3/16/2020
05:05 PM

Privacy in a Pandemic: What You Can (and Can't) Ask Employees

Businesses struggle to strike a balance between workplace health and employees' privacy rights in the midst of a global health emergency.

The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.

Collecting and sharing information is necessary but must be done with employees' privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws, says Christine Lyon, privacy partner at Morrison & Foerster LLP. What health-related inquiries are acceptable? Can employers require a doctor's note or medical exams?

"The interesting aspect of this is there aren't straight-line answers," Lyon explains. "Even legal analysis changes as the facts evolve." As an example, Lyon points to the increasingly common question of whether businesses can take temperatures at work. This typically is considered a medical exam and is prohibited under the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) states in guidance related to pandemics.

However, as COVID-19 continues to spread across the United States, the Centers for Disease Control and Prevention (CDC) has begun to recommend employers take temperatures. Daily "health checks," which include screening for temperature and respiratory symptoms, have been encouraged in CDC guidance for Santa Clara County, California, and Seattle-King, Pierce, and Snohomish counties, Washington.

"It's challenging for employers because there's no clear-cut answer," Lyon says. The CDC may recommend taking temperatures but doesn't suggest what to do if someone has a fever. It's one of many areas in which businesses should proceed with caution. If an office visitor has a high temperature, the company likely would not turn that person away. Instead, she says, it would likely call the person the visitor had planned to meet and say they'll schedule a phone call.

"Keep as much confidentiality as possible," she says. "What is the information that we really need to know?" This concept, she says, also applies to storing health-related information. Many employers are collecting minimal health data, including the temperatures they record. If you're keeping temperature data, it's considered a medical record and confidentiality rules will apply.

Privacy rules and regulations differ by company, industry, and state. As a result, it's difficult to provide detailed guidance on what employers should do. Modern privacy and data protection laws, like the European Union's General Data Protection Regulation and the California Consumer Privacy Act, don't prevent businesses from recording certain information, says Bart Willemsen, research vice president at Gartner. For example, employers must record data necessary to determine if salaries are being paid, or information related to the workspace physician providing treatment to an employee. However, health-related data must be treated differently.

The Do's and Don'ts of Health-Related Questions

"Health information is information of a sensitive nature, a special category of data," Willemsen continues. "Every person has the right to not share such information — but they can share metadata." Employers can collect data related to insurance payment (for example, if something happens in the workplace). They can also record employees' adjusted work environments, if they start to work remotely. But employers are not doctors, he emphasizes, and they should not assume the position of collecting detailed health data unless under specific circumstances. 

So, what can employers ask their employees to ensure a safe workplace without violating privacy rules? Lyon says it's "generally fine" to ask if they have been experiencing cold or flulike symptoms, especially if there is a pandemic. The CDC states employees who fall ill with flulike symptoms during a pandemic should leave the workplace. Companies can ask about the expected duration of absence if an employee calls out sick; however, they can't ask why.

"Though it's important to know how long an employee may be absent, it is not for the employer to inquire in detail after why that absence is a fact," Willemsen adds. People do not have to share the details of their illness unless it has direct influence on their job function (for example, if they are a healthcare worker). It's fine if they want to volunteer that information, but even if they do, employers should refrain from recording and processing the data they share.

Employers should be careful with pointed questions about specific illnesses and diagnoses. Questions like "Have you been tested for coronavirus?" and "Do you have any medical conditions that make you susceptible?" are crossing the line into ADA territory, says Lyon. "An employer has to show a justification for asking those sorts of questions," she continues. If an employee returns from travel, the company may ask if they are returning from a country with a known outbreak, even if the travel was personal and the employee does not have symptoms.

Doctor's notes can also be tricky. The CDC suggests companies do not require a note to validate illness or return to work because in times like these, "healthcare provider offices and medical facilities may be extremely busy and not able to provide such documentation in a timely way."

If a company wants to verify someone is fit to return to the office, they may ask for a note saying as much because it doesn't disclose a specific condition, Lyon explains. However, if a company wants a note stating an employee has tested negative for a particular condition, such as coronavirus, that ventures into dangerous territory.

Companies are encouraged to record only health-related information that is factual, and the minimum amount of information necessary. This data should only be shared with employees on a "need-to-know" basis and used as anonymously as possible, Willemsen says. It should be stored securely and only for as long as it is necessary. If it must be disclosed, it should only be shared with external parties as mandated by law — for example, with local health agencies.

Lyon suggests businesses establish a centralized place where employees can view information about what is and isn't appropriate. "Make sure these questions are going to the right people so managers aren't on their own for what they can and can't ask," she explains. Creating a list of frequently asked questions for managers and employees can be helpful in times like these.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
AntonioMochilas,
User Rank: Apprentice
4/8/2020 | 6:43:03 AM
Totally agree
We should take care about what we say to our employers or chiefs
Alexaex,
User Rank: Apprentice
3/27/2020 | 6:47:18 AM
GREAT ARTICLE
Liked this one. Thank you a lot.
Recently I've heard of some unpleasant situations in companies (dealing with the virus). Some people make scenes as if they're ill, saying that a company is guilty. Firms got fines( 
zentrusted,
User Rank: Apprentice
3/25/2020 | 2:42:45 PM
VERY HELPFUL
Very helpful post, a lot of information was new to me. Some very interesting insights as well (such as the contradiction in ADA vs. CDC guidance on taking temperature). Thanks!