August 15, 2020

Volume X, Number 228

Maintaining Employees’ Privacy During a Public Health Crisis

As coronavirus disease 2019 (COVID-19) continues to spread, employers have been trying to strike a balance between safety and privacy as they apply their own policies and attempt to follow laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act of 1996 in the United States. Health data is often granted greater protective status under data-privacy laws and is subject to additional specialized laws. Most data-protection laws specify health- and safety-related exceptions that allow for more data collection and processing, with the GDPR citing “the prevention or control of communicable diseases and other serious threats to health” as one reason for such derogation.

A guiding principle of the GDPR is to avoid collecting, processing, or disclosing data unnecessarily and to maintain employee privacy—even during a global public health emergency. It is worth considering the purpose of a contemplated measure and whether that measure would reasonably accomplish its purpose based on the facts known at the time. Similar principles apply to transferring personal data. Whenever an employer processes its employees’ personal data, employees must be on notice about what the data will be used for as well as the consequences of nondisclosure.

A good first step is to look to governmental or other authoritative guidance, such as, in the United States, the Centers for Disease Control and Prevention (CDC) guidelines for businesses and employers. On February 27, 2020, the World Health Organization issued guidance for employers regarding COVID-19. For example, following the CDC’s recommendation, many U.S. employers are asking employees who are ill or experiencing symptoms of COVID-19 to work from home for two weeks, or even placing them on leave if their jobs cannot be done remotely. However, because new information about a potentially longer incubation period has emerged, as well as the possibility of asymptomatic transmission, employers may want to reconsider that length of time. They may also want to consider whether requiring those employees whose jobs cannot be done remotely to go on extended leave—especially if it’s unpaid leave—would do more harm than good by incentivizing employees to hide symptoms or withhold information about possible exposure to COVID-19.

The risk calculus will differ for each company and each position. Here are some of the more common privacy-implicating scenarios, which are complicated by the lack of definitive information about the transmission of this virus.

Employees’ Personal Travel

Due to the coronavirus situation, almost all employees would probably disclose high-risk travel to their employers. But can employers require employees to disclose the details of their travel? In countries where there is a constitutional right to a “private life,” employers may want to tread lightly. As long as areas of heightened epidemic concentration exist, employers can articulate a legitimate interest in asking employees about their travel to those areas in the name of keeping their workforces safe. But employers may want to keep in mind that at some point COVID-19 may reach community spread on a global basis and holding some areas as “higher risk” than others and requiring disclosure accordingly could be an obsolete designation. What about asking about employees’ family members’ travel? Where can employers draw this line? One approach: track and link to the applicable government site and encourage employees to disclose any potential heightened risk of exposure.

Employees’ Medical Information

At present, someone who tests positive for COVID-19 will likely be required by applicable health authorities to disclose that to his or her employer. But can employers actively seek this type of information from their employees? Some companies have contemplated mandating routine temperature screenings or asking for results of medical examinations. In many jurisdictions (including the United States and Europe), there are laws that limit employers’ ability to require medical examinations without specific reasons. What happens if an employee overhears someone else’s cough and reports it? The employer would likely investigate and take some follow-up action, but with a view toward doing so discreetly so as to avoid stigmatization or unnecessary alarm.

Identifying Specific Employees Following a Positive Test or Exposure

If an employee tests positive for COVID-19, how should his or her employer alert its other employees and keep them safe? The GDPR encourages anonymization in appropriate circumstances, but a general disclosure that someone in the company has tested positive may cause paranoia and panic, which may lead to even more stress and harm. And what about secondhand or thirdhand exposure? Once an employer becomes aware of a potential connection or even a remote or theoretical risk, it may want to exercise extreme caution when crafting the communication in order to avoid unnecessary alarm and/or privacy intrusion.

Privacy-related concerns surrounding COVID-19 abound. One problem is that current information about incubation and transmission leaves employers in a position where they cannot easily convert employee personal data into measures reasonably likely to prevent spread and keep their workforces safe. Employers that collect relevant personal data may want to consider (1) if certain data is no longer useful to collect or if it should be collected in a different way; and (2) creating incentives to encourage employee disclosure and the seeking of medical treatment, such as allowing employees to work remotely and providing paid sick leave where possible so that employees will stay home when sick.

Finally, striking a balance between maintaining employees’ privacy and safeguarding their health is quite difficult. Measures that might violate privacy laws (including those viewed in hindsight) but are reasonably tailored and motivated by employee safety based on reliable sources may be worth the front-end risk of implementing. Data privacy regulators may be open to understanding why data controllers acted in the way they did; thus, they are slow to impose penalties where a reasonable risk assessment (sometimes called a “data protection impact assessment”) has been completed. Employers that are concerned that their measures overreach from a privacy perspective may want to consider handling concerns on a case-by-case basis through reasonable enforcement.

© 2020, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved. National Law Review, Volume X, Number 63


About this Author

Bonnie Puckett, Ogletree Deakins Law Firm, Atlanta, Labor and Employment Litigation Attorney

Bonnie Puckett leads the firm’s Asia-Pacific practice and offers global companies business-practical cross-border guidance on all aspects of managing a global and internationally-mobile workforce, reconciling complex issues of multiple and conflicting laws and managing risk.  Her regional focus spans Asia and beyond, with specialized expertise in countries such as China, Japan, Korea, Hong Kong, Singapore, India, Australia, Israel, and the UAE, as well as experience with matters in Europe and the Americas.  Bonnie’s practice covers data privacy, employee mobility and expatriate strategy,...

Simon McMenemy, Labor Employment, Managing Partner, New York, OgleTree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals. He is a trusted advisor to many employers on all their people management issues and has particular expertise in investigations, including those relating to potential business ethics violations. Simon is a trained mediator and is also a senior reservist officer in the military.

