New US COVID-19 privacy bill could be the catalyst for corporate employee privacy programs

Start adding items to your reading lists:
or
Save this item to:
This item has been saved to your reading list.

US Congress proposes privacy requirements to safeguard widespread collection of personally identifiable data as workplaces reopen with contact tracing

  • A group of Republican senators is putting forth a COVID-19 Consumer Data Protection Act (“the Act’’). 

  • The Act aims to provide Americans with more transparency, choice and security over the collection and use of their personal health, geolocation and proximity data, which may be gathered during contact tracing and other solutions to control the COVID-19 pandemic. 

  • The Act covers privacy principles discussed in PwC’s Balancing employee privacy and public health and safety. It aims to provide impetus for US companies to formalize an employee privacy program.

Issues arising from COVID-19

Americans will be returning to their workplaces before testing or vaccines for COVID-19 are widely available. If workers develop symptoms after they return to work and test positive, their employers will ask them to share information about their health status and movements to help with contact tracing — whether through human contact tracers, or tech-based apps or some combination of the two. Contact tracing in some form will be a key strategy for employers to quickly isolate sick workers and prevent flare-ups within their offices, factories, warehouses and other venues.

Privacy specialists and many government leaders worry, however, that without a national law in place, contact tracing could gather more personal data on Americans than they realize. Collected data could then be used and shared with the government for purposes other than controlling the pandemic, and it also could be vulnerable to hackers. Preventing both from happening is the impetus for the new bill

Meanwhile, return-to-workplace health measures and their related privacy risks are not yet high on the radar for CFOs who will likely be asked to fund these initiatives. Only 22% of CFOs we surveyed during the week of April 22 were evaluating new tools to support workforce-location tracking and app-based contact tracing. At the same time, leading CIOs, CISOs and chief privacy officers anticipated this issue when they started working on health-status checks at the beginning of the crisis, and later began focusing on employee work-wellness during the transition to remote work.

Chief human resources leaders, privacy leaders and crisis teams involved in return-to-workplace initiatives will want to get ahead of this trend. They will need to use capabilities in their consumer privacy program to build their employee privacy program, which should encompass data lifecycle management, data-subject rights management, privacy and security by design, and privacy impact assessments. In short, we believe it’s time for US companies to formalize an employee privacy program. 

Five things employers and employees should know about the new data protection bill

1. The Act covers companies regulated by the Federal Trade Commission

Financial institutions regulated by financial regulators, healthcare companies regulated by the US Department of Health and Human Services, and airlines and transportation companies regulated by the US Department of Transportation will want to determine if they are “covered entities” under the Act.

View more

2. The Act covers a wide range of data processing related to COVID-19 management

The scope of the Act will likely include questionnaires administered to staff regarding their health status; temperature checks or facial imaging administered at workplace entrances; and manual and app-based contact tracing.

View more

3. The Act requires opt-in consent of employees

Employers considering mandating that employees use contact tracing apps may need to shift gears. The Act also requires employers to provide detailed privacy notices and transparency reports to employees, a blueprint for gaining the trust and full participation of their workforce that is necessary for app-based contact tracing to achieve optimal results.

  •  Models by a team at Oxford University suggest that the epidemic could be stopped in the UK if approximately 60% of the population uses the app and adheres its recommendations. Even lower numbers of app users could have a positive effect: If the app is carefully implemented alongside other measures, such as testing and social distancing, it has the potential to substantially reduce the number of new coronavirus cases, hospitalizations and ICU admissions.
  • Americans are currently split on their willingness to use smartphone apps for contact tracing. Only 50% would download an app to alert them if they were in close contact with someone who tested positive for COVID-19, according to a survey from the Kaiser Family Foundation. Only 45% would share the names of their close contacts with public health authorities. Consumer understanding is evolving, and several surveys conducted in April reveal varying degrees of consumers’ willingness to share information under different conditions.

View more

4. Employers will likely need qualified privacy engineers

The Act includes specifications for data de-identification that hackers can’t counter, along with data deletion protocols once COVID-19 management objectives have been met. Employers will not want to take any chances with the health, safety and privacy of their employees — or be second-guessed by regulators or judges. They will want to meet the prevailing industry standards for implementing the privacy provisions of the Act.

View more

5. The Act offers an opportunity to demonstrate employees do not have to give up privacy to participate

 

The Act offers an opportunity to demonstrate that employees do not have to give up privacy to participate in contact tracing efforts. As long as the privacy principles in the Act are followed, there’s an opportunity for employers and developers to show that contact tracing is trusted technology — not the necessary evil that some consumers think tech is, according to PwC’s survey on trust in tech.

  • Tech providers like Apple and Google have created privacy-friendly APIs, ready for use by entities that favor privacy principles, such as prohibitions on location data collection and use in targeted advertising.

 

View more

Reopening American workplaces

Contact tracing should be only one aspect of your larger return-to-workplace plan, but it’s important to see how it plays out with these other aspects of the plan:

  • Your work environments and the plan for social distancing and disinfection in your locations 

  • The blend of work modes for your workforce (remote, on-premises, managed services)

  • The percent of time your employees travel 

  • The states and countries where your facilities are located and where your employees reside

  • The practices of the partners and suppliers in your ecosystem.

Like many other areas COVID-19 has accelerated, this might be the impetus for larger and more lasting regulation on data privacy in the US.

One could argue the combination of the COVID-19 Consumer Data Protection Act and the California Consumer Privacy Act (CCPA) produce a GDPR-lite protection for American employees. The General Data Protection Regulation offers extensive rights and protections to the personal data of European Union residents. Meanwhile the CCPA, covering California residents, provides a subset of rights similar to those found in GDPR, such as the right to access and delete personal data. The extension of CCPA to employees in California is scheduled to come into effect on January 1, 2021. 

We believe it’s time for US companies to formalize an employee privacy program. Companies that get a jump on formalizing a privacy program for their employees will be best positioned for handling this virus, as well as future pandemics and other workforce-impacting events.

Prepare to answer these 8 questions your employees will ask about contact tracing
  • Are you requiring express consent from employees to collect, process or transfer workers’ personal health, geolocation or proximity information for the purpose of tracking the spread of COVID-19?

  • Do you allow individuals to opt out of the collection, processing or transfer of their personal health, geolocation or proximity information?

  • Will you disclose, at the point of collection, how worker data will be handled, to whom it will be transferred and how long it will be retained?

  • Will you tell employees how their data will be used and reported without disclosing their identity?
  • Will you provide transparency reports to the public describing data collection activities related to COVID-19?

  • Will you collect only the minimum personally identifiable information needed?

  • What data security safeguards have you established for personally identifiable information that is collected from employees?

  • Will you delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency?
How PwC built privacy into its Check-In Automatic Contact Tracing (ACT) product
  • Check-In: Automatic Contact Tracing, a PwC Product, tracks movements only within the physical space of the office or business facility, and it keeps user data anonymous and secure.

  • Employees download an app and enter their name, email or other identifier — but this information is used to identify a person only if they need to be notified of a risk.

  • If an employee reports that he or she contracted COVID-19, an authorized user — usually HR — can get a list of colleagues whose devices were close enough to present an exposure risk. 

  • Once the data is used, it’s purged from the dashboard to maintain privacy and anonymity. 

  • While developing this capability, we worked closely with an epidemiologist and PwC’s privacy and security specialists to consider the range of potential security challenges.

Contact us

Sean  Joyce

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Joseph Nocera

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

David Sapin

David Sapin

PwC Risk & Regulatory Leader, PwC US

Jocelyn Aqua

Jocelyn Aqua

Principal, Cybersecurity and Privacy, PwC US