As organizations begin to reintroduce people back into workplaces and schools during the COVID-19 pandemic, they face a unique set of privacy issues that arise from the use of screening processes and technologies. Organizations must design and implement new procedures to protect the health and safety of workers, students, and staff, but these procedures, the technology deployed to implement them, and the data that is collected in support of them can run afoul of the legal protections set forth in privacy and security laws, not to mention labor and employment laws. The laws that impact each organization will also vary depending on whether the organization is a government or a private entity and in which jurisdiction(s) the organization operates.
Generally, bringing people back to work and school involves implementing some combination of the following strategies: (1) written rules and procedures to be followed, (2) prescreening to determine who can return to work or school, (3) symptom tracking and health screening on an ongoing basis, and (4) contact tracing and quarantining if exposure to COVID-19 is suspected. Each of these strategies creates a series of issues that must be addressed.
Although written procedures must be consistent with changing public health guidelines, they still might not be enforceable. For example, many public schools have created written procedures for athletes who are returning to their sports at the high-school and college levels.[1] Although these procedures are designed to protect and ensure safety for athletes, they often cross the boundary between encouraging athletes to follow the rules and asserting that athletes have assumed the risks of participating—constituting a waiver—with questionable enforceability.[2]
Closely related to privacy concerns is the fact that prescreening of employees to determine whether they can return to work may violate employment laws. The EEOC has already asserted that the use of COVID-19 antibody tests as a vehicle for prescreening employees to determine whether they can return to work violates the Americans with Disabilities Act’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees because CDC guidelines provide that antibody test results “should not be used to make decisions about returning persons to the workplace.”[3]
Symptom tracking and health screening raise a number of privacy issues, from what questions can be asked for screening, to how the data that is collected should be treated. The EEOC guidance for covered employers specifies that employers may ask employees whether they are exhibiting symptoms associated with COVID-19, consistent with current CDC-specified symptoms and guidelines, or those of other public health authorities and reputable medical sources. Employers may also take the body temperature of employees during the pandemic consistent with recommendations of the CDC and state and local health authorities. All information collected must be treated as an employee medical record, with the associated implications for protecting the privacy of that data and limits on maintaining and sharing such information. It is important to note that employers are allowed to share medical information with public health agencies.
The use of contact tracing for determining whether a person has been exposed to COVID-19, or has exposed others, raises a plethora of new issues. Contact tracing can be performed manually, but is often implemented through mobile applications that communicate with each other. The Google/Apple partnership, for example, has developed a common application programming interface (API) that will be available on all mobile phones that run either the Android or iOS operating systems.[5] This API allows public health agencies and medical organizations to develop contact tracing applications. The underlying technology enables phones to contact each other when they are in proximity and share anonymous information that can later be used to develop contact lists if a person is diagnosed with COVID-19.[6] This technology is subject to a number of privacy and security concerns, including device tracking to identify and locate users,[7] sharing of personally identifiable[8] and confidential health information, and use of that data for other purposes by either the technology companies or public health organizations. These applications must also be deployed carefully by employers to prevent labor law issues associated with surveillance outside of work hours.[9] Existing privacy laws are still in effect for the data collected as part of contact tracing, and some states are weighing in to create new privacy laws to specifically address contact tracing.[10]
Finally, the collection of data also creates record retention issues. Organizations may be tasked with keeping certain records to establish compliance with privacy mandates or to otherwise address broader regulatory concerns, particularly for human resources records. Add to that the fact that some data, even if it does not rise to the level of a record, may need to be retained for statistical or other metrics measurements. These data retention issues must be carefully balanced against strict privacy regulations at the national and international levels. To that end, litigation discovery concerns could also rear their ugly heads. This is where processes and systems for record retention and disposition are most critical.
On the whole, organizations face a difficult set of privacy issues arising from the use of screening processes and technologies to reintroduce workers and students to workplaces and schools during the COVID-19 pandemic. The landscape of legal privacy issues is going to continue to change as CDC guidance changes over time and as more governments pass new legislation to specifically address COVID-19-related challenges.
* Joan Wrabetz is a J.D. candidate, 2021, at Santa Clara University. John Isaza, Esq. is Vice President of Information Governance Solutions at Access Corp in Boston. Mr. Isaza can be reached at [email protected].
[1] Washington Interscholastic Activities Ass’n, Guidance for Opening Up High School Athletics and Activities (June 22, 2020); NCAA Sport Science Institute, Resocialization of Collegiate Sport: Developing Standards for Practice and Competition (Aug. 14, 2020).
[2] Zachary Zaggar, NCAA Teams’ COVID-19 Risk Forms May Fall Flat In Court, Law360, June 19, 2020.
[3] U.S. Equal Employment Opportunity Commission, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws (Jun 17, 2020).
[4] Surveillance and Data Analytics, Centers for Disease Control and Prevention, Coronavirus Disease 2019 (COVID-19) (June 29, 2020).
[5] Rebecca Pifer, Apple-Google COVID-109 contact tracing software released, Healthcaredive, May 20, 2020.
[6] Apple/Google, Exposure Notification—BluetoothÒ Specification, V. 1.2, April 2020, at 8.
[7] See generally Michael Kasdan, et al., Tracking Technologies: Privacy and Data Security Issues, Thomson Reuters Practical Law Practice Note, June 20, 2020; see also Federal Trade Commission, Cross-Device Tracking: An FTC Staff Report (Jan. 2017), at 8.
[8] Privacy International, Bluetooth tracking and COVID-19: A tech primer (Mar. 31, 2020).
[9] Vin Gurrieri, Privacy Risks Lurk in Tech-Heavy Return-To-Work Plans, Law360, June 5, 2020.
[10] Kansas Introduces the COVID-19 Contact Tracing Privacy Act, Security Magazine, June 9, 2020.