In Australia, over 2 million citizens have downloaded an app meant to alert users if they’ve been in contact with someone who has recently had COVID-19. Apple and Google have both released an exposure notification API that’s mean to help governments and developers create contract tracing software. And, across the United States, companies are being put in the awkward position of dealing with how to announce confirmed COVID-19 cases at their workplace.

While talking about data privacy isn’t generally the life of the party, discussing data privacy during a global pandemic can feel nightmarish. Data is a crucial component of tracking, tracing, treating, and, ultimately, curing global diseases. But where do we draw the line between public health and individual rights?

Recently, we hosted a virtual roundtable to discuss the fine line between individual rights and public use for data. In particular, we were interested in discovering how much information businesses should be willing to share with the press when coronavirus outbreaks happen at their facilities, and how much information the press should be willing to share with the public regarding COVID-19 cases in the area.

And, like many broad data privacy discussions, we didn’t come up with any clear-cut answers. This is an unprecedented situation. Data privacy is already a rapidly-evolving framework across social and political bodies. When you introduce a touch of pandemic to the mix, you create more questions than you answer.

From Sick Days to Quarantine Days: The Evolution of Workplace Illness Data During a Pandemic

In the past, taking a sick day meant calling into work sick. It was generally that simple. But, during the COVID-19 pandemic, workers are calling into HR to specifically inform them that they have COVID-19. This creates an entirely new framework for how HR approaches healthcare data. You may need completely new sick leave policies to coincide with these changes, and you may even create new databases to store critical COVID-19-related information (e.g., testing results, temperature information, etc.)

This brings up some interesting questions. For starters, how and where are you storing that data? Is it highly personal data that should be stored with other sensitive employee data? Better yet, can you even store the data at all? How long should I be keeping the data and for what purpose?

The Information and Data Protection Commissioner recently issued a press release to touch on these types of issues. In the release, the commissioner urged data controllers to both act within the best interests of public health (when possible) and to continue to follow the procedures outlined in GDPR.

Thus far, many countries have released guidelines (though often rough) on processing and handling data during the novel coronavirus. In the U.K., the ICO released an online hub for data protection during the pandemic. In Spain, a Report from the State Legal Service Department was recently released, which set guidelines for data controllers relating to reporting workers suffering from COVID-19. And, in Canada, The Office of the Privacy Commissioner of Canada (OPC) released guidance to “help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak.”

In the United States, we still don’t have a clear-cut announcement regarding data controllers and individual privacy, especially when it comes to workplace situations. As we often see with data privacy, countries are rallying behind rapidly established local standards. This leaves companies with plenty of questions. 

For starters, let’s talk about what you certainly can do, at least in the United States.

  • You can check the temperatures of your employees so long as you use non-invasive temporal scanners. The U.S. Equal Employment Opportunity Commission recently released an in-depth guide covering this issue — specifically how it falls under ADA guidelines. 
    • Note: Temperature checks are considered “employee medical examinations,” so any data relating to that temperature check must be stored in compliance with ADA.
  • You can ask employees if they’ve had any COVID-19 symptoms.
  • You can require that employees complete a self-assessment of their travel history to areas with high COVID-19 rates. 
    • Note: These assessments have to be random or total. If you’re seen as administering them based on race, age, culture, etc. you could open yourself up to lawsuits.

Here’s where things get complicated, can you alert the press or other employees that one of your employees has tested positive for COVID-19? And what level of responsibility do employers have to comply with data handling standards during an ongoing pandemic?  If it is reported internally or externally that an employee has tested positive, can anonymized data be used to piece together the employee’s identity?  After all, 87% of the US population can be re-identified with only three pieces of information:  1) Gender  2) Zipcode  3)  Date of birth.  

Individual Data Rights vs. Public Health Initiatives: An Ongoing Tug-of-War

Since US authorities have yet to release guidance on collecting private data for COVID-19 case identification, employers are in the dark. This raises questions. How long should employers be keeping employee data relating to COVID-19? Are employers using high-quality processes for data ingesting, storage, and retrieval? Is critical data being encrypted and de-identified? Are retention policies in place for this type of data at your workplace?  What about unexpected data locations such as information entered into free-form description fields or chat windows?

