Companies are working hard to balance the privacy of their employees and the need to keep employees informed and safe. Many have encouraged employees and visitors to report if they experience COVID-19 symptoms or have otherwise been exposed to the virus through travel or their communities. They have collected this information by asking employees and visitors to complete questionnaires and used the information to manage risk, including by making decisions about access to clients’ facilities. When companies find an employee experienced symptoms or was otherwise exposed to the virus, they have balanced the affected employee’s privacy with the need to notify others who had been in contact with the employee and to assure the workforce that measures are in place to mitigate risk.
Keep in mind that individuals affected by the virus are colleagues, teammates, friends and their families who need support in moments of hardship. The support colleagues and communities provide to affected individuals should include protecting those individuals’ privacy.
Generally, because there is no comprehensive privacy legislation in the US, privacy requirements reflect various federal and state laws that govern the collection, use, disclosure and safeguarding of personal information in a variety of circumstances.
Here are several key privacy and cybersecurity considerations companies should keep in mind:
- There may be differing approaches to privacy in Europe. See our posts on European and UK guidance.
- Observe data minimization principles. Companies should collect only the personal information they deem necessary for managing COVID-19 risks and use and disclose the information for those limited, finite purposes.
- To communicate with employees or affected individuals by text, employers should try to obtain the recipients’ consent. If consent is not feasible, limit communications to what is relevant to the individual, and avoid texting general information.
- Handle health information with care. The information individuals provide about their health and the health of others is sensitive, so companies should have dedicated means to collect this information and a dedicated location to store the information (e.g., a single dedicated mailbox, database or shared folder). They should use and share the information only for the intended purposes of risk management and appropriately secure the information (e.g., using at-rest encryption).
- Limit data retention. Companies should securely delete the health information they collect when it is no longer necessary for COVID-19 risk mitigation purposes (unless there is a non-privacy legal requirement to retain the information longer).
- Do not disclose the affected employee’s identity unless absolutely necessary. When informing employees of a possible case of COVID-19 within the organization, it is prudent to avoid identifying the affected employee. The United States Equal Employment Opportunity Commission has provided guidance that employers should keep medical information (such as a positive diagnosis) confidential. We expect state and local regulators (including in California and Washington) to follow the EEOC’s lead. For employees who were not in the proximity of the affected individual, the identity of the individual is likely not relevant for risk mitigation. Even if the affected individual is unable to identify the employees with whom the employee was in close contact, the organization should be able to identify those employees through the analysis of the office’s geography.
- Verify resources to which you direct employees. When directing employees to COVID-19 resources, check the links you provide to make sure they are legitimate. There have been reports of hackers using COVID-19 to spread malware, including by using compromised COVID-19 maps to launch phishing attacks.
- Encourage employees to remain vigilant. Remind employees to remain vigilant in responding to emails from outside the organization and be on the lookout for phishing attempts. It is always prudent to remind employees that – even when they work from home – the company will not ask employees to provide their user names and passwords over email. As employees transition to work-from-home arrangements, they may increasingly rely on IT support and become desensitized to requests for credentials. There is a rise in cyber scams/phishing campaigns related to the coronavirus with hackers posing as the CDC, for example, in addition to the malware issues. There is also greater risk of executive impersonation scams with personnel not working in the office together and relying more on emails, which carries the potential for increased risk of payment fraud.
- Consider enhancing information security controls. Companies should consider providing employees with a VPN and deploying multifactor authentication and other technology for employees working from home.
- Can we circulate a questionnaire to visitors asking them travel history and if they are experiencing flu-like symptoms?
Yes. The questionnaire should only be available to those who need to review the information, and it should be deleted/destroyed as soon as it is no longer required for the business purpose of risk mitigation. Consider creating an interactive webform on a secure platform for visitors to complete the questionnaire or directing visitors to send completed questionnaires to a designated email address. Mind the tone of the questionnaire, as appropriate.
- Can we take the temperature of employees entering our building?
The EEOC guidelines for pandemic preparedness allow employers to conduct medical examinations of employees when the individual poses a “direct threat” in the workplace. Each employer will need to conduct a balancing test to determine whether a direct threat exists, balancing (1) the duration of the risk, (2) the nature and severity of the potential harm, (3) the likelihood that potential harm will occur and (4) the imminence of the potential harm. Employers should keep confidential the results of any medical screenings.
- Can we tell employees the name of someone who has tested positive for COVID-19?
Avoid identifying the individual who has tested positive. As we explained above, the identity of the affected individual should not be relevant to other employees, even those who were in the proximity of that individual.
- Can local health authorities require an employer to share health information about employees who test positive, or can employers share this information with health authorities voluntarily?
Employers generally must keep employees’ health information confidential, including under the ADA pandemic guidelines and relevant state health information confidentiality requirements. Employers can, however, report statistical information and encourage employees to engage with healthcare providers directly.
- Should we provide an update regarding affected employees at an all-hands call or via an email?
Communicating updates via email is likely a more prudent approach because it allows better control of the communication and avoids missteps by the speaker that may inadvertently identify the affected individuals.
- Can we request and circulate employees’ personal contact information for business continuity purposes?
If company systems are not set up for a remote work environment that permits employees to communicate using their existing business contact information, then employers may request employees’ personal contact information, such as phone numbers or email addresses, for continuity of business operations. It is prudent to limit this to contact information that is necessary for business continuity, and, if feasible, share it only with team members that have a need to know the information. Employers can also encourage the sharing of this information among team members directly or facilitate communications via cloud-based enterprise communications platforms.
Please email firstname.lastname@example.org if you have any questions. For additional information and guidance, please refer to Cooley’s Coronavirus Resources page. To sign up to receive Cooley’s c/d/p blog updates, visit cdp.cooley.com.
Cooley’s c/d/p team