August 3, 2020

COVID-19 Data Privacy and Protection


Share this post: 

As the uncertainty of COVID-19 continues, a common question permeates the work environment: “When can we get back to work and how can we do it as safely as possible?”

Collection of personal and health data by organizations as a measure to ensure the safety of their employees and customers is part of the new reality in a post-COVID-19 world. While it may be true that your organization must collect such data in order to protect employees and customers when re-opening, it is important to develop a strategy to limit the amount collected, ensure compliance with the right regulatory requirements, and protect it from misuse or breach. Privacy controls can provide immense value in protecting sensitive data while still empowering businesses to safely re-open.

What data may be collected?

It is possible that an uncomfortable level of information will be required from employees to ensure the safety and well-being of the employee workforce. The data collected will be used to identify the most vulnerable employees and prevent the spread of COVID-19 within the organization.

As shown here, in their recent study, Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing, the International Association of Privacy Professionals (IAPP) and Ernst & Young (EY) found that at least 50 percent of organizations are already tracking employee health and travel data, and almost 25 percent are taking the temperature of their employees. (See their chart to the right.)

Through employee-reported data, employer-based contact tracing, and observation, organizations will be able to track the lifecycle of COVID-19 for employees who are at risk or who were infected. Businesses should expect to track self-quarantine periods, as well as when employees begin showing symptoms, test positive for COVID-19, return to work following COVID-19, and potentially even antibody test results. Any data that your organization collects should be reviewed by the privacy stakeholders prior to collection. While it may be necessary, it is important for these stakeholders to understand how it is being used, stored, and processed to ensure that adequate privacy and security measures are in place.

What is the regulatory impact of collecting this data?

The regulatory landscape is continuing to evolve with almost daily updates on what data can be collected by employers. New data collection, especially associated with health, requires stringent management and protection to minimize risks of unauthorized disclosure and breaches. Organizations must now understand, implement, and ensure compliance with the laws and guidance provided by industry regulations that are provided through:

        • American Disabilities Act (ADA)
        • Rehabilitation Act
        • Equal Employment Opportunity Commission (EEOC) guidance
        • Occupational Safety and Health Administration (OSHA)
        • State and local guidance 

How can privacy best be achieved?

An organization’s response to the impact of COVID-19 should be tailored to both rapidly respond to employee needs and achieve long-term privacy compliance. Prior to collecting COVID-19-related employee health data, key privacy principles should be considered and addressed, including:

        • Notice: Provide employees with notice of what information is being collected with clear and transparent purposes
        • Collection Mechanisms: Restrict collection of data to approved paths (e.g., self-reporting, observation, temperature scanning, contact tracing)
        • Data Minimization: Limit data (including copies) to the minimum necessary; dispose of data when no longer needed
        • Purpose Limitation: Only use data for approved purposes that were communicated to employees
        • Security: Implement security controls to protect data collected
        • Data Sharing and Disclosures: Take care to avoid inadvertent disclosure (e.g., conversations, laptop use)

Perhaps even more than other sensitive data or personal information (as defined by General Data Protection Regulation [GDPR] or California Consumer Privacy Act [CCPA]), COVID-19-related data should be protected from accidental disclosure, misuse, unauthorized access, and breach. Your organization should put controls in place that restrict who can access the data, limit with whom it is shared (i.e., third parties), and provide the technical measures for modifying and even deleting it upon request. Based on the regulatory impact of the collected data, as determined by the privacy office, additional technical safeguards (e.g., encryption, masking, logging and monitoring, physical security) may be required.

Where to begin?

It is important to engage your privacy office to ensure a thorough understanding of what data needs to be collected, its regulatory impact, and what additional protective measures need to be put in place. As with all new processes, training and awareness for employees and managers handling the data will be imperative to ensure that adequate privacy and security are achieved. Most organizations never expected to handle such sensitive data and at such a large scale, but with proper planning and oversight, the risks can be managed to ensure that the privacy, health, and safety of your employee workforce remain your top priorities.

Conclusion

A pandemic requires us all to manage through unprecedented challenges. As the virus slows its spread worldwide, enabling the success of your business through the planning and development of immediate responses ensures that your organization’s services are preserved. Taking pre-emptive actions to update policies and procedures, operationalizing strong and agile governance, and establishing proper data protection mechanisms for personal data is the first step in evolving your organization for the future.

 

Interested in learning more about managing post-pandemic risks and requirements?

Download our guidebook for a roadmap for leaders to decisively deploy actions that correspond to the shape of the future state economy, all while mitigating new and emerging cyber and operational risks.