As a result of the COVID-19 pandemic and the emerging efforts to track who has been vaccinated, many companies in the U.S. are struggling to determine how to handle and retain such sensitive health information about their employees, or even their customers. When a national emergency was declared in the U.S. in March 2020, many organizations were forced to set up new protocols in order to operate safely. Some of those new protocols included the collection of temperature readings and health screening results from customers and employees. Because these data collection protocols were introduced suddenly, and in the absence of a federal data privacy framework, questions arose about how to contain the spread of the virus without compromising personal privacy. One of the main concerns is how transparent organizations must be in communicating what they are doing with this newly collected health information and how long they plan to keep it. The introduction of vaccines has only complicated these issues further.
With no precedents to follow, the pandemic created widespread uncertainty and confusion about data privacy where companies did not have relevant protocols in place. Businesses are being forced to confront a range of privacy questions: what data they can or should collect and retain, which notices to provide, and what actions to take based on that data. Although companies have found that information like temperature checks does not need to be tied to specific individuals or retained for more than a few weeks, collecting information to track whether employees and visitors are vaccinated, or requiring vaccination as a condition of entry or return to work, may give rise to additional legal risks that require a more individualized analysis.
The move toward collecting more data in response to the pandemic has exposed businesses to increased liability under the emerging patchwork of data privacy laws, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Both the CCPA and the GDPR require companies to be more transparent about the personal information they collect and give consumers greater control over how that information is used and shared. However, this expansion of consumer rights and control over personal information is being balanced against emergency efforts to contain the virus. Thus, the debate over what information people can keep private about their health and what information they can be compelled to disclose will continue to draw attention.
Additionally, employers must be careful with how they handle employee information in the context of employment laws, which impose privacy, security, and data retention requirements different from those of consumer privacy laws. In the employment law context, there is greater pressure to retain records, in contrast to the trend in data privacy laws, which favor data minimization. Accordingly, employers must treat the information they collect for health checks and virus tracking separately from human resources data such as background checks and benefits information, which is typically subject to lengthy retention requirements.
To address this issue, organizations must understand which data they are collecting, where the data is stored and processed, the highly sensitive nature of that data, the specific purpose for which it is collected, and the minimum time it must be retained to fulfill the stated purpose of collection. Employers should avoid storing this sensitive health information in employees' HR files for extended periods. However, tension has emerged between privacy professionals, who encourage prompt disposal of such information, and litigation-minded advisors, who advocate longer retention periods so that organizations can demonstrate the reasonable steps they took to protect staff and visitors.
As we await developments concerning whether businesses can require workers or visitors to be vaccinated, the ultimate challenge at hand is to develop a process that balances public safety with privacy concerns. Companies should consider work-from-home arrangements when developing their vaccination policies. For instance, requiring a remote-work employee to show proof of vaccination may be an unreasonable intrusion into that employee’s privacy, or trigger employment law concerns under the Americans with Disabilities Act. In any event, the current situation with COVID-related data collection further demonstrates the need for federal action in the U.S. regarding the creation of a national privacy framework.