June 16, 2021

Volume XI, Number 167

Advertisement

June 15, 2021

Subscribe to Latest Legal News and Analysis

June 14, 2021

Subscribe to Latest Legal News and Analysis

What’s your vaccination status? Key legal considerations before asking your employees about theirs

With 2019 novel coronavirus (COVID-19) vaccines available throughout the U.S., many employers are eager to normalize operations. For business planning purposes, surveying employees regarding their vaccination status may be a helpful tool in understanding if employee are, or plan to become, vaccinated.

If your business is considering surveying employees about their vaccination status, consider these four key legal areas before you act:

Four Legal Considerations Before Sending a Vaccination Status Survey 

1. Federal guidance from the EEOC

In December 2020, the U.S. Equal Employment Opportunity Commission (EEOC) issued guidance addressing vaccination status surveys from a federal law, and specifically an Americans with Disabilities Act (ADA), perspective. The EEOC stated that employers may generally inquire whether employees are vaccinated and ask for proof of vaccination without running afoul of the ADA. However, the EEOC cautioned that inquiring why an employee chooses not to get a vaccine could uncover underlying medical conditions that require accommodations. Employer knowledge of underlying medical conditions could also increase the risk of a disability discrimination claim if the employee later experiences an adverse employment action.

2. State omnibus data privacy laws

Omnibus data privacy laws broadly govern the collection and disclosure of personal data. The California Consumer Privacy Act (CCPA) is the original and only effective example in the U.S. as of this writing, but these statutes are growing in popularity. In fact, Virginia has enacted a data privacy law that becomes effective on Jan. 1, 2023, and similar statutes sit on legislative dockets in other states.

If a data privacy law applies to a company or the data it plans to collect, including employees’ vaccination status, the company must follow the law’s requirements when collecting such data. For example, the CCPA requires covered employers to provide written notice of the CCPA and the company’s CCPA-compliant privacy policy before collecting any personal data. Importantly, the CCPA applies to employers located in states outside of California collecting data on employees in California locations.

While California is the only state with an omnibus data privacy law impacting vaccine data collecting procedures today, employers should be aware of pending legislation in states where they operate as future omnibus privacy laws are inevitable.

3. State data security and data breach laws

Some states have adopted data security laws, which govern the securitization of “personal information.” These laws generally come in one of two forms:

  1. Laws that require employers to “take reasonable steps” to secure “personal information”  
  2. Laws that create a liability shield in the event of a data breach if the employer stores “personal information” in statutorily prescribed ways

Most states to adopt securitization laws follow the first pattern, while Ohio is the primary example of the second framework. Separately, all states have data breach notification laws. Under these statutes an employer must follow specified notification procedures if “personal information” is exposed by a data breach.

Whether these laws apply to the data employers collect on their employees’ vaccination status depends on how each state defines “personal information” in the applicable statutes. In many states any data containing a name plus health information is considered “personal information” and subject to state data security laws (if applicable) and breach notification laws (always applicable). In some states, however, the statutory definition of “personal information” is more restrictive, and likely does not include data on employees’ vaccination status. In all states, “personal information,” whether it includes or excludes vaccination status data, is defined the same for purposes of data security and data breach notification laws.

In those states where vaccination status data is considered “personal information,” it is crucial employers collecting vaccine data are compliant with storage securitization requirements and aware of their notification responsibilities.

4. New and existing state employment laws

State employment laws also may impose requirements on employers seeking their employees’ vaccination status. These types of laws fall into two categories:

  1. Pre-existing employment laws that happen to apply to vaccination status data collection or retention
  2. States considering legislation that restricts private businesses from asking their employees for proof of vaccination or about their vaccination status

In the latter category, Illinois has pending legislation (H.B. 3862) that would prohibit employers from requiring an employee to demonstrate that he or she has received a vaccine. The New York state legislature is also considering a bill (A.B. 4602), which provides “no person shall be required to have, carry or present evidence of having received immunization against COVID-19.”

Four Strategies for a Successful Vaccination Status Survey

Before surveying employees regarding vaccination status, it is advisable to:

  1. Work with counsel to verify which, if any, state data privacy laws or data security/notification laws you must comply with. You should also check if vaccination status data constitutes “personal information” under any applicable laws and is therefore subject to them. If so, ensure you are fully compliant before collecting any vaccination status information.
  2. Prepare to store the vaccination status data as you would Social Security Numbers, driver’s license numbers or other personally identifying information, unless there is a compelling reason not to.
  3. Ensure your survey avoids inquiring further if an employee says they are not getting the vaccine. Doing so may trigger accommodation requirements under the ADA.
  4. Keep an eye on enacted and pending legislation, such as the bills in Illinois and New York.

Key Takeaways for Employers 

The debates and legislation surrounding COVID-19 and COVID-19 vaccines are dynamic and fast-moving. Employers must therefore keep abreast of pending legislation in all the states in which they operate. 

Copyright © 2021 Godfrey & Kahn S.C.National Law Review, Volume XI, Number 131
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Paul J. Covaleski Litigation Attorney Godfrey & Kahn Madison, WI
Associate

Paul is an associate in the Madison office and a member of the Litigation Practice Group. Paul has litigated a variety of complex civil matters in Illinois and Wisconsin state and federal courts, primarily in the areas of labor & employment, products liability, antitrust, and insurance coverage.

Paul previously worked for a Chicago based law firm, focusing on commercial defense, products liability, and employment, matters. Prior to that, Paul worked as a judicial intern for the Honorable Thomas Waterman of the Iowa Supreme Court. While in law school, Paul served as a Note and...

608.284.2619
Sarah Mueller Employment Lawyer Godfrey Kahn
Associate

Sarah Mueller is an attorney in the Labor, Employment & Immigration practice group. Sarah’s practice focuses on advising clients on a wide variety of day-to-day employment matters, including administering federal and state family and medical leave laws, disability accommodations, and wage and hour matters.

Prior to joining Godfrey & Kahn, Sarah was a Judicial Intern for the Wisconsin Court of Appeals. While in law school, Sarah served as a Comment Editor for the Marquette Law Review. Sarah also served as a leader for Marquette University Law School’s Academic Success Program...

414.287.9353
Sarah A. Sargent Associate Milwaukee Cybersecurity Practice Group, Technology & Digital Business Practice Group
Associate

Sarah Sargent is a member of the Data Privacy & Cybersecurity Practice Group and Technology & Digital Business Practice Group. She holds the CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, allowing her to draw from both domestic and international best practices when it comes to questions of data privacy.

Sarah’s practice focuses on assisting clients in implementing innovative technology and finding practical business solutions for privacy compliance. She counsels clients on privacy compliance with a variety of state, federal,...

414-28-9450
Advertisement
Advertisement