Offices around the world closed their doors more than one year ago as many sent employees to work from home while the COVID-19 pandemic unfolded. As vaccinations continue to progress at a steady pace, many employers and employees are eager to get back into the office.

As they contemplate how to best take that step, organizations are facing “a perfect storm of all the issues privacy officers should be thinking about,” said WilmerHale Cybersecurity and Privacy Practice Co-Chair Kirk Nahra, CIPP/US.

The number-one question for many companies, according to Littler Mendelson Shareholder and Privacy and Background Checks Practice Group Co-Chair Philip Gordon, an expert in workplace privacy, has been whether an employer can implement a mandatory vaccine policy.

“We are getting bombarded by our clients about vaccines, vaccine-related issues, and getting employees back into the physical workspace,” he said. “The privacy issues that we’re getting are, principally, can we collect employees’ vaccine status, if we collect it what do we do with it, can we disclose it to customers who ask, especially if we have clients who send employees on-site to do their job? Those are the issues that we’re seeing.”

New research from the Society for Human Resource Management shows employees might be in favor of employer-mandated vaccines, with 52% of respondents stating they would support their employer requiring all employees to get vaccinated as a condition of employment.

Regulatory guidance lacking, thus far

While regulators and government agencies around the world have offered guidance throughout the pandemic, it has focused on COVID-19 testing or efforts like contact tracing. And in the U.S., there isn’t existing legislation to turn to.

“What we’re finding is there isn’t much law on this. In that sense, it has been sort of perfect privacy thinking, in the sense that it’s a test case for privacy by design,” Nahra said. “You need to think about all the questions that you do in privacy by design. What are we collecting? What are we going to do with it? Who is going to have access to it? What are we going to use it for? Then, it’s driven by being smart rather than there’s a specific piece of legislation that says you do it this way or that way. We don’t have that legislation for the most part.”

Vaccine information, when in the possession of an employer, Gordon said, is not protected by the Health Insurance Portability and Accountability Act or the Americans with Disabilities Act — two principal statutes in the U.S. In the workplace, HIPAA applies only to a small group of employee health benefits, while the ADA applies to medical information employers receive in connection with either a medical exam or a disability-related injury, he said.

California and Connecticut do have laws that impose restrictions on disclosures of vaccine information, Gordon said, adding approximately 20 states have data breach notification laws that include health information as data that, if compromised, could trigger a notification obligation.

“So that provides an incentive to treat the vaccine information like other confidential medical information, even though technically under federal law and most state laws it’s not protected,” he said.

The U.S. Equal Employment Opportunity Commission recently issued guidance that employers may lawfully require employees to get a COVID-19 vaccine or show proof they already have, explaining the “vaccination itself is not a medical examination” within the meaning of the ADA.

Nahra said he believes guidance is moving in the direction of permitting more disclosures and collection of information to support public health, with the realization that the key consideration is not just protecting the data of the individual, but also the health and safety of those around them.

“That’s clearly relevant in the workplace; it’s clearly relevant when you go to a movie theater, a sports stadium or an amusement park, or get on a plane — all of those situations that’s going to be relevant,” he said.

In Europe, where personal data is subject to the EU General Data Protection Regulation, Deloitte Legal Partner Marta Dunphy-Moriel, CIPP/E, said unless there’s a legal requirement for a business to know vaccination data, it’s “pretty difficult to justify.” While employers can encourage employee vaccination, Dunphy-Moriel said until a regulator mandates vaccinations, employers should not.

“At the moment, what we are relying on is the guidance we have in general for processing this type of data. The interpretation of (the EU General Data Protection Regulation) is not clear. Because we are in a situation of a pandemic, it is very much regulator-led. We can give our opinions, for sure, and our interpretation based on employment requirements and limits with privacy, but, quite frankly, it will be the national regulator who will dictate the pace of what is acceptable and what is not acceptable,” she said. “It’s just something that we can sort of do the best we can to justify it, but it will be very difficult to justify unless there’s a requirement to do it.”

So what to do?

Mathieu Gorge, CEO of VigiTrust and author of “The Cyber Elephant in the Boardroom,” which is based on a framework of five pillars of security (physical security, people security, data security, infrastructure security and crisis management), urges businesses to examine those pillars when considering how to move forward. Doing so can help them mitigate risks, handle data with care and in line with appropriate data protection regulations, and prevent potential breaches, he says.

“I would urge any organization that’s wanting to embark on an employee vaccination plan to use the five pillars as an initial very simple benchmark,” he said. “If we go back to the basics and look at the concepts of cyber-accountability, they need to understand they are held accountable for making sure they take appropriate security measures to protect their good name, the reputation of the company, the data, the employees, third parties and so on.”

In a traditional office environment, Gordon said, the least complicated choice for businesses is to make vaccinations voluntary and ask employees to continue to engage in established safe practices, like wearing masks and social distancing.

“Big picture, it’s almost like any other data collection issue,” Gordon said. “The first question is do you really need the information? If the business does need the information, what’s the business purpose and collect only vaccine status information from those employees where you have a business need to do so. Then treat the information appropriately.”

Nahra is advising clients to be “thoughtful, smart and responsible.”

“Do what you need to do but think it through carefully,” he said. “Be thoughtful. What’s your experience? What’s your judgment? What is a regulator going to think about it? All that kind of stuff.”

Patience is a virtue, Dunphy-Moriel said, and working from home is not going to go away any time soon. She recommends businesses reinforce investments in ensuring employees have the option to work remotely.

“It’s very frustrating to have to sit and wait and plan, but unfortunately, this is a sit-wait-and-plan situation. Jumping the gun can actually be a compliance nightmare. If you get it wrong, the reputational damages can be absolutely dreadful,” she said. “It’s never a good time to take on a ridiculous amount of risk. This is just not worth the risk right now.”
