The new coronavirus outbreak has understandably prompted corporate assessments of data security safeguards when employees are working from home, but employers should not lose sight of privacy obligations related to employees’ health information.
Lawfulness, transparency, confidentiality, and data minimization certainly come into play, but recent guidance from regulators on both sides of the Atlantic has recast those concepts in a new light.
Do you ‘need’ to collect coronavirus-related information from your workforce?
Some may think that collecting only what’s necessary is nothing more than a restatement of the purpose limitation principle, which provides that the processing of data must be limited to the purposes for which it was collected. But “necessity” takes on more significance in the face of a global pandemic.
Unlike employee data you may “need” in order to fulfill the requirements of a contract or to comply with a legal obligation, health data that can and does affect society at large transcends business operations.
Perhaps providentially, the European Union’s General Data Protection Regulation (GDPR) has incorporated the concept of necessity under these very circumstances, and European data protection authorities (DPAs) have seized upon those provisions when issuing relevant guidance. The GDPR is the EU-wide law that repealed and replaced the 1995 Data Protection Directive and entered into effect in 2018.
GDPR Art. 9 expressly addresses the processing of health data, which falls within the “special” categories of personal data for which processing is generally prohibited. However, Art. 9 makes exceptions when the processing of such data is “necessary,” specifically for “reasons of substantial public interest” (Art. 9(2)(g)), for “purposes of preventive or occupational medicine” (Art. 9(2)(h)), or for “reasons of public interest in the area of public health” (Art. 9(2)(i)).
The DPAs note, however, that necessity has its limitations.
The Italian DPA (Garante) has warned employers and other businesses not to engage in do-it-yourself (DIY) data collection. In response to questions from some employers as to whether they may obtain a “self-declaration” from employees about the absence of any signs of the virus, the Garante has said: “[E]mployers must refrain from collecting, in advance and in a systematic and generalised manner, … information on the presence of any signs of influenza in the worker and his or her closest contacts ….”
Citing emergency legislation recently adopted in Italy, the Garante noted that the duty to inform the local health authority rests with the individual. Employers, however, may invite employees to initiate contact with the local authority and may even help facilitate those communications.
The French DPA (La Commission Nationale de L’Informatique et des Libertés, or CNIL) has said that employers may not take body temperature readings from each employee or distribute medical questionnaires to the entire workforce. Much like the Garante, CNIL said that employers may educate and invite employees to notify the relevant health authority about possible exposure, and employers may help facilitate the transmission of such information by setting up, for example, a dedicated channel.
The Irish Data Protection Commission has noted that the legal obligation to protect employees’ health, together with GDPR Art. 9(2)(b), provides a legal basis for employers to process health data “where it is deemed necessary and proportionate to do so.” (emphasis in original). The Irish DPC cautions, however, that any such data must be treated in a confidential manner, noting specifically that “any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.”
The U.K. Information Commissioner’s Office has also emphasized proportionality in conjunction with necessity: “It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary, then data protection law won’t stop you from doing so.”
Does a law or regulation ‘apply’ to the collection of coronavirus-related information from your workforce?
Without a comprehensive privacy law in the U.S., collection and disclosure of health-related data in America is a bit more nuanced, but the lawfulness principle—i.e., the requirement that data be processed in a lawful manner—includes the applicability of specific laws.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued a bulletin in the wake of the coronavirus outbreak, reminding companies that the HIPAA Privacy Rule applies only to “covered entities” (health plans, health care clearinghouses, and those health care providers that conduct covered health care transactions electronically) and their “business associates” (entities that perform certain functions, activities or services on behalf of covered entities).
While emphasizing that “the protections of the Privacy Rule are not set aside during an emergency,” OCR reiterated that the Privacy Rule permits covered entities to disclose protected health information without individual authorization to a public health authority, to a foreign government agency, and to persons at risk—all under certain conditions.
Indeed, HHS has created a flowchart explaining acceptable disclosures of protected health information in the event of a public health emergency.
Moreover, recent COVID-19 guidance from the Occupational Health and Safety Administration is a good resource for employers, as is its page on Preparing Workplaces for an Influenza Pandemic, although neither specifically addresses privacy concerns.
The Equal Employment Opportunity Commission (EEOC), however, has touched on workplace privacy issues in a pandemic preparedness resource from 2009 that addresses the scope and applicability of the Americans with Disabilities Act. Significantly, that resource notes that, during a pandemic, employers may ask employees if they are experiencing flu-like symptoms, but employers “must maintain all information about employee illness as a confidential medical record in compliance with the ADA.”
As to whether employers may take employees’ temperatures, the EEOC’s guidance states: “If pandemic influenza symptoms become more severe than the seasonal flu … or if pandemic influenza becomes widespread in the community …, then employers may measure employees’ body temperature.”
Employers struggling with the implementation of the California Consumer Privacy Act (CCPA) are reminded that while AB25 (2019 Cal. Laws ch. 763) exempts most of the CCPA’s provisions from personal information collected in the employment context, the obligation to inform employees of the categories of personal information to be collected still applies.
Furthermore, given that the exemption will expire Jan. 1, 2021 (if not amended), all of the CCPA’s provisions will apply to the collection of personal information in the employment context—including the 12-month “look-back” provision. So employers subject to the CCPA should be aware that any coronavirus-related information collected now could potentially be subject to the look-back provision.
As scientists seek to develop a vaccine for the coronavirus, employers must develop internal policies addressing the effects of the virus in the workplace.
Is the collection of data from employees necessary?
What law or regulation applies?
The answers to these questions can help frame a policy to address the current crisis and unforeseen challenges to come.