As much of America heads back to work in some manner, our clients, as prudent businesspeople and compassionate employers, have raised numerous excellent questions pertaining to the interaction of employment and privacy law as they seek to maintain a safe and healthy workplace.

 

In March, as the COVID-19 pandemic moved into the crisis phase and lockdowns began, we issued guidance on the FisherBroyles Employment blog about the privacy and data security considerations that should be taken into account. Now that many of the governmental directives and actions were modified or even withdrawn (in whole or part), a different set of considerations come into play: previously, the primary focus was on immediate steps to take to prevent the spread of COVID-19 within workplaces and communities. Now, as workers return to their workplaces, employers also must consider privacy obligations both to mitigate risk against aggressive litigation and, well, because the law requires it.

 

As non-essential businesses reopen, federal and state agencies recommend and/or permit health screenings, consistent with confidentiality obligations under the Americans with Disabilities Act (ADA), in order to prevent the spread of COVID-19 and keep the workplace safe and compliant with the Occupational Safety and Health Act (OSHA). After all, these workplaces closed upon governmental instruction in order to stop or at least try to contain the spread.

 

However, as our workplaces open for business, and workers return if they cannot telecommute, employers must heed and comply with their obligations under applicable privacy law, including:

 

• Existing Privacy Law Remains Unchanged. While there is some pending legislation, at present, the text of fundamental authorities such as the European Union General Data Protection Regulation (“GDPR”) , the California Consumer Privacy Act (“CCPA”), the Illinois Biometric Information Privacy Act, data breach notification laws of all 50 states, Federal Communications Commission rules (in pertinent part, governing GPS tracking), and Federal Trade Commission rules (requiring compliance with one’s own policies) remain the same and require compliance.

 

• Good Disclosure is Critical. A fundamental element of a privacy compliance strategy requires clear, written, non-legalistic, prior disclosure to individuals about whom is collecting data, what data is being collected, why it is being collected, and what may be done with the data, both inside and outside the organization. Today, this means advising employees before they return, about safety measures and protocols taken to mitigate the risk of virus spread, such as temperature and health checks.

 

• Consent. An equally fundamental tenet of privacy law compliance is individual consent to disclosure (which the GDPR requires and other laws strongly recommend). While a “check the box” form of consent is customary for privacy policies and terms of use, it is unlikely to be practical here. Rather, as business owners call employees back to work, they may consider including, in the aforementioned written notice to employees about safety measures being taken in the workplace, bold language stating that their resumption of duties in the workplace is their consent to these measures.

 

• New OSHA Obligations. As of May 26, 2020, the Occupational Health and Safety Administration requires employers to record confirmed cases of COVID-19, as defined by the Center for Disease Control (CDC) if the case is work-related, as defined by law, and the case involves one or more of the recording criteria set forth in 29 CFR § 1904.7 (e.g., medical treatment, days away from work). This places an affirmative obligation on business owners and managers to undertake a reasonable investigation based on the objective evidence available. Employers should document and maintain the documentation of such efforts, and if you conclude that a COVID-19 case is more likely than not work-related, it should be recorded (records must be maintained for five years). It’s a lot to think about.

 

• Information Sharing vs. Collection. With the understandable interest of public health authorities in contact tracing, another key element of privacy law comes into play, namely disclosure of contemplated information to others. Whether or not they intend to do so, employers should reserve their rights to provide information to governmental bodies in accordance with their understanding of directives. We suggest, however, that employers disclose only the information that they believe is absolutely required by such directives, even if the scope of consent received from employees contemplates broader disclosure. For example, if someone is sent home from the workplace because of an elevated temperature, that action should not customarily be reported to public health authorities absent a clear requirement to do so, and, even then, the issues should be specifically discussed with the affected employee(s) at such time. That said, an employer may disclose the name of an employee to a public health agency when it learns the employee has COVID-19.

 

• Keep Data Retention to a Minimum! In both the current and contemplated future situations, consider minimizing the data you retain to maintain privacy. Though employers may log results of temperature checks, consider whether you need to retain a log of normal temperatures. If not, then why maintain one? The Americans With Disabilities Act (ADA) requires storing separately all medical information about an employee from the employee’s personnel file. An employer may store all medical information related to COVID-19 in existing medical files, including an employee’s statement that (s)he has the disease or suspects (s)he has the disease, or the employer’s notes about an employee’s symptoms. If you ask about symptoms, the ADA requires retaining that information as a confidential medical record. However, don’t collect what you don’t need, and even if you did need it before, but don’t any longer, get rid of it in a secure manner.

 

• Be Careful with Commitments. Regulatory authorities routinely target companies that deviate from their own commitments—published in employee handbooks and posted in privacy policies—to maintain the confidentiality of employee data. It is not enough to have compliance policies; they must be enforced to be effective and compliant.

 

• Law vs. Direction. In both the privacy and employment areas, not all governmental direction is created equally. While federal recommendations, guidance, and other state options must be taken seriously, prioritize federal and state statutes that include private rights of action against organizations for penalties, fines, and even injunctive relief for noncompliance. Where authorities appear to be in conflict, we can assist with determination of what should be given precedence.

 

• State and Time-Specific: Check with Us. As law and guidance varies from state to state and is likely to vary over time, we encourage clients to check with us at each decision point to ensure the provision of advice which is optimal for each situation.

 

Our Employment and Privacy partners stand by to assist with efficient navigation through this confusing, unprecedented time.

 

For additional information, please contact any of the following: Kimberly Dempsey Booher

at [email protected], Amy Epstein Gluck at [email protected],

Martin B. Robins at [email protected] with any questions or more specific situations.