Part 1: COVID-19 Privacy Q&A with Jodi Daniels
July 21, 2020
Part 1: COVID-19 Privacy Q&A with Jodi Daniels, CIPP/US
Founder of Red Clover Advisors & Evident Advisor
Q: What’s the one thing that nobody is talking about when it comes to privacy during a pandemic?
A: I believe there are two, and one is more important than the other.
The big one is related to health monitoring which is being used to help employees returning to work safely. Most privacy and security experts are aware of this issue, but those who don’t work in that space may not realize that if they’re allowed to take their employees’ temperatures and ask them sensitive health-related questions to stop the spread of the virus, they need to know where they’re storing that data, how they’re going to protect it, and what they’re going to do with it long-term. I’ve had business owners ask me if they can store their employees’ health data in a random spreadsheet, and I have to ask them questions like:
- Where will this spreadsheet live?
- Who has access to it?
- Is it password-protected?
- Is it connected to a personnel file?
For someone who understands law, security, and privacy, it’s a no-brainer that you’d secure a document with sensitive health data, but for a regular business that’s overwhelmed with just trying to stay afloat – they’re considering PPE, they’re practicing social distancing, they’re just trying to get people back into the building safely – securing a spreadsheet is an afterthought.
The second big privacy concern involves tracking online searches. Consumers are starting to realize that anything they click becomes part of a larger digital profile. Now, if someone starts researching COVID-related terms for themselves or a family member – like “COVID and diabetes” for example – this will also be collected and connected to your digital footprint. This starts getting into the essence of the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and even Vermont’s Data Broker Regulation.
With these laws, individuals can say “This is my data, and you should inform me of what you’re doing and give me choices,” but what choices do we really have? Are the data-hungry companies that are collecting my search terms excluding my COVID-related searches, or are they connecting the dots? We’re so worried about contact tracers knowing if we have the virus, but what about everything else? The answer is that we don’t really know.
The idea of digital data privacy and what that means is eye-opening. Am I okay with someone collecting my COVID-related search terms for the greater good of public health? Am I okay with it, but only if it excludes my name? What about digital identifiers that tie my search terms directly to my digital identity? Laws like GDPR and CCPA ensure that a business has to tell you what they’re doing with your search data and the individual still has rights in the event of a data breach.
During a pandemic, all employees are at the forefront, and Americans will begin to wonder why they don’t have the same rights to access their data as Californians, or EU residents. A new national COVID law (CCDPA) was introduced back in May, but it’s now July, and still, nothing has passed, so it’s unclear if anything will ever happen to regulate how we’re being tracked online.
Q: What are the top privacy considerations for organizations using health monitoring to prevent the spread of COVID-19?
A: New guidelines, like the ones introduced by the EEOC, allow companies to ask their employees health questions and conduct non-invasive temperature checks to determine if an individual is fit to do their job, and to make sure they don’t have the virus because it’s considered harmful to others in the workplace.
If, for example, an employee opts out of health monitoring for religious reasons, the employer can get into a legal quagmire. The business has to balance which risk it wants to take, especially if the organization employs a lot of individuals who could be at risk because of the one individual who won’t consent to a health monitoring survey. We live in a ridiculously litigious society, and companies need to balance their legal risks. If an employee can prove that they contracted COVID on the job, they can sue the company for not taking the right precautions.
Companies do not need to require employee consent to conduct health monitoring, but it’s important to ask experts how your business can do this properly. California says you need to provide employee notice. Other states say that you need to provide EEOC, OSHA, or FFCRA notices to employees.
When it comes to privacy, you have to put employees first. Companies should consider having an employee privacy notice that explains how they’re collecting this type of information, what they’re doing with it, and how they’re protecting it. CCPA and GDPR both require employee privacy notices, but this should be considered best practice for employees regardless of where they live. Privacy notices should address employees’ concerns, which might include:
- I won’t be able to work if I provide certain health data, and I won’t get paid.
- I don’t want to get sick at work.
- I don’t want to be singled out or shamed in the workplace if I get the virus.
- I don’t want to lose my job if I don’t participate in health monitoring.
- I don’t want to share my health data with the rest of the company, especially if I test positive for COVID.
Organizations have an obligation to inform authorities of positive cases for traditional contact tracing purposes, but legally, companies can’t share the names of employees who test positive for the virus with the rest of the company, though some of the employee’s co-workers might notice if they’re not at work for a few weeks, and may deduce that that individual has been asked to quarantine.
Businesses also need to think about how they’re going to conduct temperature checks for health monitoring. If a thermometer flags an individual with a high temperature in front of a lot of people, that’s a huge violation that makes employees feel like the company is invading their privacy. We spend so much time focused on paper and digital privacy, but actual physical privacy matters too. Companies need to think about how they’re going to test and keep it private. It’s one thing to do it and not release that information to the public, but if it’s happening in the entrance to the workplace, everyone can see you.
The other consideration here is security. An employees’ health data needs to be separate from their personnel file, but could be added to their medical file. If an employee has a preexisting condition, HR can include it with that, and should only keep it until the business is able to get to a place where they can minimize risk… which could be awhile, but it should not be kept for years on end. Regular companies don’t need all of this information for data or research purposes, and they shouldn’t sell that data to a researcher either. If the CDC decides they want access to all of this information, that’s a different conversation, but right now, companies should not be sharing employee health monitoring and testing information with anyone else.