Employers all over the world are grappling with how to balance considerations of workplace privacy and safety amidst the implementation of new practices aimed at preventing the spread of COVID-19. Although it is not the first time individual privacy has been curtailed in favor of public safety, brand new questions arise in the context of an individual’s health privacy. Amidst all the uncertainty, the classic privacy principles of notice, consent and data minimization can supply a reliable foundation for creating or updating work-from-home policies and procedures.
Whether an employer is reaching out to the employee for personal information or wondering whether to disclose a case of COVID-19 exposure or infection, a guiding principle should be that if information is not really necessary, then it shouldn't be collected or disclosed. Even if it may be appropriate to collect or use the information internally, employers must then wrestle with whether or not to disclose certain information about a colleague or family member.
To help guide employers through these challenging issues, we surveyed multinational approaches being developed under the most restrictive laws and regulations applicable to privacy in the workplace. Our review included, for example, recent statements issued by regulators in countries operating under the EU’s General Data Protection Regulation (GDPR) and the confidentiality restrictions in the Americans with Disabilities Act (ADA).
Absent consent as the basis for collecting and/or disclosing health information, there is no harmony about the issue across the European Union. Italy and France are generally opposed to collection and disclosure, while Ireland is more flexible. We are still waiting for the European Data Protection Board to weigh in.
Under the ADA, the employer should make every effort to protect the individual’s medical confidentiality while still providing sufficient information to the workplace for other employees to take appropriate steps. In almost every case, this can be done without sharing the name of the person who was infected.
The general rule (except in cases of express employee consent) is that an employer should not disclose the identity of an employee diagnosed with or suspected of having coronavirus. The ADA requires employee medical information to be kept confidential, and it may only be shared in very limited circumstances. Moreover, an inaccurate or false disclosure of someone’s coronavirus status could potentially subject an employer to common-law defamation or invasion of privacy claims.
Many emerging privacy laws also generally require companies to undertake impact assessments to identify what information they hold and the risks of maintaining or disclosing that information. While not specific to the collection of health information under the conditions of a global pandemic, the underlying principles of a privacy impact assessment can be applied to help businesses respond to the novel issues posed by their coronavirus response efforts.
Last, even though employees and contractors are exempt from the protections of the California Consumer Privacy Act (CCPA), their personal data (including health data) will be protected starting in January 2021—unless the exemption is extended or the CCPA is permanently amended to exclude employees and contractors. Employers are advised to act conservatively, keeping in mind that their information collection practices will come under scrutiny by regulators in California and any other state that passes a similar law during the pandemic.
Given the lack of uniform positions among regulators and lawmakers on these issues, we advise employers to only collect and disclose COVID-19–related information from employees or contractors under circumstances of “notice and consent.” In the FAQs below, we discuss various circumstances under which notice and consent would be appropriate.
Further, even if some global or domestic laws do not apply to your business, we suggest undertaking a privacy impact assessment as a best practice to help identify unique privacy risks arising under circumstances of a global pandemic.
We coordinated the above global compliance frameworks with U.S. law to answer some of the most frequently asked questions arising under these circumstances.
Can I issue a survey requesting health data in relation to COVID-19 from employees or from visitors to my business?
You have a legitimate business reason to gather COVID-19–related health information from your employees to fulfill your obligation to protect your employees’ health. However, that doesn’t necessarily mean you need to gather lots of information about them. A best practice for respecting the privacy of this information is to ask all employees to sign and return a survey to HR that provides notice, and obtains consent, for information to be collected about COVID-19 symptoms or a positive diagnosis. The notice and consent should also address your business’s practices of disclosure as required or allowed by law.
The survey approach should help you minimize the information you need to collect. For example, it’s reasonable to ask employees and contractors to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms, or have tested positive.
If that’s not enough—if your customers and/or the nature of your operations (e.g., food delivery services) requires you to collect specific health data—then practice data minimization and do not collect more than you need. For example, health information about anyone whom the employee or contractor lives with should only be collected on a voluntary basis.
Once the data has been collected, make sure that it is treated with the appropriate controls and is not accessible to those who do not have a need to know.
Can I tell my staff that a colleague may have contracted COVID-19?
Yes. You have a duty of care and an obligation to ensure the health and safety of workplace employees and contractors, as well as those who make contact with persons in your place of business. Therefore, you should keep staff, and customers with whom they regularly make contact, informed about cases in your company. However, you needn’t reveal the employee’s identity, and you shouldn’t provide more information than necessary.
An additional notice and consent form should be used to request disclosure of additional specific information, such as the employee’s or contractor’s identity, on a case-by-case basis. Decisions about enhanced information disclosures should be centralized, to ensure consistency throughout your business and to make sure that disclosure is reasonable and proportionate in terms of which information is disclosed and to whom.
When a central decision has been made to make enhanced disclosure, your HR department should, as a best practice and as a matter of courtesy, let the affected employee know of such disclosure in advance.
Can I share employees’ health information with authorities for public health purposes?
Generally, yes. It’s unlikely your business will have to share information with authorities about specific individuals, but if it is necessary, then you should check to be sure that an exception applies allowing for disclosure of additional specific health information to protect against serious threats to public health.
Michael Best & Friedrich’s COVID-19 Task Force is standing by to assist you in navigating these workforce privacy issues while maintaining workforce safety and health. Please reach out if we can help with privacy compliance or other issues during the ongoing challenges caused by COVID-19.