Balancing employee privacy and public health and safety

As with many things about the COVID-19 pandemic, companies were unprepared. This was clear from the ad hoc ways that employers initially assessed employees who were a risk to others, notified the people who may have been put at risk and made efforts to contain that risk. 

COVID-19 privacy guidance issued by the regulators (referenced in our survey) identifies key components they will look for in future pandemic-response procedures. They include:

• Narrowly tailor health-screening questionnaires. Several countries — including Australia, Bermuda, Canada, Cyprus, Estonia, Germany, Gibraltar, Ireland, Lithuania, the Philippines and the United Kingdom (UK) — require limiting the collection, use and disclosure of personal information to the minimum necessary to prevent and manage COVID-19. Early versions of questionnaires asked employees whether they had traveled to China, Italy or South Korea, had been in contact with anyone infected, or had any symptoms of the disease — but ongoing discoveries about how the disease is contracted and spread should inform and further narrow these criteria.

• Designate authorized individuals to handle the questionnaires. Belgium, Croatia, Hungary, the Netherlands, Romania and Spain prefer that any screenings be done by medical personnel. Other nations, such as Colombia, Finland and Georgia, require a dedicated response team to perform screenings properly and minimize disclosures. 

• Inform screened employees of their rights. In some countries, such as Austria, employees can object to the disclosure of their status. Others, such as Switzerland and Uruguay, require employee consent. Romania requires notice to be given to employees regarding pandemic-related data processing. But in other countries, like Latvia, employers can inform the police if employees do not comply with quarantine orders.

• Do not disclose the names of positive-testing individuals outside the response team. The identities of employees testing positive for a contagious disease do not have to be disclosed to management teams and the broader workforce across most countries with data privacy legislation, such as Mexico, New Zealand and the United States (US). Countries such as Denmark advise that when the status of employees needs to be communicated with their work teams, the reasons for being in quarantine or on medical leave should not be stated. 

As the COVID-19 pandemic abates, employers will have to decide how to permit employees, contractors, clients and visitors to return to their offices in a way that sustains a safe workplace. Some companies are considering whether to require a ‘health passport’ — a certification from a physician or other reliable healthcare source that the holder has tested negative to COVID-19 or has not recently presented symptoms — to allow access to company facilities. This approach may work in countries such as Singapore, for example, where its Personal Data Protection Act allows employers to collect personal data through various means — and without employee consent — during public emergencies that threaten the life, health or safety of individuals. 

Many companies are also weighing the pros and cons of instituting temperature checks at some or all of the entrances to their facilities once they reopen. However, multinationals will likely face difficulty adopting one approach globally. For example, according to the findings of our survey of PwC privacy specialists across 47 countries:

• In China, the Contagious Disease Prevention Law requires that employers report on confirmed and suspected infections of a contagious disease to Chinese health authorities in a timely manner. Accordingly, employers are required to regularly and frequently conduct temperature checks on employees and workplace visitors, and they also can require employees to report any health issues to a team designated to handle workplace safety.

• In Slovakia, thermal-scanning checks have become compulsory at all workplace entrances, whereas in other EU member states, such as France and Iceland, employers are permitted to perform them, but cannot mandate them. 

• Russia requires employers to give employees notice about any use of thermal imaging and destroy any recordings within 24 hours.

• In the US, the Equal Employment Opportunity Commission recently released guidance that permits temperature checks for use during a widespread pandemic to help identify the high temperatures commonly associated with viruses.

• Luxembourg prohibits daily temperature checks and the systematic collection of employee health symptoms.

App-based contact tracing will soon reach many people in one way, shape, or form. Different versions by governments, employers, and mobile-phone makers are being offered to employees for use on personal and company-owned devices they use for work. They share the same concept: users of the app are notified if they have been in close proximity to someone else on the same app who has reported positive for a COVID-19 test. That notified user can then have a reason to self-quarantine and get tested. Many public-health stakeholders see this as an important tool in getting the world to return to their places of work in a safe way — if a large majority of a population adopts it. 

But what is the most privacy-responsible way for companies to roll out an enterprise version of app-based contact tracing? Here are some considerations for corporate privacy officers to be addressing in their PIAs for these solutions:

• Get employee buy-in. Employers need to get a high proportion of employees returning to offices to download the app, carry their phone with them while at the office, get tested if their risk factors increase, and self-report positive tests knowing they will end up being quarantined again. Employers may not need to take a mandatory approach to achieve that objective if they can win over their employees with clear and frequent communications about how it all works, appealing to the worker’s interest in helping to make the workplace safe and productive for everyone.

• Keep geolocation data anonymous and encrypted. Employees should be able to trust that their employers, coworkers, neighbors, and hackers can’t trace their whereabouts while using the app. Some versions of these apps accomplish this by de-identifying a device’s location data and encrypting it on the device itself, not on a company server. Privacy officers need to dive in and understand these technologies and data flows as part of their PIA.

• Don’t feed data to government authorities. Employers should exercise all available rights to keep their workforce data confidential in order to build and sustain employee trust in the app and achieve positive outcomes for everyone involved. 

• Make everything temporary. To meet the proportionality principle embedded in privacy laws around the world, the app and all of the data associated with it should be deleted once employers have returned to a pre-defined and communicated state of acceptable risk of contagion. Employers will want to resist the urge to re-use this data for purposes unrelated to COVID-19 management, such as workspace-capacity optimization. 

Employers can play a unique role in the app-based contact-tracing ecosystem. As employers, they can have a more influential, daily relationship with employees than their employees’ phone makers or government agencies. Employers are able, in their unique role, to explain to employees how everything works and architect it in a way that respects employees’ rights and freedoms as well as provide them a meaningful feedback loop. A multinational considering this option should perform a PIA that addresses the variables unique to each country in which it plans to deploy this technology.