Employers, COVID-19 Does Not Nullify Privacy Or Other Data Security Laws
I send you into this weekend with a guest post by Marty Robins, one of our amazing Privacy Group partners in Illinois. An expert in all things data privacy, Marty and I talked this week (and last) about the effect of the Coronavirus on data privacy issues.
With the current focus on preventing the spread of COVID-19 in the US, employers must remain mindful of legal obligations under privacy or employment laws. While the latter has been addressed by FisherBroyles in this client alert and additional posts (here, here, and here), employers should keep the following privacy considerations in mind:
- As with all personal information belonging to employees and customers, proper disclosure of (and in the European Union, consent to) contemplated uses of material collected is essential; if employment agreements, handbooks, and pre-existing company policies restrict uses or do not reserve employer discretion as to such uses, there is reason for concern—whether the lapse is failing to keep confidential an actual diagnosis of COVID-19 or symptoms of another medical condition.
- Employers should not assume that a formal federal or state declaration of a state of emergency may excuse violations after the fact. The European Union’s General Data Protection Regulation includes a nebulous exception to the stringent confidentiality obligations for disclosures to public health authorities, but its parameters are far from clear. Even if an employer reserves discretion as to usage in an outward-facing privacy policy, this may not suffice. In all circumstances, check relevant documentation, and check with counsel before disclosing such information.
- Newer legislation—such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Privacy Act—clarifies that data regarding an employee’s physical status and characteristics, such as body temperature, is subject to privacy law. Under the Illinois statute, which impacts companies with any contacts with Illinois (even if not headquartered there), employees must consent expressly to disclosure. Several recent class action settlements, north of $100 million, should motivate employer compliance with this Illinois statute. Similarly, the CCPA applies to sharing of information pertaining to health status. Check with us to identify specific obligations.
- All US and EU legislation prohibits the collection or disclosure of customer or employee information absent a legitimate need for doing so. And, even if there is a legitimate reason to collect or disclose health information pertaining to COVID-19, this is not a free-for-all for employers. For example, an employee’s elevated temperature does not justify inquiries about an employee’s lifestyle, such as smoking.
Apart from employment issues, employers should keep in mind their contractual and statutory obligations regarding security and privacy of data provided by members of the public and endeavor to use the company’s customary security measures, even if that data is accessed from offsite.
Of course, employers often have to make quick decisions concerning an employee’s health, and we recognize that legal obligations may not always take precedence. However, with COVID-19, as in other matters, a little knowledge and consultation will reduce legal risk. We encourage you to promptly speak with any of our Privacy Group partners to develop appropriate protocols.