Covid-19 Will Make the Workplace a Privacy Hotspot

The workplace environment is about to get more stressful. Human Relations departments must figure out how to prevent employees from potentially spreading Covid-19 when they return to work. Many are considering using contact tracing apps and monitoring real-time social distancing in the office, but a global survey released by Cisco last month found that many people are concerned about their privacy, even if employers are taking measures to protect public health.

More than a third of the 2,600 respondents in the survey said they want no relaxation of privacy laws due to the pandemic, 43% don’t want employers conducting medical checks and requesting health information, and nearly two-thirds don’t support disclosing information about infected individuals. While everyone wants to get back to business as usual, employers need to be careful that their efforts to monitor the health of employees and prevent the spread of the virus remain respectful of employee privacy and aren’t intrusive.

Uncharted territory

Despite the patchwork of laws and vague standards, doing nothing is not an option. Businesses have a duty under the Occupational Safety and Health Act (OSHA) to maintain a workplace that is “free from recognized hazards that are causing or likely to cause death or serious physical harm.” The Equal Employment Opportunity Commission (EEOC) has said employers may restrict access to facilities for people who pose a “direct threat” to the health and safety of others and has categorized Covid-19 as a “direct threat.” Employers are advised to ask their workforce about symptoms, measure body temperature, and test for the virus. (The HR Policy Association has created a handy guide that synthesizes all the applicable laws.)

While personal health information is considered highly sensitive under HIPAA, the data that employers need to collect for prevention and tracking is not always within its scope. For data — and organizations themselves — that are not even covered by HIPAA, there is no clear standard for collecting and managing this information.

Other cited regulations aren’t very helpful. The Americans with Disabilities Act (ADA), which protects employees against workplace discrimination, prohibits employers from conducting medical exams of employees or disability-related inquiries except when there is reason to believe an employee’s medical condition could pose a direct threat to the health and safety of others. This can be interpreted as allowing employers to ask pandemic-related health questions of employees, but there’s no guidance beyond that.

Questionnaires, wearables and mobile apps

Despite the vague and inconsistent guidelines, companies are gathering employee health information, tracing contacts, and enforcing social distancing. HR questionnaires are asking probing health questions to find signs of illness or viral exposure. A recent IAPP survey found that 60% of employers are keeping records of workers who are diagnosed with coronavirus, and 23% are actively taking employee temperatures. Companies are checking for signs of illness before allowing employees into buildings, giving tests, issuing masks, and taking temperatures. Ford is testing wristbands that track employee movements and buzz if people get too close to each other. Amazon is testing thermal cameras and forehead thermometers.

To address privacy concerns, many companies are deploying contact tracing apps that store data locally on the device and use Bluetooth-based software developed by Apple and Google. However, not all contact tracing apps take this approach. Care19, which relies on GPS data and is used in North Dakota and South Dakota, was found to violate its own privacy policy by sharing data with outside companies.

With a global pandemic still under way, businesses need to tread carefully and be mindful of the consequences of the policies and solutions they put in place. For health data, companies should collect and use only the minimum information they need to protect the health of employees. The data should never be used for decisions related to performance reviews or promotions.

Companies need to ensure that location-based data collection does not happen while employees are out of the building. Employees should not be penalized for their activities outside of work. When contact tracing apps are leveraged in the name of safety, the line between on and off hours gets very blurry. Even well-meaning efforts to protect the workplace could lead to unnecessary surveillance, data leakage, worker backlash, and lawsuits.

Heather Federman is VP of privacy and policy at BigID.
