
The world is no longer as it once was, and as we continue the process of immunization, self-isolation, social distancing, satisfying our travel itch, and yes…return to work, there is a bit of consternation about what can and cannot be asked of employees as they transition back to the office.

I acknowledge that many employees will not be returning to the “old normal” and rather will have a “new normal” of a hybrid environment combining some semblance of remote work and in-office meetings. Today for folks such as myself who are consultants, we must not only follow our own company’s requirements but must acknowledge and be aware of the requirements and cultures of the organizations we serve.

So, with all that said, below are some privacy considerations as organizations look to bring employees back into the office.

One of the most serious challenges we will face as employees return to work is tied directly to workplace privacy and the security of personal data. These primarily revolve around the “lawful” processes to screen employees for possible COVID-19 testing (whether overtly or covertly) and then what to do with both negative and positive results. Examples specifically identified include but are not limited to diagnostic tests, tests for antibodies, workplace monitoring applications, requirements (or lack thereof) for immunization, employee consent, temperature scans, thermal scanners, substantive questions, etc.

In the United States, the Equal Employment Opportunity Commission (EEOC) updated its COVID-19 guidance on December 16, 2020. This updated guidance, amongst other items, includes a new section providing information to employers and employees about how a COVID-19 vaccination interacts with the legal requirements of the Americans with Disabilities Act (ADA), Title VII of the Civil Rights Act of 1964, and the Genetic Information Nondiscrimination Act (GINA). Review the new COVID-19 guidance in the EEOC here.

Two of several questions contained within the guidance include:

  • How much information may an employer request from an employee who calls in sick in order to protect the rest of its workforce during the COVID-19 pandemic?
  • When screening employees entering the workplace during this time, may an employer only ask employees about COVID-19 symptoms that the EEOC has identified as examples, or may it ask about symptoms identified by public health authorities associated with COVID-19?

This is just one tidbit of a plethora of guidance we have seen around the globe. In the U.S., state and local governments are also weighing in. In Europe we have individual countries, provinces, and even the EU as a whole weighing in. AsiaPac is the same.

So, what should a company do?

First, the company should form and empower an overarching cross-functional “Return to Work Governance / Steering Committee” to oversee the policies, procedures, execution, and audit of the program. This committee at a minimum should include Human Resources, Corporate Compliance, Legal, Employment Law, Risk Management, Corporate Communication, Information Management, Information Security, Employee Health Services, Occupational Health and Safety, Physical Security and yes…Privacy. In order to be successful, a single individual should be appointed to hold ultimate responsibility for the committee’s activities. Moreover, I would extrapolate that this group and those individuals’ incentive compensations should be based on such performance and the reporting structure should be to the Board via Senior Corporate Leadership.

Remember further that Europe defines sensitive personal data as Race, Ethnicity, Political Affiliation, Trade Union Membership, Sexual Orientation, Health Status, Criminal History, Genetic Information and Biometrics. Add to that the focus that we in the U.S. have on regulated data such as government-issued identifiers, health insurance numbers, health information in general, bank account information, credit card numbers and PIN codes. These are the most sensitive forms of information requiring the highest levels of protection.

But now add to that the fact that jurisdictions such as California reference personal data as data that can directly or indirectly identify a person, something about them, or their family, and all of a sudden the world opens up a whole new complexity specific to what is or is not personal data, the combination of data elements that could constitute personal data, and the protections that the data must have.

Now combine the above two paragraphs with whatever processes and procedures that your Office of General Counsel and Human Resources say are permissible, and meld the two together.

The law firm of Bird & Bird has published a COVID-19 Data Protection Guidance which is spectacular in my estimation. Not only does it break Europe down country by country in an easily absorbable format, but it also includes a Q&A section that I believe can serve as a foundation for any company’s return to work policies, procedures, and communication.

The conclusion here is that while the pandemic may be slowing in some places, and companies are earnestly in discussions about returning to work in the new normal, whatever that is, it is ultimately going to be execution of the new norm within your own organizational structure that matters.

I once had an attorney counsel me to always take the high road. I would urge every company to take the high road, and the high road can only be executed by deeply examining one’s own organizational structure and culture, identifying the relevant laws, rules, and regulations, having the most senior leadership intimately involved at the execution level (not just oversight), auditing your processes and procedures, and providing full transparency to the process you used to allow your employees, contractors, consumers, and customers to identify issues.

The future is upon us and it is time to ensure that we address that future in the most comprehensive manner possible while also following leading practices and the law.

To learn more or speak to an Advyz Cyber Risk Services data privacy expert, email us at advyz@entisys360.com or call (877) ENTISYS.
