As COVID-19 becomes our new normal, we increasingly see the tension between protecting the public’s health and privacy rights. Employers are faced with providing a safe work environment while complying with applicable privacy laws. Regulatory agencies and data protection authorities have issued guidance to help employers navigate these issues (see the DPA Guidance on COVID-19 collected by the IAPP).
The situation for employers is made more challenging because it is fluid: Each day there is new information about the disease, what protections are appropriate and the level of infection in a particular community. All these factors potentially impact the analysis of how much personal information should be collected and shared by employers.
European Union
For EU countries, the General Data Protection Regulation informs this analysis. The European Data Protection Board has adopted a statement regarding the processing of personal data during the COVID-19 outbreak that specifically addresses the employment context.
As Jennifer Baker recently reported, the EDPB guidance recognizes “the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.” At the same time, it discusses the core principles of purpose limitation, transparency, and integrity and confidentiality, emphasizing proportionality and data minimization in collecting employee health information.
The EDPB statement defers to national laws with respect to questions about whether employers can perform medical checkups on employees or require employees or visitors to provide specific health information. Bird & Bird recently published a chart outlining the specific rules in these areas by EU member states. The EDPB guidance does confirm employers should tell staff if a colleague is infected with COVID-19, communicating only necessary information, and, in fact, recognizes there may be some cases where the infected employee’s name may be disclosed. “In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.”
EU countries are taking different approaches to the issue of employers processing personal data during the COVID-19 pandemic.
In Ireland, the Data Protection Commission acknowledges taking steps to contain the spread of COVID-19 may involve processing sensitive personal data but reminds organizations of their legal obligations under the GDPR and Ireland’s Data Protection Act 2018. “Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate” and “informed by the guidance and/or directions of public health authorities, or other relevant authorities.” It reviews the obligations of lawfulness, transparency, confidentiality, data minimization and accountability in this context.
For employers, this means they would be justified in asking employees and visitors to inform them if they are experiencing COVID-19 symptoms or have traveled to an affected area. Anything more, such as requiring a detailed questionnaire, “would have to have a strong justification based on necessity and proportionality and on an assessment of risk.” Employers can require employees to inform them if they have been diagnosed with COVID-19 and may inform staff of potential exposure, but the identity of the affected individual should not be disclosed unless such disclosure is required by public health authorities.
Like the DPC, Spain’s DPA, the AEPD, issued a report discussing the application of Spain’s data protection law to measures taken in the employment setting, noting data protection principles still apply. The FAQs issued by the AEPD advise employers they can ask employees about symptoms, whether they have COVID-19, and if they are subject to quarantine. The guidance reminds employers that processing employee health data needs to follow the principles of data minimization and purpose limitation. Information regarding workplace exposure generally should be provided without identifying the person infected. Employers also are permitted to have medical staff take the temperature of employees, again with the caveat the data must be treated according to data protection regulations.
France and the Netherlands take a much more restrictive approach. Guidance from the CNIL precludes employers from collecting information regarding COVID-19 symptoms or taking employee temperatures. Employees, however, are required to inform their employer if they believe they have been exposed to COVID-19. If an employer receives a report of potential exposure, it is able to record the date and identity of the person suspected of having been exposed and the measures taken with respect to the employee, such as teleworking or referral to an occupational doctor.
Similarly, workplace guidance from the Dutch Data Protection Authority advises employers “you are not allowed to process medical data of your personnel.” Employers cannot ask employees about their health or keep track of the reason someone reports in sick.
United Kingdom
The U.K. approach recognizes the pandemic may impact privacy rights to protect the health and safety of employees but asks for a proportionate response. Guidance from the Information Commissioner's Office states employers are allowed to “collect health data” about employees or visitors, such as whether they have COVID-19 symptoms. It cautions employers to only collect what is necessary and safeguard the information collected. It also advises employers that while they should inform staff if a colleague may have COVID-19, the names of those individuals probably do not need to be disclosed.
United States
The federal guidance in the U.S. is similar to the U.K.'s approach. In the U.S., the Equal Employment Opportunity Commission enforces workplace anti-discrimination laws, including the Americans with Disabilities Act. Generally, the ADA prohibits employers from making disability-related inquiries and requiring medical examinations, except under certain limited circumstances. On March 19, the EEOC updated its pandemic guidance from the 2009 H1N1 outbreak to include specific COVID-19 information consistent with current guidelines from the Centers for Disease Control and Prevention and public health authorities, issuing "What You Should Know About the ADA, the Rehabilitation Act, and COVID-19" and "Pandemic Preparedness in the Workplace."
Importantly, the EEOC guidance states COVID-19 currently meets the “direct threat” standard in the ADA, meaning “a significant risk of substantial harm would be posed by having someone with COVID-19” or its symptoms in the workplace. Based on this guidance, employers can implement additional measures to promote health and safety during this pandemic, including:
- Asking employees if they are experiencing symptoms of COVID-19 (any medical information collected by employers needs to be kept confidential).
- Taking employees’ body temperature.
- Asking employees about travel for business or personal reasons.
- Requiring employees to wear personal protective equipment and adopt infection-control practices.
In addition, the CDC’s Interim Guidance for Businesses and Employers on COVID-19 recommends employers inform employees if they have been exposed to COVID-19 in the workplace but maintain confidentiality.
The EEOC guidance emphasizes the need for employers to follow current directives from the CDC and other public health authorities, noting this information “will change as the COVID-19 situation evolves.”
There also may be state laws and regulations that impact privacy rights in the workplace.
Going forward
As the U.S. EEOC guidance makes clear, directives to employers regarding privacy issues during COVID-19 are likely to change. If COVID-19 is less of a threat to public safety and the workplace, certain types of data collection, like taking an employee’s temperature, may no longer be warranted. At the same time, we can expect public health officials and employers to be concerned about safety as employees transition back to the workplace.
New information about disease transmission or the development of a vaccine also may raise new issues for employers to consider. We will be monitoring these issues closely and reporting out any developments.