The landscape of data privacy and security laws in the United States is challenging in the best of times, as they change and shift frequently. I refer to data privacy and security laws as a patchwork quilt as they have been implemented by both the federal government and state legislatures in an ad hoc manner as technology advances and privacy concerns become more mainstream.
Most data privacy laws relate to personal information that companies collect from consumers; few data privacy laws address the collection of data from employees. Please note that this article only discusses the collection of information from employees from a data privacy perspective. It does not discuss other laws that may be applicable to the collection of data from employees, such as the Occupational Safety and Health Act (OSHA) and the Americans with Disabilities Act.
Against the backdrop of the coronavirus pandemic, many companies are, for the first time, collecting private information from their employees, including health information such as temperature screenings and health questionnaires, to assist with a safe transition from working at home back to the workplace.
In doing so, there are several data privacy laws and principles that companies may wish to consider when determining how they will collect, use, disclose and maintain this employee data.
This article is designed to address the balance between collecting health information from employees to maintain a safe workplace and those employees’ privacy concerns. It is meant to challenge companies to treat this information differently and to be more strategic in how the information is collected, used and retained. Simply put, companies may wish to carefully balance the need to collect data from their employees to provide a safe workplace against protecting their employees’ privacy. I further posit that companies may wish to consider not retaining the coronavirus health screening information collected from employees in the employees’ personnel files.
Using a Privacy Impact Assessment
When determining what information an employer needs to obtain so it may provide a safe working environment for all employees as required by OSHA, employers can use a privacy impact assessment (PIA). A PIA is designed to assist with decisions about the scope of a collection of personal information: collecting only the minimum amount necessary to serve the purpose of the collection and, correspondingly, considering how the collection impacts the privacy of the individual whose information is being collected.
In this context, when an employer is deciding what information it needs to collect from its employees to transition workers from home to a safe work environment, it should consider collecting only the minimum amount necessary to provide a safe work environment.
As an example, an employer may believe that a temperature screening is an appropriate data element to collect from an employee prior to allowing the employee to physically work in the workplace. When using a PIA, the employer considers different questions before it decides that a temperature screen is a data element that is necessary for its purpose (a safe work environment) and whether the privacy of the employee is balanced against the need to obtain the information.
Some questions to consider when completing the PIA may include “How reliable is a temperature reading to predict if someone has COVID?” “How do I collect the temperature information?” “Do we take the temperature of the employee at the workplace, or do we allow the employee to take his/her own temperature at home before coming into the workplace?” “If we take the temperature at the workplace, is the information identifiable?” “What do we do with the information after we take it?” “Is it stored on a device?” “Is it shared with others?” “Is it aggregated with other information?” “Is it re-identifiable?” “How long should it be retained?”
Privacy from an Employee’s Viewpoint
From an employee’s perspective, this new collection of health information can be daunting and “big brotherish.” Most employees will voluntarily provide this type of information to their employers as good corporate citizens because they want to work in a safe environment and are relying on their co-workers to do the same.
Some questions employees may have about the collection of their temperature may include “Does my employer actually need to know what my temperature is on a daily basis or just know that I don’t have a temperature?” “Once they obtain my temperature, where is that information going?” “Is my employer disclosing that information to others in the company or to a third party?” “Where are they storing that information and for how long?” “Are they putting it in my personnel file? If so, why?” “Do they really need to retain it at all?”
These questions, from both the employer and the employee, help the employer determine whether the collection is necessary for the purpose, and how to collect, use, disclose and retain the information.
Whatever decision the company makes, it should take a reasoned approach: collect only the minimum amount of information necessary for the company’s purpose, and retain the information only for as long as it is needed for that purpose.
In addition to temperature information, many employers are requesting that employees complete a health screening questionnaire prior to physically arriving at the workplace. As with temperature scans, for many companies and employees, this is the first time employers have asked employees for health information on a daily basis.
Although this information may be important for assessing and maintaining a safe workplace, prior to deciding to use health questionnaires, employers may wish to apply a PIA to determine the minimum amount of information necessary to obtain from the employee for the purpose of providing a safe workplace, and to ensure that it is retained only for the amount of time necessary for that purpose, consistent with the above analysis.
Many employees may be uncomfortable providing health information, such as a daily temperature log or a health screening questionnaire, to an employer and may see it as an invasion of privacy.
To make employees feel more comfortable with the collection of this sensitive data, it is important to be transparent with employees about why the information is being collected, how it will be used, that it will be kept confidential, and that it will be destroyed when it is no longer needed.
Return to Work Program
Documenting a return to work program, provided to your employees and outlining the collection, use, disclosure and retention of the data collected from them, will help employees feel more comfortable that the employer has taken their privacy concerns into consideration. If a company has employees who reside in California, the California Consumer Privacy Act (CCPA) requires employers to notify employees about the categories of personal information that they are collecting from employees, the purpose for which the information is being collected, how it is used and disclosed, and how long it is retained. Health information is included in the definition of “personal information” in CCPA, so employers may wish to include COVID-19 screening information in their notices to California employees. Whether or not you have employees who reside in California, and whether or not a law requires it, determining how much information you will collect, how you will use and disclose it, how you will store it, and how long you will retain it is important information to provide to your employees.
In addition to completing PIAs to determine what information to collect from employees, when implementing a return to work program, care should be taken in how the company’s data retention and destruction program applies to health data collected from employees during the pandemic. This health information is being collected and used for one purpose: to maintain a safe workplace. A temperature taken today, even if elevated, or a health questionnaire completed today may not be relevant tomorrow, or in 14 or 30 days, in the context of maintaining a safe workplace.
I posit that companies should take time to consider how this information fits into the existing data retention program and should not, by default, include this data in personnel records. Consider keeping this information separate and apart from personnel records, as it is being collected for a limited purpose and used for only a short period of time. Unless a state or federal law requires that these records be retained for a specific purpose or amount of time (as of this writing, I am not aware of any), this information should be destroyed when it is no longer relevant. Destruction of the information protects the privacy of employees.
There are data retention laws that require personnel records to be kept for a substantial period of time. Obviously, it is important to comply with laws that may be applicable, and you should consult with your attorney to determine how to include these records in the company’s data retention program. Consider treating this information in the context in which it is being collected when determining how long to retain it. It is being collected for a limited purpose and is only necessary for a limited amount of time. Don’t just automatically include these records in personnel files because you don’t know where else to put them and don’t want to take the time to consider the limited collection purpose and the privacy concerns of employees.
In conclusion, when considering the collection of health information from employees during the pandemic, take the time to consider the minimum amount of information needed to maintain a safe workplace; be transparent with your employees about the purpose of the collection and how the information will be collected, used, disclosed and retained; and determine how the information fits into the company’s data retention and destruction program.
Everyone wants to be a good corporate citizen and assist with maintaining a safe working environment, but balancing employees’ privacy in a thoughtful way during this unusual time is worthy of consideration.
Linn Freedman is Chair of the Data Privacy + Cybersecurity Team at Robinson & Cole, LLP. She focuses her practice on compliance with all state and federal data privacy and security laws and regulations, as well as emergency data breach response, mitigation and litigation.