U.S. and Global Employee Data Privacy FAQs
An employer’s response to COVID-19 involves numerous privacy issues. Below are some answers to frequently asked questions (FAQs) about these issues within the United States and globally, based on laws such as the Americans with Disabilities Act (ADA) (which applies in the United States) and the European Union’s General Data Protection Regulation (GDPR). While many of these principles can be applied globally, employers should always look to applicable local laws in their jurisdictions and guidance from public health authorities. Employers should also consult any applicable internal policies, data privacy notices, employee collective bargaining agreements, employment contracts, and individual employment terms.
1. What statutes, regulations, and other legal issues do employers need to consider in connection with COVID-19 employee privacy issues?
In the United States, the relevant sources include the Americans with Disabilities Act, state and local privacy legislation (such as the California Consumer Privacy Act), and state common law. Additionally, many U.S. companies have self-certified under the EU – U.S. Privacy Shield, or have made other contractual commitments to privacy, making the GDPR framework relevant. U.S. health care providers, group health plans and other employer-sponsored medical programs (such as on-site medical professionals providing wellness programs or medical care to employees), health insurers, and companies that work with providers, plans and insurers that handle health information are also covered by the Health Insurance Portability and Accountability Act (HIPAA).
Outside the United States, GDPR applies to EU residents, and many countries have adopted global programs that are GDPR-compliant (whether or not they are EU – US Privacy-Shield certified). Other countries have data-protection statutes that may be broader than or different from GDPR. For example, Korea’s data privacy law requires explicit consent for employers to collect employee data and detailed disclosures about third parties to whom data is disclosed.
In any jurisdiction, certain employer actions may rise to the level of a tort claim such as invasion of privacy or negligence.
Employers should check internal policies, data privacy notices, and contract provisions related to privacy, as well as collective-bargaining agreements. Employers with employee representative bodies (unions, Works Councils, etc.) may need or want to consult with those bodies before implementing new measures implicating employee privacy.
2. What data-protection principles are relevant to COVID-19 employee privacy issues?
Employers need a valid reason for collecting health-related information of the nature necessary to implement a COVID-19 response plan in the workplace. Most applicable laws contain relevant exemptions that permit inquiries and data collection that would otherwise be prohibited. The ADA prohibits employer “medical examination” requirements and disability-related inquiries, but guidance from the Equal Employment Opportunity Commission (EEOC) establishes that it considers the COVID-19 pandemic a “direct threat.”
Similarly, under GDPR and applicable local privacy legislation, employers need a valid reason to collect employee data, and medical data is considered “sensitive” or “special category” data that is subject to a higher threshold. GDPR contains exceptions for employers that need to collect data to use for lawful purposes in connection with workplace safety and other aspects of managing an employment relationship. HIPAA may prohibit employer-sponsored health plans or programs from sharing employee health information with non-plan personnel. Employees may, however, complete authorization forms allowing the release of designated information back to employers.
Under GDPR and applicable privacy legislation, employers may need to give employees advance notice of, and/or obtain their consent to, how and for what purposes their data will be collected, disclosed, processed, used, transferred, and retained, as well as the possible consequences of nondisclosure. Most GDPR-compliant employers will have issued a Notice to employees regarding data the employer uses to manage the employment relationship. They may need or want to issue an additional notice in connection with specific disclosures, particularly if existing notices and policies do not put employees on adequate notice of the ways in which the employer intends to collect data.
Data Security and Retention
GDPR requires businesses to enact certain measures to keep personal data secure, including notification of a breach. Under the ADA, any employee medical information employers maintain must be kept as a “confidential medical record.” Individual U.S. states also have statutes that protect personally identifiable information, and individual jurisdictions have specific data-retention requirements.
Anonymization / Minimization
Two additional privacy concepts that may be helpful to employers in this environment are data minimization and data anonymization. “Data minimization” refers to the practice of taking a balanced approach to minimizing the disclosure of private employee information to only the information that needs to be disclosed, and only to those with a need to know, such as human resources (HR) professionals trained to maintain privacy. “Data anonymization” in this context means providing general information about infected individuals (depending on context and potential exposure, this may mean job title, work area, etc.), so long as the information does not disclose personally identifiable information.
We recommend that employers make inquiries and disclosures in line with the above principles to the extent possible consistent with public health authority guidance.
Balancing / Reasonableness
U.S. state and local officials have increasingly requested (but not mandated) that employers balance privacy concerns with the overriding desire to take actions in support of public health policies designed to minimize public health risks in connection with COVID-19.
