use data from your phone for contact tracing to see where you have been on weekends? Probably not, unless I bought your phone and you are an on-call 24/7 employee, and I own that data. What if you don’t agree? Consider that many states provide employers with the right to fire/hire “at-will,” provided they are not infringing on protected status under the law. Even so, an unhappy employee who believes they have been wronged may still bring a lawsuit. These issues can get complicated quickly.
Sorry, but I'm just getting started on the complexities. As an employer, am I governed by HIPAA in handling an employee's temperature scan records? Probably not, because I'm likely not a "Covered Entity" under HIPAA. The employee temperature scan data is not likely part of his/her healthcare treatment, payment for healthcare services, or part of healthcare operations. Regardless, employer and privacy laws protect personally identifiable information (PII) - a fact that will cause an employer big problems if ignored.
Employment law covering PII, as well as state laws addressing data breach notification, vary state-by-state. If you don’t know yours, here’s a shout out to the Mintz privacy law tracker available online to get you started on the path to learning more.
Most employers realize their employees are their most valuable asset, and there are things employers can do to convey that during this unprecedented turn of events.
A great company will engage their privacy, HR, and legal resources to protect their employees from the spread of the virus and the spread of their PII while protecting the good health of all of those in their office space.
Before any employer embarks on a program like this, they should communicate clearly and effectively to their employees with transparency about the “data lifecycle”, including:
- What the process is, what data is collected and when will it be collected
- Why the data is being collected
- Who will have access to the data (minimum necessary rule applies)
- How the information is being stored and shared, and with whom is it shared
- How the information is being secured
- When and how the information will be destroyed (Again, state laws may apply).
The entire program should be centered around disclosure and consent. It should involve privacy and HR leaders to ensure the data isn’t just being placed in a file on a desk or a storage bucket in the cloud with improper security to protect privacy. Sadly, I think we are going to see news stories of compromised employee information due to misconfigurations, criticality analyses, restriction, and identity access management, and other principals of good security and privacy that were overlooked.
But we’re not done once we address the legal questions. Next, the ethical questions that come into play rise as quickly as the number of COVID-19 cases. What if an employee is taking medication that may alter their ‘standard’ temperature? Are they now obligated to share personal health information to explain the abnormal temperature?
Employers and employees want to get back to work together and collaborate face-to-face. While intentions might be good in putting measures in place to monitor employees' conditions, it's important to make sure respect for employees' privacy is taken into account. Where possible, it’s also good to implement alternatives to protect the group health should one measure feel invasive to a specific individual.
Then, there is the most important privacy question...can an employer require an employee, even if asymptomatic, to divulge whether he/she has tested positive or if they have been exposed to someone who has? At this point, the employee has an opportunity to do the right thing. The COVID-19 pandemic has killed nearly 700,000 people worldwide to date. Privacy rights aside, the employee has a duty to humanity to disclose a positive test result or whether they have been exposed to someone who has. Regardless, the employer has a right to require disclosure under the Americans with Disabilities Act.
Epstein, Becker, and Green summed up the legal issue on this topic well, here. It’s worth taking a moment to read through this brief document and share it with your HR team.
The bottom line is, these are complicated scenarios for complicated times, but the basic privacy and security tenets that have been applied to PHI and PII for some time still stand the test. Follow the best practices, and you, as an employer, are better prepared to protect your talent and your organization. Let's be safe, let's value health AND privacy, be secure, and in our haste to stop spread let's not throw caution to the wind when it comes to the ethics of protecting each individual's privacy rights.