Companies worldwide are scrambling to respond to the current global COVID-19 pandemic, addressing critical and monumental health and safety risks, coping with operational and logistical challenges presented by erratic and/or reduced customer activity, and supporting remote employee working. Urgently, companies are putting together procedures for the collection of sensitive employee health information to detect and/or prevent the spread of the virus and are struggling with what to say and whom to tell when confirmed or suspected diagnoses arise. On top of these challenges, more than 20 U.S. and global data protection authorities and governmental agencies have issued diverse and divergent guidance on health data collection, COVID-19 diagnosis disclosure and work-at-home practices.1
In this alert, we provide a summary of emerging best practices based on the regulatory guidance that companies should incorporate into their COVID-19 response strategies. Our recommendations are based on trends in the global regulatory guidance and are designed to balance the health and safety of the larger workforce (and community) with the individual privacy and confidentiality of the affected workers and their families. Also, for a live discussion of these concerns, register for our upcoming webinar: “COVID-19 Response Communication Planning and Regulatory Guidance.”
What Every Company Needs to Know Now: What to Collect, Say and Share
Companies need to balance individual privacy with the collection and disclosure of sensitive employee/worker health information for safety purposes.
- Collection and Disclosure Best Practices to Strike a Balance. Thoughtfully establish health data collection procedures designed to protect the health of your employees without allowing individuals who contract the virus to become pariahs or be stigmatized. How you handle the situation will affect not only employee perception of your responsibility and regard for their well-being, but also the marketplace’s trust in your brand and perception of social responsibility.
- Avoid sensitive collection practices (e.g., taking and recording temperature, inquiring about family and others in the home, tracking location outside of work).
- Develop strict guidelines limiting the circumstances in which the names of employees/workers who contract the virus may be disclosed (e.g., only to government health and safety agencies, to service providers bound by a written agreement, and, with the individual's consent, to healthcare professionals and family).
- Notices and Agreements. Review your employee/applicant privacy notice(s) to determine whether the notices provide for the required data collection, use and disclosure appropriate for the health and safety of the workplace and all employees. Where applicable, work with vendors (e.g., staffing agencies) to determine what their notices contain as well. If necessary and/or feasible, develop COVID-19-specific notices for employees that outline the special data collection, use and sharing that may occur during the pandemic. Consider separate data sharing agreements or provisions with third parties as well to cover these situations. Ensure data sharing agreements contain sufficient protections. A breach of medical information could come with higher risks and costs.
- Privacy and Security Guidance for Work-at-Home Arrangements. Ensure that employees follow reasonable security practices when working from home, as set out in a Federal Trade Commission (FTC) alert from March 18, 2020, including using complex passwords, keeping security software up to date, enabling WPA2 or WPA3 encryption on their home Wi-Fi router (older protocols such as WEP and the original WPA are no longer considered secure), password-protecting and locking laptops and mobile phones, securing physical files and disposing of company data securely, such as by shredding.
- Security. Ensure that you have put in place reasonable security measures to protect any additional information collected from employees, such as health-related data or location history. This would likely include a designated data storage location with robust access controls (access limited to the few people who need it, such as the designated point of contact), encryption and other protections against unauthorized access and disclosure.
Consistently Inconsistent - Guidance from Global Data Protection Authorities and Regulatory Agencies
More than 20 countries have issued privacy and security guidance covering the collection, use and disclosure of COVID-19 health-related information. While some of the guidance is more restrictive, other guidance promotes a more liberal approach designed to balance the need to collect sensitive health data for public safety with the need to protect individual privacy. Below is a summary of practices based on this regulatory guidance, which varies by country but has some common themes.
Data Collection and Prevention Efforts
Don’ts. Generally, the following activities are regarded as sensitive or restricted practices and should not be done by companies:
- Taking and recording temperature
- Conducting employee/worker health surveys asking questions relating to family members and others living in the home
- Requesting and collecting information about employee/worker social interaction and information about locations visited outside of work
Do's. Generally, the following activities are regarded as acceptable and/or recommended practices:
- Taking temperature readings without recording them, and recording only the identities of those sent home to quarantine because of an elevated temperature
- Conducting health surveys of employees and other workers, including asking them if they are experiencing symptoms of the virus, such as fever and shortness of breath
- Requiring home quarantine for people suspected of having come into contact with someone with COVID-19 and/or exhibiting symptoms (e.g., fever, dry cough or other symptoms) or otherwise not feeling well
- Requiring a doctor’s note to certify fitness-for-duty to return to work
- Using cell phone tracking software to track location information and confirm home quarantine compliance for people with COVID-19 (Israel only). Consent to collect precise location information may be required in some countries.
