Eye strain is no longer limited to hours of computer viewing




The landscape of privacy and data security laws in the United States is difficult at best, as they change frequently. I refer to privacy and data security laws as a patchwork quilt, as they have been implemented by both the federal government and state legislatures in an ad hoc manner as technology advances and privacy concerns become more prevalent.

Most data privacy laws relate to personal information collected from consumers by businesses, and there are limited data privacy laws relating to the collection of data from employees. Please note that this article only discusses the collection of information from employees from a data privacy perspective. It does not discuss other laws that may be applicable to employee data collection, such as the Occupational Safety and Health Act (OSHA) and the Americans with Disabilities Act.

Against the backdrop of the coronavirus pandemic, for the first time ever, many companies are gathering more private information from their employees, including health information such as temperature screenings and health questionnaires, to assist with a safe transition from working at home back to the workplace.

In doing so, there are several data privacy laws and principles that companies may want to consider in determining how to collect, use, disclose and retain employee data.

This article is designed to address the balance between collecting health information from employees to maintain a safe workplace with those employees’ privacy concerns. It aims to challenge companies to treat this information in a different way and to be more strategic in how the information is collected, used and stored. Simply put, companies may want to carefully balance the need to collect data from their employees to provide a safe workplace with protecting the privacy of their employees. I also assume that companies may want to consider not keeping coronavirus health screening information collected from employees in employee personnel files.

Using a privacy impact assessment

When determining what information an employer needs to obtain so that it can provide a safe working environment for all employees as required by OSHA, employers can use a privacy impact assessment (PIA). A PIA is designed to assist in making decisions about the parameters of the collection of personal information in the minimum amount necessary to serve the purpose of the collection and, consequently, to consider how the collection affects the privacy of the individual whose information is collected.

In this context, when an employer decides what information it needs to collect from its employees to get workers from home to a safe work environment, it should consider collecting only the minimum amount needed to provide a safe work environment.

For example, an employer may believe that a temperature screening is an appropriate piece of data to collect from an employee before allowing the employee to physically work in the workplace. When using a PIA, the employer considers several questions before deciding that a temperature screen is a data item necessary for its purpose (a safe work environment) and whether the employee’s privacy is balanced with the need to obtain the information.

Some questions to consider when completing the PIA may include “How reliable is a temperature reading to predict if someone has COVID?” “How do I collect the temperature information?” “Do we take the employee’s temperature in the workplace or do we allow the employee to take their own temperature at home before entering the workplace?” “If we take the temperature in the workplace, is the information identifiable?” “What do we do with the information after we acquire it?” “Is it stored on a device?” “Is it shared with others?” “Is it aggregated with other information?” “Is it identifiable again?” “How long should it be kept?”

Privacy from an employee’s point of view

From an employee’s point of view, this new collection of health information can be daunting and “fraternal”. Most employees will voluntarily provide this type of information to their employers as good corporate citizens because they want to work in a safe environment and rely on their colleagues to do the same.

Some questions employees may have about the collection of their temperature may include “Does my employer actually need to know what my temperature is on a daily basis, or just that I have no temperature?” “Once my temperature is taken, where does this information go?” “Is my employer disclosing this information to others in the company or to third parties?” “Where do they keep the information and for how long?” “Are they putting it in my personnel file? If so, why?” “Do they really need to keep it?”

These questions from both the employer and the employee help the employer determine whether collection is necessary for the purpose and how to collect, use, disclose, and store it.

Whatever the decision the company makes, a reasoned approach should be taken to collect only the minimum amount of information necessary for the purpose of the company, and the information should only be kept for as long as is necessary to be used for that purpose.

In addition to temperature information, many employers require employees to complete a health screening questionnaire before physically arriving at the workplace. As with temperature scans, for many companies and employees, this is the first time that employers have asked employees about health information on a daily basis.

While this information may be important for assessing and maintaining a safe workplace, before deciding to use health questionnaires, employers may want to consider applying a PIA to help determine the minimum amount of information necessary to obtain from the employee in order to provide a safe workplace and that it is kept only for the time necessary for that purpose, in line with the analysis above.

Many employees may not feel comfortable providing health information, such as a daily temperature monitoring or health screening questionnaire to an employer, and may see it as an invasion of privacy.

To make employees feel more comfortable with the collection of this sensitive data, it is important to be transparent with employees about why the information is collected, how it will be used, that it will be kept confidential and that it will be destroyed when it is no longer needed.

Return-to-work program

Documenting a return-to-work program to provide to employees, outlining the collection, use, disclosure and retention of data collected from them, will help make employees feel more comfortable that the employer has considered their privacy concerns. If a company has employees who reside in California, the California Consumer Privacy Act (CCPA) requires employers to notify employees of the categories of personal information they are collecting from employees, the purpose for which the information is collected, how it is collected, used and disclosed, and for how long it is kept. Health information is included in the definition of “personal information” in the CCPA, so employers may want to include information about COVID-19 screening in their California employee notices. Whether you have employees residing in California or not, how much information you will collect, how you will use and disclose it, how you will store it and how long you will keep it is important information to provide to your employees, whether a law requires it or not.

In addition to completing PIAs to determine what information to collect from employees, when implementing a return-to-work program, attention should be paid to how the company’s data retention and destruction program applies in the context of collecting health data from employees during the pandemic. This health information is collected and used for one purpose: to maintain a safe workplace. A temperature taken today, if elevated, or a health questionnaire completed today may not be relevant tomorrow or in 14 or 30 days in the context of maintaining a safe workplace.

I assume that companies take time to consider how this information fits into their existing data retention schedule and not to include this data in their personnel records by default. Consider keeping this information separate from personnel records, as it is collected for a limited purpose and only used for a short period of time. Unless state or federal law requires these records to be kept for a specific purpose or period of time (of which I am unaware at the time of this writing), this information should be destroyed when it is no longer relevant. Destruction of information protects employee privacy.

There are data retention laws that require staff records to be kept for a considerable period of time. Of course, it is important to comply with any laws that may apply, and you should consult with your attorney to determine how to include these records in the company’s data retention schedule. Consider processing this information in the context in which it is collected when determining how long to keep it. It is collected for a limited purpose and is only needed for a limited time. Don’t automatically include them in your staff files because you don’t know where else to put them and you don’t want to take the time to consider the context of the limited collection purpose and employee privacy concerns.

In conclusion, when considering the collection of health information from employees during the pandemic, take the time to consider the minimum amount of information necessary to maintain a safe workplace, be transparent with your employees about the purpose of collecting health information and about how it will be collected, used, disclosed and stored, and determine how the information fits into the company’s data retention and destruction program.

Everyone wants to be a good corporate citizen and help maintain a safe work environment, but it is worth considering balancing employee privacy in a thoughtful way during this unusual time.

Linn Freedman is president of the Data Privacy + Cybersecurity team at Robinson & Cole, LLP. Ms. Freedman focuses her practice on complying with all state and federal privacy and data security laws and regulations, as well as emergency data breach response, mitigation, and litigation.