3. Can an employer ask employees to disclose that they have an illness or are experiencing symptoms of an illness?
Yes, if done in accordance with applicable laws, policies, and principles. In the US, the EEOC has issued guidance that the COVID-19 pandemic meets the “direct threat” standard, such that employers can make inquiries related to it consistent with the ADA. Employers should ground any questions they ask in applicable public health authority guidance (e.g., employers should avoid asking questions about symptoms that local public health authorities have not identified as symptoms of COVID-19). Employers should consult local public health authorities in connection with any specific inquiries. As a practical matter, employers can and should request or require that employees immediately report to them if they believe they have been exposed to COVID-19, are experiencing COVID-19 symptoms, have tested positive for COVID-19, or have been diagnosed by a health care provider as presumptively having COVID-19.
4. Can an employer conduct temperature checks before allowing employees or visitors to enter the workplace?
From a purely privacy perspective, yes, with proper disclosure and secure, confidential retention of any data kept. Before deciding to conduct temperature checks, employers should satisfy themselves that they are able to do so in a manner consistent with workplace safety as applied by local public health authorities. Any safety protocols related to temperature checks should be vetted with a medical professional or epidemiologist. If employers contract with medical providers to conduct temperature checks on site, those providers may be subject to HIPAA, requiring careful design of the process for collection and release of testing results back to the employer. Thus far, very few government authorities have issued guidance as to how to conduct temperature checks, but employers should check with applicable health departments as to whether they have screening recommendations or requirements, which may include guidance on questions permissible to ask (such as the Ohio Department of Health’s “Screening Employees for COVID-19” guidance).
5. Can an employer ask employees to disclose information about their personal travel plans?
Yes, in light of the current border restrictions and government travel advisories, employers can ask for information about employee travel. Employers may not be discriminatory or stigmatizing in requiring these disclosures. GDPR-compliant employers or employers subject to local data-protection legislation must give employees proper notice including the purpose, use, and potential consequences of nondisclosure.
6. May employers disclose the identity and/or other information about an employee who tests positive for COVID-19 to other employees, customers, vendors, or other third parties?
Most employers will learn of a COVID-19 diagnosis from the employee, his or her family, or a public health authority. If a public health authority is in contact with an employer, the employer should take direction from that authority. Otherwise, employers should be mindful that, in many jurisdictions (e.g., the European Union under GDPR), health data is classed as sensitive personal data, and they should not share the identity of infected or exposed employees. Employers can, however, inform members of the workforce that they may have been exposed to COVID-19 without revealing the identity of affected employees.
The particular messaging will depend on the circumstances; in some cases the identity of the affected individual will be obvious. Even if the individual’s name is withheld, the disclosure would still likely constitute “personal data” if the individual can be identified from it. But GDPR and most other data-protection laws contain exceptions for public health emergencies. Employers should still take care to tailor their disclosures to the purpose and not to disclose more than necessary. (See question 19.) Accordingly, as circumstances are case-specific and jurisdiction-specific, employers should take advice on any applicable local data protection laws and call their local public health authorities for guidance.
The WHO “Getting your workplace ready for COVID-19” guidance states that potentially exposed employees should be given the information necessary to adequately inform them of their potential workplace exposure, or as otherwise directed by the local public health authority. Many countries’ workplace health-and-safety laws also require similar disclosures to varying extents. Employers can also communicate to non-exposed employees that there has been a COVID-19 diagnosis, without sharing additional identifying information. Before proceeding, employers should also evaluate any applicable local privacy laws to ensure they do not contain different or additional requirements or provisions.
Generally, wide disclosure of the name of an employee who has tested positive to the workforce or to third parties is still prohibited based on current guidance. In the United States, the ADA requires employers that collect medical information from employees to keep such information confidential. The EEOC and CDC guidance regarding COVID-19 makes clear that, while it may be necessary to collect medical information from employees about their conditions, employee confidentiality under the ADA must be maintained. Communications with employees exposed through contact with an employee who tests positive should be sufficient to indicate the heightened risk, without violating confidentiality by divulging the identity of the person who tested positive. In the United States, employers must also be mindful of OSHA’s General Duty Clause, which requires employers to maintain a safe workplace.
Applicable data-protection legislation such as the GDPR applies outside the United States, as well as to U.S. companies that have opted into the EU – U.S. Privacy Shield. Under GDPR, employers cannot disclose personal data without a valid reason. Protecting employee health and safety provides an exception, but employers should still disclose only what is necessary to achieve that purpose. That should exclude the individual’s name if possible.
7. May an employer ask an employee for consent to disclose his or her identity and/or other personal information in connection with the employee’s actual or potential diagnosis with COVID-19?
It is always helpful for an employer to establish a rapport with an individual diagnosed with COVID-19, and as part of this relationship, to inform the employee about what will be disclosed before its disclosure to the extent possible. Whether and how to get “consent” to disclose particular information will depend on the circumstances. In some circumstances, getting the individual’s consent to disclose his or her name may assist in the disclosure process. Even this poses some risk if potentially coerced, however, particularly under GDPR (where employers are not permitted to rely on employee “consent” as a means to disclose, as it is deemed that the employee will not feel free to refuse).