Disclosures of Names of Individuals with Confirmed Cases or Suspected Ones
Don’ts. The name of an affected individual should not be disclosed to:
- Co-workers and other company personnel. Communications to co-workers should not identify the individual; they should instead identify the location involved (i.e., office, building) and the people who should closely monitor their health because they may have come in contact with one or more individuals who potentially had the virus.
- Executives and direct supervisors, to the extent possible; where disclosure to them is unavoidable, limit it to a need-to-know basis under the circumstances.
Do's. Disclosures of the name of the impacted individual should only be made in three limited circumstances:
- To health and safety government agencies without consent of the individual in cases of confirmed illness
- To healthcare providers with consent of the individual to aid the individual’s treatment
- To family members with consent of the individual to help the family protect themselves and/or aid the individual’s treatment
Employee Duty to Inform Employer of Health Status Potentially Endangering Others
- Reminder. It is acceptable to remind employees/workers that in many countries they have an obligation to inform their employer if they have a health condition that could impact the safety and welfare of others.
- Point of Contact. Companies should set up a single point of contact to report confirmed conditions (often in human resources or legal departments). That said, companies that have in-house doctors or healthcare professionals can involve them in evaluation of employee health and symptoms or as a point of contact for confirmed or suspected illness.
- Disclosures Requiring Authorization. Organizations subject to HIPAA (as covered entities or business associates), including organizations that sponsor self-funded healthcare benefit plans, must obtain the individual’s written authorization before disclosing protected health information to third parties for purposes not otherwise permitted by the HIPAA Privacy Rule (such as treatment, payment, healthcare operations or required public health reporting). Note that health information an employer collects in its capacity as employer, rather than as a health plan, is generally not protected health information under HIPAA, although it may still be protected under other laws.
Working From Home
A variety of countries also have work-at-home guidelines, including the U.S., Ireland and France. As more work moves into the home, data privacy and security safeguards must be tightened. There may be additional requirements if you are handling credit card, healthcare or other regulated data at home. In general, however, the following are the emerging best practices:
Don’ts. If permitting employees to work remotely, companies should not:
- Allow employees to use unsecured personal devices for work purposes
- Encourage employees to print or bring home physical records unless absolutely necessary (employees should shred records for disposal, not throw them in the trash or recycling bin)
Do's. To enable secure remote working, companies should:
- Provide information and training to employees on appropriate safeguards for data handling at home
- Ensure that any devices used by employees for work purposes have the necessary updates, such as operating system updates (e.g., iOS or Android) and software/antivirus updates
- Use effective access controls (such as multi-factor authentication and strong passwords) to restrict access to the device and, where available, encryption of the device’s storage, so that data remains protected if a device is stolen or misplaced
- Mandate that employees use work email accounts rather than personal ones for work-related emails involving personal data
Coordinate COVID-19 Information Handling and Disclosure Guidelines with Other Related Initiatives
Companies should keep in mind that privacy and health information collection and disclosure should be coordinated with other COVID-19 response efforts. The Fenwick COVID-19 Resource Center and team have been helping companies with important related initiatives that may have an impact on data security and privacy, including, but not limited to, the following:
- Health and safety guidelines for your office and employees
- Recruiting and personnel challenges, including operating with a reduced workforce
- Executive team and employee travel policies, including provisions for stranded travelers unable to return home
- Meeting protocol with potential customers, investors and others
- Policies in your global offices based on local health and data protection laws
- Company event and conference postponements and their impacts on your business
- Remote work and work-at-home policies
- Contract playbook on how to handle force majeure, amendments and performance guidelines
- Plans for infectious disease management
- Plans for conducting M&A and financing diligence remotely
Please contact us for additional information regarding the requirements in a specific jurisdiction or to discuss how the Fenwick COVID-19 Resource Center and team can help develop or enhance your COVID-19 response program, procedures and training relating to any of the issues described above. Fenwick’s COVID-19 Resource Center also contains other insights across Fenwick’s practice disciplines and is updated as additional legal, regulatory and commercial developments unfold.
1 Belgium, Denmark, the European Union, France, Germany, Iceland, Ireland, Italy, Lithuania, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Russia, Slovakia, Slovenia, Spain, Sweden, United Kingdom and the United States have all issued guidance.
*Kyra Baffo is an intern at Fenwick & West and contributed to this article.