Employee privacy could be a sleeping giant in the COVID-19 pandemic. A global workforce that is concerned about their jobs and their loved ones is likely to cooperate with the health-screening and tracking measures their employers may adopt. But what’s the cost to their morale and engagement?
A regulatory obstacle course has already emerged, with governments around the world issuing more than 60 directives regarding protecting data privacy while responding to the COVID-19 pandemic.
How can companies provide a safe workplace in a way that is defensible to privacy regulators? One way is to complete privacy impact assessments (PIAs). In this report, we’ll show how you can evaluate employee privacy using several common use cases encountered during the mobilize, stabilize and strategize phases of the COVID-19 crisis.
In the mobilize phase of the COVID-19 pandemic, during which millions of workers shifted to work-from-home mode, employers verified the transition status of their workforce and received their first reports of employees testing positive for COVID-19. What lessons have been learned about how companies can provide a safe workplace, while also minimizing the impact on individuals’ privacy, during this phase in future crises?
During the stabilize phase of the crisis, companies around the world are encountering a common challenge: a drop in worker energy, morale and productivity resulting from elevated levels of distress. What are the options for companies to measure and manage this new reality without causing further anxiety to workers or violating data privacy regulations?
When COVID-19 infection rates decline and governments begin to lift stay-at-home restrictions, businesses will likely face a new challenge: providing an ongoing safe environment as workers return to their offices. What options will they have to screen and track the contagious status of workers in the least-invasive way, while also complying with a patchwork of varying global regulations?
As with many things about the COVID-19 pandemic, companies were unprepared. This was clear from the ad hoc ways that employers initially assessed employees who were a risk to others, notified the people who may have been put at risk and made efforts to contain that risk.
COVID-19 privacy guidance issued by the regulators (referenced in our survey) identifies key components they will look for in future pandemic-response procedures. They include:
Narrowly tailor health-screening questionnaires. Several countries — including Australia, Bermuda, Canada, Cyprus, Estonia, Germany, Gibraltar, Ireland, Lithuania, the Philippines and the United Kingdom (UK) — require limiting the collection, use and disclosure of personal information to the minimum necessary to prevent and manage COVID-19. Early versions of questionnaires asked employees whether they had traveled to China, Italy or South Korea, had been in contact with anyone infected, or had any symptoms of the disease — but ongoing discoveries about how the disease is contracted and spread should inform and further narrow these criteria.
Designate authorized individuals to handle the questionnaires. Belgium, Croatia, Hungary, the Netherlands, Romania and Spain prefer that any screenings be done by medical personnel. Other nations, such as Colombia, Finland and Georgia, require a dedicated response team to perform screenings properly and minimize disclosures.
Inform screened employees of their rights. In some countries, such as Austria, employees can object to the disclosure of their status. Others, such as Switzerland and Uruguay, require employee consent. Romania requires notice to be given to employees regarding pandemic-related data processing. But in other countries, like Latvia, employers can inform the police if employees do not comply with quarantine orders.
Do not disclose the names of positive-testing individuals outside the response team. The identities of employees testing positive for a contagious disease do not have to be disclosed to management teams and the broader workforce across most countries with data privacy legislation, such as Mexico, New Zealand and the United States (US). Countries such as Denmark advise that when the status of employees needs to be communicated with their work teams, the reasons for being in quarantine or on medical leave should not be stated.
Table: Mobilize: Migrate to work-from-home (Q1 2020). Columns: Key business problem | Potential new data processing | Methods of data processing | Privacy risks | Sample regulatory considerations | Minimizing privacy impact.
“How are you doing?” This question was asked millions of times around the world as supervisors sought to connect with their staff and support them in this uniquely challenging time. But what about more specific questions? To what extent can employers systematically collect information about employee morale or monitor their productivity?
The answer depends on the details of the monitoring, as well as where it occurs. For example:
Employers in most Middle Eastern countries, as well as Brazil, China, Cyprus, Singapore and the US, can require employees to allow their productivity to be monitored, while in Russia, voluntary participation is permissible.
Employers in Colombia and the US can require employees to take a mandatory, personally identifiable survey about their general level of energy or confidence in the company. In contrast, those in Australia, Brazil, Canada, Czech Republic and Germany must take a voluntary approach to identifiable surveys. In France, Hong Kong, India, Italy, South Africa and the UK, participation must be both voluntary and anonymous.
Table: Stabilize: Optimize work-from-home (Q2 2020). Columns: Key business problem | Potential new data processing | Methods of data processing | Privacy risks | Sample regulatory considerations | Minimizing privacy impact.
As the COVID-19 pandemic abates, employers will have to decide how to permit employees, contractors, clients and visitors to return to their offices in a way that sustains a safe workplace. Some companies are considering whether to require a ‘health passport’ — a certification from a physician or other reliable healthcare source that the holder has tested negative for COVID-19 or has not recently presented symptoms — to allow access to company facilities. This approach may work in countries such as Singapore, where the Personal Data Protection Act allows employers to collect personal data through various means — and without employee consent — during public emergencies that threaten the life, health or safety of individuals.
Many companies are also weighing the pros and cons of instituting temperature checks at some or all of the entrances to their facilities once they reopen. However, multinationals will likely face difficulty adopting one approach globally. For example, according to the findings of our survey of PwC privacy specialists across 47 countries:
In China, the Contagious Disease Prevention Law requires that employers report on confirmed and suspected infections of a contagious disease to Chinese health authorities in a timely manner. Accordingly, employers are required to regularly and frequently conduct temperature checks on employees and workplace visitors, and they also can require employees to report any health issues to a team designated to handle workplace safety.
In Slovakia, thermal-scanning checks have become compulsory at all workplace entrances, whereas in other EU member states, such as France and Iceland, employers are permitted to perform them, but cannot mandate them.
Russia requires employers to give employees notice about any use of thermal imaging and destroy any recordings within 24 hours.
In the US, the Equal Employment Opportunity Commission recently released guidance that permits temperature checks for use during a widespread pandemic to help identify the high temperatures commonly associated with viruses.
Luxembourg prohibits daily temperature checks and the systematic collection of employee health symptoms.
App-based contact tracing will soon reach many people in one way, shape, or form. Different versions by governments, employers, and mobile-phone makers are being offered to employees for use on personal and company-owned devices they use for work. They share the same concept: users of the app are notified if they have been in close proximity to someone else on the same app who has reported a positive COVID-19 test. That notified user then has a reason to self-quarantine and get tested. Many public-health stakeholders see this as an important tool for getting people back to their places of work safely — if a large majority of a population adopts it.
But what is the most privacy-responsible way for companies to roll out an enterprise version of app-based contact tracing? Here are some considerations for corporate privacy officers to be addressing in their PIAs for these solutions:
Get employee buy-in. Employers need to get a high proportion of employees returning to offices to download the app, carry their phone with them while at the office, get tested if their risk factors increase, and self-report positive tests knowing they will end up being quarantined again. Employers may not need to take a mandatory approach to achieve that objective if they can win over their employees with clear and frequent communications about how it all works, appealing to the worker’s interest in helping to make the workplace safe and productive for everyone.
Keep geolocation data anonymous and encrypted. Employees should be able to trust that their employers, coworkers, neighbors, and hackers can’t trace their whereabouts while using the app. Some versions of these apps accomplish this by de-identifying a device’s location data and encrypting it on the device itself, not on a company server. Privacy officers need to dive in and understand these technologies and data flows as part of their PIA.
Don’t feed data to government authorities. Employers should exercise all available rights to keep their workforce data confidential in order to build and sustain employee trust in the app and achieve positive outcomes for everyone involved.
Make everything temporary. To meet the proportionality principle embedded in privacy laws around the world, the app and all of the data associated with it should be deleted once employers have returned to a pre-defined and communicated state of acceptable risk of contagion. Employers will want to resist the urge to re-use this data for purposes unrelated to COVID-19 management, such as workspace-capacity optimization.
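The four considerations above can be checked against a concrete design. The following is an added illustration, not code from the report or from any named contact-tracing product: a simplified decentralized exposure-notification model in which each phone generates its own per-day secret, broadcasts rotating identifiers derived from it, keeps what it hears only locally, matches a positive user's published day keys on the device, and purges everything past a retention window. The retention period, slot length, and the three-person scenario are assumptions made for the example.

```python
import hashlib
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 14  # assumed retention window; the page only says the data must be temporary
SLOTS_PER_DAY = 144  # assumed: the broadcast identifier rotates every 10 minutes

def ephemeral_id(day_key: bytes, slot: int) -> bytes:
    # Rotating identifier derived from a per-day secret; unlinkable without that key.
    return hashlib.sha256(day_key + slot.to_bytes(2, "big")).digest()[:16]

class Device:
    # Phone-side state: day keys and observed identifiers never leave the device.
    def __init__(self):
        self.day_keys = {}  # date -> 16-byte secret generated on the device
        self.observed = []  # (date, ephemeral id) heard nearby; no location, no identity
    def broadcast(self, day, slot):
        key = self.day_keys.setdefault(day, secrets.token_bytes(16))
        return ephemeral_id(key, slot)
    def observe(self, day, eph):
        self.observed.append((day, eph))
    def purge(self, today):
        # Proportionality: drop everything older than the retention window.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.day_keys = {d: k for d, k in self.day_keys.items() if d >= cutoff}
        self.observed = [(d, e) for d, e in self.observed if d >= cutoff]
    def report_positive(self):
        # A positive user shares only day keys: no name, no location, no contact list.
        return list(self.day_keys.items())
    def exposure_count(self, published):
        # Matching runs locally, so no server learns whom this device met.
        hits = 0
        for day, key in published:
            ids = {ephemeral_id(key, s) for s in range(SLOTS_PER_DAY)}
            hits += sum(1 for d, e in self.observed if d == day and e in ids)
        return hits

def simulate():
    # Constructed scenario: alice and bob share three slots on day 1, carol meets nobody,
    # bob later tests positive. Returns (hits before purge, alice's hits after purge).
    alice, bob, carol = Device(), Device(), Device()
    day1 = date(2020, 6, 1)
    for slot in (10, 11, 12):
        alice.observe(day1, bob.broadcast(day1, slot))
        bob.observe(day1, alice.broadcast(day1, slot))
    published = bob.report_positive()
    before = {"alice": alice.exposure_count(published), "carol": carol.exposure_count(published)}
    alice.purge(day1 + timedelta(days=RETENTION_DAYS + 1))
    return before, alice.exposure_count(published)
```

The point for a PIA is what each party can see: the published list carries no identity or location, matching never leaves the phone, and once the retention window passes the device itself can no longer establish the exposure.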
Employers can play a unique role in the app-based contact-tracing ecosystem. As employers, they can have a more influential, daily relationship with employees than their employees’ phone makers or government agencies. Employers are able, in their unique role, to explain to employees how everything works and architect it in a way that respects employees’ rights and freedoms as well as provide them a meaningful feedback loop. A multinational considering this option should perform a PIA that addresses the variables unique to each country in which it plans to deploy this technology.
The consumer has dominated the global debate over data privacy since its inception two decades ago. But most of those consumers are employees who arrive to work with the same privacy expectations they formed as consumers. If people feel trapped about the privacy choices available to them as consumers, some of the tracking and monitoring envisioned by their employers to cope with the COVID-19 pandemic may accentuate these feelings and affect the trust they place in their co-workers, employers and society at large.
All members of the C-suite — not the privacy leaders alone — have a stake in the emotional well-being of their employees and their commitment to the values of the company. As the executive leadership teams plot their strategies to adjust their business models to the new post-COVID realities, one of their agenda items should be to formalize an employee data ethics policy. The foundation of that policy should be the principle that informed employees understand their best interests and should be empowered to make decisions about both their health and their data. Adherence to this principle will likely help global regulatory compliance and help restore employee confidence in the changed and challenging world around them.
A product by PwC