Pandemics & privacy: Managing employee data risks
Employee health screenings and temperature checks during COVID-19 are exposing employers to serious privacy and cyber risks.
Editor’s Note: PropertyCasualty360 is committed to providing our readers with the latest insurance news and information. To that end, we are now publishing select stories in both English and Spanish. To read this article in Spanish, please click here.
As businesses in all 50 states reopen, they are facing another challenge: how to reopen safely. What safely reopening entails will vary from business to business. As the COVID-19 pandemic continues to be a significant concern, employers are looking for ways to keep up operations while keeping employees safe.
Fortunately, guidelines do exist to help with at least part of those safety measures. The Centers for Disease Control and Prevention (CDC) provides businesses with industry-specific guidelines for various industries, as has the American Industrial Hygiene Association (AIHA). Such guidelines help companies further maintain compliance with the Occupational Safety and Health Administration’s (OSHA) personal protective equipment (PPE) requirements. Also, OSHA has released guidance for preparing workplaces for the return of employees during the pandemic.
In keeping with OSHA requirements for maintaining a safe workplace, a recent trend among businesses is to monitor the health of employees. In a number of instances, employees entering the workplace are being monitored as they arrive for work. Wellness checks, temperature checks, and observation of an employee’s use of PPE, and adherence to physical distance guidelines are measures that many employers consider to be essential.
However, the balance between maintaining safety and maintaining employee privacy is a delicate one. As with any procedure that falls outside of standard operations, such measures could be placing companies at increased risk of privacy issues, not to mention cyber risks.
Where the risks lie
Depending on the industry, companies may not be aware of the privacy risks associated with complying with OSHA guidelines in the time of COVID-19. As employers strive to reduce employees’ exposure to COVID-19, the way in which they attempt to do so could be putting the business at risk for privacy violations.
Prior to COVID-19, most businesses were aware of what employee information they could collect, and guidelines for storage security and duration. Amid the current crisis, the lines have blurred. The additional collection of employee information, no matter how temporary the need, could involve regulations that protect employee privacy, such as the Health Insurance Portability and Accountability Act (HIPAA).
Even something as basic as asking employees to reveal their temperature or current health status could be a privacy exposure. This is a particular risk for companies that do not normally conduct any kind of health screening, since employers inadvertently could be gathering data that is not relevant to the current pandemic. Questions about employee health history that stretch beyond whether the employee has traveled recently, or been exposed to people who have or are suspected of having COVID-19, could be problematic.
Another potential exposure: how the data is gathered. For example, a company might screen its employees before allowing them to enter the premises. As employees are turned away because of fever or other visible signs that may indicate illness, other employees in the vicinity are now aware that these employees have been sent home — a potential violation of an employee’s right to keep personal health information private.
To avoid such violations, companies should be setting up private screening areas to protect workers’ health information. Some companies are using wellness apps that allow employees to self-report their health conditions. Moving the screening process online could alleviate some privacy issues, though there are still concerns that the data collected may go beyond what is necessary.
Information gathering tools may also cause issues. If an employer conducts thermal imaging for temperature checks, it is important to be mindful of regulations surrounding the collection of biometric data. Even a small change such as monitoring employees as they work to ensure proper distancing and PPE use could be a violation of employee privacy if proper policy precautions are not taken.
Balancing privacy with protection
Fortunately, there are ways companies can balance the need for employee privacy with the need to provide a safe workplace. Start by reviewing current policies and procedures regarding privacy and handling of personally identifiable information. The policies should specify what data is being collected and how it is being stored, and for how long.
A review of policies against the regulations in the jurisdiction where the business is located can help to determine if current policies need to be changed to address any regulatory changes at the local level.
Policies must be updated to address additional data collection associated with COVID-19. A company should be specific in describing the need for the additional data, what will be gathered, how it will be stored, and for how long it will be retained.
Next, communicate the changes to every member of the organization. Full disclosure provided to every employee allows employees to give meaningful consent to those changes, allowing employers to gather data that protect employees while on the job.
In order to avoid over-collecting data, companies should consider these points: Is the company collecting all the information that is needed to maintain workplace safety? Is there more information being gathered than is needed to comply with safety regulations? Are the questions being asked remaining specific to the current pandemic?
It is important for employers to remember: Any change in the data collected and the way in which employee privacy is handled may change the company’s potential exposures and, consequently, the insurance needs of the company.
Moving forward safely
The goal of any COVID-19 health check should be to ensure your company is complying with safety requirements while not gathering or storing more data than is necessary. While there are no one-size-fits-all checklists that reveal the exact steps your business should be taking, resources do exist that can help your organization put together a program that can reduce your employees’ exposure to COVID-19 and help you comply with workplace safety and privacy regulations.
Companies should talk with their insurance carrier and risk management professionals to determine the best process for their organizations. Review your insurance policies to ensure your business is covered for any additional exposures. Reasonable efforts to do the right thing, along with a plan that fits your organization, can help you keep your employees safe and the business up and running.
Danielle Roth is claims manager of cyber at AXA XL. This article was first published by AXA XL and is republished here with consent.
Leer este artículo en español.
Related: