As coronavirus disease 2019 (COVID-19) continues to spread, employers have been trying to strike a balance between safety and privacy as they apply their own policies and attempt to follow laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act of 1996 in the United States. Health data is often granted greater protective status under data-privacy laws and is subject to additional specialized laws. Most data-protection laws specify health- and safety-related exceptions that allow for more data collection and processing, with the GDPR citing “the prevention or control of communicable diseases and other serious threats to health” as one reason for such derogation.
A guiding principle of the GDPR is to avoid collecting, processing, or disclosing data unnecessarily and to maintain employee privacy—even during a global public health emergency. It is worth considering the purpose of a contemplated measure and whether that measure would reasonably accomplish its purpose based on the facts known at the time. Similar principles apply to transferring personal data. Whenever an employer processes its employees’ personal data, employees must be on notice about what the data will be used for as well as the consequences of nondisclosure.
A good first step is to look to governmental or other authoritative guidance, such as, in the United States, the Centers for Disease Control and Prevention (CDC) guidelines for businesses and employers. On February 27, 2020, the World Health Organization issued guidance for employers regarding COVID-19. For example, following the CDC’s recommendation, many U.S. employers are asking employees who are ill or experiencing symptoms of COVID-19 to work from home for two weeks, or even placing them on leave if their jobs cannot be done remotely. However, because new information about a potentially longer incubation period has emerged, as well as the possibility of asymptomatic transmission, employers may want to reconsider that length of time. They may also want to consider whether requiring those employees whose jobs cannot be done remotely to go on extended leave—especially if it’s unpaid leave—would do more harm than good by incentivizing employees to hide symptoms or withhold information about possible exposure to COVID-19.
The risk calculus will differ for each company and each position. Here are some of the more common privacy-implicating scenarios, which are complicated by the lack of definitive information about the transmission of this virus.
Employees’ Personal Travel
Due to the coronavirus situation, almost all employees would probably disclose high-risk travel to their employers. But can employers require employees to disclose the details of their travel? In countries where there is a constitutional right to a “private life,” employers may want to tread lightly. As long as areas of heightened epidemic concentration exist, employers can articulate a legitimate interest in asking employees about their travel to those areas in the name of keeping their workforces safe. But employers may want to keep in mind that at some point COVID-19 may reach community spread on a global basis, at which point designating some areas as “higher risk” than others and requiring disclosure accordingly could become obsolete. What about asking about employees’ family members’ travel? Where can employers draw this line? One approach: track and link to the applicable government site and encourage employees to disclose any potential heightened risk of exposure.
Employees’ Medical Information
At present, someone who tests positive for COVID-19 will likely be required by applicable health authorities to disclose that to his or her employer. But can employers actively seek this type of information from their employees? Some companies have contemplated mandating routine temperature screenings or asking for results of medical examinations. In many jurisdictions (including the United States and Europe), there are laws that restrict requiring medical examinations without specific reasons. What happens if an employee overhears someone else’s cough and reports it? The employer would likely investigate and take some follow-up action, but with a view toward doing so discreetly so as to avoid stigmatization or unnecessary alarm.
Identifying Specific Employees Following a Positive Test or Exposure
If an employee tests positive for COVID-19, how should his or her employer alert its other employees and keep them safe? The GDPR encourages anonymization in appropriate circumstances, but a general disclosure that someone in the company has tested positive may cause paranoia and panic, which may lead to even more stress and harm. And what about secondhand or thirdhand exposure? Once an employer becomes aware of a potential connection or even a remote or theoretical risk, it may want to exercise extreme caution when crafting the communication in order to avoid unnecessary alarm and/or privacy intrusion.
Privacy-related concerns surrounding COVID-19 abound. One problem is that current information about incubation and transmission leaves employers in a position where they cannot easily convert employee personal data into measures reasonably likely to prevent spread and keep their workforces safe. Employers that collect relevant personal data may want to consider (1) if certain data is no longer useful to collect or if it should be collected in a different way; and (2) creating incentives to encourage employee disclosure and the seeking of medical treatment, such as allowing employees to work remotely and providing paid sick leave where possible so that employees will stay home when sick.
Finally, striking a balance between maintaining employees’ privacy and safeguarding their health is quite difficult. Measures that might violate privacy laws (including those viewed in hindsight) but are reasonably tailored and motivated by employee safety based on reliable sources may be worth the front-end risk of implementing. Data privacy regulators may be open to understanding why data controllers acted in the way they did, and they tend to be slow to impose penalties where a reasonable risk assessment (sometimes called a “data protection impact assessment”) has been completed. Employers that are concerned that their measures overreach from a privacy perspective may want to consider handling concerns on a case-by-case basis through reasonable enforcement.