Several months ago, the chief information officer of one of my clients died suddenly at a cycling event in the mountains of Virginia. The CIO and I had started cycling together after work when the COVID-19 pandemic began. Because of the lockdowns, our rides on the Blue Ridge Parkway and beyond became an important forum to review the details of various projects that required his expertise. In addition to working closely, we had become friends, and his death was both professionally and personally devastating.
When an employee dies, everyone in their business or organization will need to talk about it, especially when it happens abruptly. It is simply human nature to seek companionship and process heartache together.
In addition to processing information about a deceased employee for the central and human need to address grief, businesses and other organizations will need to process that information for a variety of reasons. Depending on the circumstances of the employee's death, these range from assessing the safety of other employees and the public — due to a communicable illness, for example — to processing claims and payments, and communicating with employees, customers and vendors.
Unfortunately, there are few privacy resources to consider upon the death of an employee. Hopefully this provides a starting point for the conversation among privacy professionals.
Do privacy laws apply to dead people?
Because the EU General Data Protection Regulation's definition of personally identifiable information only applies to living people, technology and other professionals sometimes infer that privacy laws do not apply to the deceased. Since the GDPR is foundational to the privacy laws of other jurisdictions, this inference is amplified outside Europe.
Something similar happens in the U.S. in connection with California's Consumer Privacy Rights Act, which is arguably a foundational law for the privacy laws of other states.
However, this inference is misleading. The universe of privacy laws is broader than the GDPR and the CPRA. Currently, privacy in the U.S. is largely governed by a combination of federal sectoral laws and comprehensive state laws. The Health Insurance Portability and Accountability Act, a federal law that mainly covers health care providers and insurers, expressly extends protections to the personal health information of dead people — and for 50 years after their death.
It could be tempting to assume sectoral laws like HIPAA do not apply to businesses and other organizations outside of a health care context. But that is not necessarily the case. Elements of PHI maintained by organizations outside of a health care context could be subject to HIPAA. For example, human resources and information technology departments may routinely handle PHI in connection with health insurance matters, exposing them to compliance with HIPAA.
In addition to state and federal privacy laws, other laws and common law precedents in areas like copyright, rights of publicity, survivor privacy and property rights may apply to PII upon the death of an employee. As our lives play out more in digital spaces, our PII will increasingly be considered a property right, multiplying claims to it after death.
Consent and other practical considerations
As I mentioned earlier, talking about deceased employees is necessary, not only to carry out the HR and legal requirements that need to be completed with diligence but also to support healing and resiliency. For example, after his death, my client held a virtual "town hall" meeting with all employees to honor the memory of the CIO, who cared deeply about developing career paths for young technology professionals, and to offer emotional support services.
The disclosure of PII and PHI may arise in an unexpected context. Key employees who die suddenly, for example, may have accrued know-how and other valuable but "soft" intellectual property that requires interviews with subordinates to draw out. These subordinates, often mentees whose professional development was intertwined with their mentor's role, will likely want more details about the circumstances of their mentor's death. These details may be important not only for handling grief, but also for maintaining the trust needed to retain employees whose career aspirations may suddenly seem threatened.
However, how can businesses and other organizations reconcile the need to disclose PII or PHI with legal restrictions?
Most privacy laws, including sectoral laws like HIPAA, include the concept of consent to justify disclosures of PII or PHI. Obviously, employees cannot grant consent after they die. Also, certain principal-agent instruments, such as powers of attorney, expire upon the death of the principal. However, legal representatives can grant consent as a function of trusts and estate laws and via instruments such as wills.
I believe consent is the starting point for the conversation among privacy pros about privacy considerations upon the death of an employee. The question we need to address is: What is effective consent to disclosures of PII or PHI about a deceased employee that balances respect for deceased employees and their loved ones with the continuity needs of the business or other organization?
This conversation needs to recognize that businesses and other organizations may need to work closely with the deceased employee's family and other personal representatives, and to consider overlap between the deceased employee's professional and personal life, such as their use of personal electronic devices in the workplace.
HR departments typically do a good job of recording employees' emergency contacts in their systems, but have they considered recording legal representatives, especially for key employees? In cases where an employee's consent is extinguished by their death, it may be helpful to contact a legal representative for several reasons — from supporting a memorial service to accessing the employee's personal email to find a needed password or document.
However, it is important to consider that trusts and estate matters, such as wills, may be sensitive topics for employees, and that storing PII related to their representatives introduces additional privacy considerations.
Businesses and other organizations can also address property rights through contractual arrangements. They can address business continuity risks by increasing the maturity level of their business processes, such as through documentation.
Increasing the maturity level of business processes is particularly important as soft intellectual property developed by employees, such as know-how, has become increasingly valuable to businesses and other organizations. For example, understanding nuances of business processes, such as details about the configuration of a customer's accounts payable system that reduces rejected invoices, can be particularly valuable.
Just as trusts and estate attorneys counsel individuals about developing a strategy for inheriting digital assets, privacy pros need to counsel clients about developing a strategy to address privacy considerations related to preserving soft intellectual property following the death of an employee.
From a privacy management perspective, as always, the key consideration is the availability of resources and their prioritization. Accordingly, first steps for privacy pros addressing privacy considerations upon the death of an employee should include:
Adding the death of an employee as a privacy tracking topic and assigning responsibility for it.
Conducting an inventory of existing HR and other business processes related to deceased employees and identifying gaps relating to privacy.
Identifying personal representatives for key employees, while considering the privacy considerations of the representatives' PII.
My goal was to provide a starting point for a conversation among privacy pros about privacy considerations that should be addressed upon the death of an employee.
I hope this establishes a foundation on which practical, but also standardized, processes to address this topic effectively and with utmost respect for the rights and sensibilities of the deceased employees' survivors can be built.
Alex Ferraté, CIPP/E, CIPM, FIP, is a commercial attorney in the Washington, D.C., area. This article is for informational purposes only and does not contain legal advice.