Beyond that, should you even be collecting this data in the first place? When we surveyed companies on their policies for alerting press on COVID-19 cases, none of them said they would comment to the press. But, they all had unique policies on how they were handling sicknesses internally, especially when it came to who and how to notify employees of COVID-19.

The Office of Civil Rights, Health & Human Service issued guidance showing that employers can request “protected health information” from HCPs, so long as it’s to prevent a “prevent a serious and imminent threat.” This adds another layer of complexity to this whole situation.

Should you be requesting this information? Should you be sharing any employee information with government bodies for public health reasons? And, if you do hand over employee data to the government, where does your liability start and where does it end?

Our Standpoint

We’re not here to make bold claims regarding data privacy. And we certainly don’t have all the answers, since authority guidance has yet to be released. But we will say that every business should be following five core rules.

1. Minimize Employee Data Acquisition

We understand that these are unique times. You have to collect some baseline level of employee health information regarding COVID-19 to keep your workplace and your community safe. But you should collect as little information as possible to manage the COVID-19 situation at your business. Gartner also recommends data minimization when dealing with coronavirus data, so this should be a front-of-mind strategy going forward.  This includes regular and automated data discovery to find unexpected data locations (ie. Open form fields) and verify acquisition policies are actually being followed.

2. Minimize Employee Data Processing

Again, the key here is to do as little processing and acquisition as possible to keep your workplace safe. Don’t horde data in archaic systems, and don’t over-process data outside of the scope of necessity. It can be difficult to figure out where to draw that imaginary line in the sand of your data strategy, but you should work closely with your compliance teams to discover the least amount of data that you can process.  Storing data is cheaper than ever and analyzing data for insights with AI and ML may be tantalizing, however, less is more in this case.  Do you have a technical control to audit the enterprise data dumping grounds – data lakes – for toxic data combinations that could re-identify an individual?

3. Adequately Store Employee Data

You should have a high-level process to capture, store, and utilize employee health data relating to COVID-19. Data should be de-identified and encrypted, and you should have your data cataloged appropriately to ensure compliance with overarching data privacy structures. I Treat COVID-19 data as sensitive data, categorize it appropriately, and enable “trust but verify” processes to seek out clear text data that matches data classifications for data that should be protected.  Ensure that best data handling best practices are being applied to this data. For example, “are we retaining this data for longer then we need to keep it”.

4. Tread Carefully When Sharing Information

This part gets complicated. For starters, you don’t necessarily need employee consent to share data for reasons relating to public health interest. When you exercise data processing or data acquisition in the name of a vested authority, you should still comply with legal bases until specifics have been released by larger bodies of authority. For now, minimize sharing details with the press, especially given the complex layer of uncertainty that surrounds the current data privacy landscape.  This also applies to business partners with data-sharing agreements.  Monitor inbound and outbound application APIs for sensitive data.

5. Maintain Confidentiality

Employers have a legal obligation to protect their employees. Given the evolving pandemic, you should almost certainly inform employees about cases within their workspace. But you should also maintain confidentiality when you release this information. We highly recommend releasing this information broadly to avoid legal hiccups instead of attempting to use internal contact tracing.  Contact tracing and specific identity attributes can be easily used to piece together an employee’s identity.  A news outlet recently reported on a COVID-19 case likely contracted at a security conference along with eight unique identifiers about the infected individual, but “withheld the name to protect his privacy.”  A quick search on LinkedIn narrowed down the search to one person…with only 1)  Company name  2)  State/location  3)  Title keyword.

Start by Implementing the Right Systems

At Integris Software, we’ve been paying careful attention to the evolving compliance situation surrounding COVID-19 data. We develop data privacy, governance, and protection solutions and understanding the current landscape is paramount for our customers. If you’re looking to learn more about privacy by design during this evolving situation contact us.