8. May an employer ask an employee about his or her workplace contacts for contact tracing purposes?
Yes, an employer can ask about this if it has a present need for this information, such as when the employee has been diagnosed with COVID-19, reports symptoms of COVID-19, or reports known exposure to a diagnosed case of COVID-19. Employers seeking to ask employees about their workplace contacts outside of a present need (such as from asymptomatic employees without known exposure, as a matter of course) should exercise caution and consult local public health authorities for guidance. Some health authorities have indicated that contact tracing may not be practicable or necessary in situations where there is community spread.
In its guidance to employers, the CDC has stated that “[t]o prevent stigma and discrimination in the workplace,” employers should “use only the guidance described below to determine risk of COVID-19 infection.” The guidance also does not suggest that employers’ implementation of social distancing involve proactive contact tracing. Employers should keep this information confidential once collected, and if not connected with an immediate need to disclose exposure, should give appropriate disclosures to employees before collecting the information.
9. In the United States, is an employer’s knowledge that an employee has COVID-19 subject to HIPAA’s privacy restrictions?
Not usually. HIPAA regulates the use and disclosure of patients’ health information held by health care providers, health plans or insurers, and organizations that support these entities. It is not applicable to most employers (even those within the health care industry) as long as they are not actually treating the employee (as an on-site provider would), paying for the costs of treatment (e.g., insurers and plans), or providing services to companies that do these things. Because most employers will learn of a COVID-19 diagnosis from the employee or his or her family in the employer’s role as an employer, HIPAA usually will not be implicated.
On the other hand, if an employee sees an employer’s on-site medical provider, any disclosure from that provider directly to the employer would likely be covered by HIPAA. In most cases, employers’ policies should require the employee to disclose and avoid coordinating with any medical provider directly.
10. If an employer learns that an employee has tested positive for COVID-19, can it disclose the employee’s name to a public health authority?
The current CDC guidance suggests that employers should contact the local public health authority and tell it that an employee has tested positive. Employers need not volunteer the identity of the employee by name, but they should answer any questions of the public health authority (including identifying the employee if asked) and provide details regarding the location where the employee worked. Employers should follow whatever directives the local public health authority provides.
11. Is an employer allowed to ask questions of an employee who has tested positive for COVID-19?
Generally, yes. The appropriate individual designated by the employer should follow the instructions of the CDC, state, or local public health authority with regard to seeking follow-up information from an employee who tests positive for COVID-19, which may or may not include asking the affected employee questions in an effort to trace the employee’s contacts and activities within the last 14 days or other time period.
12. How should employers instruct their supervisors about what they can and can’t discuss regarding an employee’s medical condition or symptoms in this environment?
Some laws permit exceptions or relaxed enforcement of privacy restrictions in the face of a public health emergency or similar crisis event. These exceptions are generally subject to interpretation, and new guidance is being issued as the crisis unfolds. Nonetheless, best practices for supervisor communication include the following: If supervisors receive information about an employee’s medical condition that implicates COVID-19, they should report that information to a designated member of the human resources, risk, or safety teams. Supervisors should not widely disclose medical information about an employee in any case. Guidance under the ADA indicates that direct supervisors should not be handling medical information for most purposes due to confidentiality, so a process that channels medical information through contacts other than those supervisors is advisable. Avoid designing programs that channel reporting through in-house medical providers, as doing so will likely require additional paperwork to authorize disclosures of medical information under HIPAA. Such paperwork is likely to be burdensome for a doctor or nurse who is already overwhelmed with treating impacted employees.
13. Is a unionized employer required to disclose to a union, upon an information request, the names of individuals who have tested positive for, exhibit symptoms of, or have been exposed to persons who have tested positive for COVID-19?
This is confidential employee medical information, and employers must handle it with care. Employers may be prohibited from releasing such information to third parties under state privacy laws and/or the ADA. Employers should carefully explore a union’s explanation for why it wants this information, notify employees that the union has asked for it, and request a release. If an employee is not willing to release the information to the union, that refusal should be clearly communicated in an objection to the union’s information request. Statistical data without employee-identifying information, such as the number of employees who have tested positive, is not confidential medical information.
14. How should employers store information gathered in connection with COVID-19 (symptoms, diagnosis, contact tracing, etc.)?
Under the ADA, information gathered must be stored as a “confidential medical record,” kept in line with the company’s existing storage and retention protocols for such records. Employers also need to consider their existing data privacy notices and applicable data-protection legislation, which may impose different requirements.