How HR Managers Can Adopt Robust Data Collection and Protection Practices for COVID-19 Screenings


COVID-19 has brought to the forefront a range of data privacy issues. Therefore, it’s important for companies to pay attention to the subject of privacy and adopt robust data collection and protection practices to maintain employee trust and avoid legal issues, writes Adam Day, president & CEO, Time Rack.

In the battle against COVID-19, offices, distribution centers, and other workplaces have scrambled to create a safe and secure workplace for employees. The outcome has been the implementation of safety protocols, employee COVID screenings, and new technology. However, given the priority has been protecting health above all else, all businesses need to ensure they’ve approached data collection and employee privacy protection with the same rigor.

According to consultancy experts PwC, employee privacy issues could become a sleeping giant during the COVID-19 pandemic, with potentially huge consequences from HR policy violations to data theft and litigation. And while employers are rightly trying to protect their staff and customers by screening for COVID symptoms, measures such as contact tracing and health questionnaires mean companies are collecting vast amounts of personal data from their employees.

Therefore, it’s vital that as HR professionals we understand the risks that come with data collection and are familiar with the tools and best practices that can help mitigate this business risk.

Risks Companies Face When Collecting COVID-19 Symptom Screening Data

As a company, you need to be vigilant when collecting, processing, and disclosing personal data. At first, it might seem straightforward to adhere to the privacy laws, but companies have found that with laws changing quickly and varying between jurisdictions, it can be difficult to know what the correct protocols are. There are three areas, in particular, where companies face the most risk of committing privacy violations.

1. Gaining consent

Consent is a delicate subject when it comes to employee data collection. What counts as ‘valid consent’ varies widely at the federal and state level. As a company, you should always check whether consent for symptom screenings requires written and explicit contracts, or whether verbal agreements are satisfactory according to the law.

There is also a possibility that an employee may feel coerced into consenting, as they may fear their job is on the line if they choose to opt-out. Therefore, you must be as open and transparent as possible, take the time to discuss any concerns raised by the employees, and accommodate to the best of your ability the individual needs.

2. Data use and privacy

Before the pandemic, some employees were already wary about how their personally identifiable information (PII) was used, as data privacy issues are now abundant. Yet, with health screenings being used as a tool to contain COVID-19, employees have had to give away more of their PII and place greater trust in their employer.

As an employer, it’s your responsibility to use this information for COVID-19 purposes only and refrain from transferring this data to other parties, selling the data, disclosing PII, or inappropriately storing the information. Failure to follow these privacy protocols can lead to violating privacy guidelines such as the Health Insurance Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act (ADA).

3. Discrimination and sensitivity around the use of data

Companies should be aware that health screenings, like symptom questionnaires and temperature monitoring, fall under the category of medical examinations. For that reason, the data collected is considered confidential and must be stored in a medical file that complies with the ADA regulations.

Employees can file complaints if they believe that their medical data is being used for non-COVID-19 purposes and instead used to discriminate against them for pre-existing conditions or other non-COVID health concerns. Furthermore, if the health screenings are carried out by third parties, it is the employer’s responsibility to ensure that the third party is adhering to privacy and disclosure regulations. Failure to comply with these measures can put your company at risk of violating EEOC guidelines.

Practical Steps for Handling and Storing Screening Data

Now, while screening employees for COVID-19 comes with risks attached, there are plenty of simple measures your company can take to ensure health screenings abide by various data privacy laws.

1. Adopting a less is more mentality

Companies should always be thinking about how they can gather the information they need while collecting the least amount of PII. This can be done by learning to ask strategic questions that focus solely on COVID-19 monitoring. The best way to formulate these strategic questions is to first carry out a privacy impact assessment to assess how different types of data collection can impact employees.

2. Deciding who can access the data

Who has access to the data can vary depending on the type of collection and information gathered. If PII was gathered by an external company, it is the responsibility of both your company and the vendor to adhere to the data privacy laws.

Within your company, only a limited number of employees should be allowed to access PII and should be monitored and trained before being given related responsibilities. Employees should be prohibited from sharing or transferring this information, or from accessing this information through public devices. The employees chosen to handle PII should be in appropriate positions (i.e. within the HR team) and you may consider requesting that they sign confidentiality agreements.

3. Securely storing the data

Files that contain PII need to be stored in an adequate and discreet manner. If the PII is collected digitally, your company should avoid storing the information on shared drives/sheets/docs and consider investing in data privacy vaults.

All files should be password-protected with multi-factor authentication required for access. In addition, you should consider encryption to prevent data loss and to keep cybercriminals or non-authorized employees from getting access to the PII. If the data is paper-based, it should be locked in cabinets and its location should only be given to the authorized employees.

4. Managing PII deletion requests

Handling PII responsibly requires honoring data deletion requests. This can be a more complicated process than many think if data is not stored properly, or if employees are unaware of the data that has been collected.

When a deletion request comes in, your company must be able to locate ALL PII and ensure that all files from every device and folder are permanently deleted or destroyed. Time is of the essence, as these requests must be completed as soon as they come in. It is wise to set up a system for processing these incoming requests in order to avoid complaints and violations.

5. Seeking legal and insurance advice

Reaching out to legal professionals and insurance carriers should be standard for most businesses as they navigate these uncertain times. These professionals can best advise your company on whether your health screening and data collection practices are appropriate, based on location, policies, and protocols.

They can also offer insight on current trends or things to watch out for when it comes to data protection.

6. Using the right tool for the job

A DIY solution such as Google Forms and Sheets can be prone to data leaks, unauthorized access and other issues. Therefore, consider whether investing in specialist symptom screening software provides a more robust solution. For example, symptom screening mobile apps allow employees to self-screen before they leave home to start their shift, preventing potential bottlenecks at the building entrance.

7. Transparency goes a long way

When it comes to collecting data, transparency goes a long way. If your company hides or omits information about how health screening data will be used, transferred, or stored, it can destroy trust within an organization and lead to legal battles. Therefore, employers must be transparent before they collect any data. Specifically, they must inform their employees about the purpose of collection, who will handle the gathered data, and the types of data they will need to provide, and be able to point to privacy and health laws that justify the screenings.

While nationwide distribution of the COVID-19 vaccine has offered hope that we are at the beginning of the end, the same cannot be said for the data privacy issues that the pandemic has brought to the forefront. Now more than ever, it’s important for companies to pay extra attention to the subject of privacy and adopt robust data collection and protection practices to maintain employee trust and avoid any legal issues.