Bloomberg Law
May 11, 2020, 9:19 AM

ANALYSIS: Covid Safety Measures May Mask Worker Privacy Risks

Dori Goldstein
Dori Goldstein
Legal Analyst

Before the pandemic hit, high-profile data breaches and evolving state laws were forcing businesses to take a hard look at how they collect and protect employee data. Now, as the country moves toward reopening, it may be tempting for businesses to prioritize safety over privacy. But the privacy landscape hasn’t changed, which means that employers will have to find ways to protect both.

That won’t be an easy task for employers: The pandemic is forcing businesses to handle more information about employee health than ever before and manage untested tech solutions that promise to improve worker safety, all while somehow balancing federal laws and an increasingly complex patchwork of state laws that require businesses to protect worker privacy.

Health Information

Most businesses are doing their best to protect their workforce and, for many, that means requiring workers to undergo health screenings and to disclose if they show symptoms of Covid-19, as well as notifying workers if they’ve been exposed to the virus at work. These practices have undeniable benefits, but employers need to implement them with caution to avoid liability down the road.

Fairly early in the pandemic, the Equal Employment Opportunity Commission released guidance acknowledging that Covid-19 could create a direct threat as defined in the Americans with Disabilities Act and, thereby, give businesses a little more leeway in the health information they could require from employees. The guidance did not, however, allow employers to set aside the ADA entirely. The ADA’s provisions requiring employers to keep employee health information private and separate from other records remain intact.

This obligation means that employers implementing temperature screening need to implement practices and procedures to protect employees’ privacy and comply with the ADA. At the very least, temperature checks and other medical inquiries need to be private and records should be secured and kept separate from employee personnel files.

It also means that employers are required to keep employees’ symptoms and diagnoses private. Employers that want to comply with recommendations from the Centers for Disease Control have to walk a tightrope: They can tell their workforce that someone has Covid-19, but they can’t reveal that worker’s identity. It’s a solution that makes contact tracing difficult, and does little to protect the privacy of workers in smaller businesses.

Can Tech Save the Day?

Many businesses are considering using proximity-tracking wristbands and smartphone applications to help mitigate the spread of Covid-19. Contact tracing has long been a part of stopping the spread communicable diseases, and the tech solutions offer to do it better.

These tech solutions promise to vastly improve employers’ ability to keep employees informed about their virus exposure while limiting the amount of health information that employers have to manage. But they come with risks.

These tools work by combining public health information and unique Bluetooth identifiers associated with a device to notify people when they’ve been close to someone with the virus.

The risks? Initial versions of applications designed by Apple Inc. and Alphabet Inc.‘s Google have been released to health officials, but there isn’t a lot of transparency about how the data is protected. That uncertainty becomes even more problematic when you consider that most workers keep their phones with them all the time—not just when they’re at work—giving employers access to a host of information they wouldn’t otherwise have.

State Laws Add Complexity

Employers in some states, like California, New York, and Illinois, are facing additional legal stumbling blocks.

California employers must make careful decisions about the employee data they collect. While the state’s landmark privacy law, the California Consumer Privacy Act, exempts employers from most requirements relating to personal information collected in the employment context, it still requires employers to inform employees of the categories of personal information they collect.

Even more, if the CCPA’s employment exemption expires as scheduled on Jan. 1, 2021, all of the law’s provisions will apply to the collection of personal information in the employment context—including the 12-month “look-back” provision. So employers subject to the CCPA should be aware that any coronavirus-related information collected now, such as employee health information and employee proximity tracing, could potentially be subject to the look-back provision.

New York employers have to comply with the recently-effective SHIELD Act, which requires employers to implement administrative, technical, and physical safeguards to protect employee data. The law, which became effective in October 2019, now requires employers to implement cybersecurity programs.

Illinois employers have to contend with the state’s Biometric Information Privacy Act, which prohibits any private entity— including an employer—from collecting, storing, or using biometric identifiers or information without providing prior notice to and obtaining a written release or consent from the subject.

BIPA is tricky in the Covid-19 context. It prohibits employers from using facial recognition to improve security or ensure workers are wearing masks, and it raises questions for employers that might want to use thermal screening to check employee temperatures.

Finding the Balance

Most employers are doing their best to protect their workforce, but they can’t ignore employees’ privacy rights in the process. The pandemic doesn’t shield employers from liability if they collect or handle employee data incorrectly in the name of “safety first.”

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.