The world is no longer as it once was. As we continue the process of immunization, self-isolation, social distancing, satisfying our travel itch, and yes, returning to work, there is a bit of consternation about what can and cannot be asked of employees as they transition back to the office.
I acknowledge that many employees will not be returning to the “old normal” and rather will have a “new normal” of a hybrid environment combining some semblance of remote work and in office meetings. Today for folks such as myself who are consultants, we must not only follow our own company’s requirements but must acknowledge and be aware of the requirements and cultures of the organizations we serve.
So, with all that said, below are some privacy considerations for organizations looking to bring employees back into the office.
One of the most serious challenges we will face as employees return to work is tied directly to workplace privacy and the security of personal data. These challenges primarily revolve around the “lawful” processes for screening employees for COVID-19 (whether overtly or covertly) and then what to do with both negative and positive results. Examples specifically identified include, but are not limited to, diagnostic tests, tests for antibodies, workplace monitoring applications, requirements (or lack thereof) for immunization, employee consent, temperature scans, thermal scanners, substantive questions, etc.
In the United States, the Equal Employment Opportunity Commission (EEOC) updated its COVID-19 guidance on December 16, 2020. This updated guidance, amongst other items, includes a new section providing information to employers and employees about how a COVID-19 vaccination interacts with the legal requirements of the Americans with Disabilities Act (ADA), Title VII of the Civil Rights Act of 1964, and the Genetic Information Nondiscrimination Act (GINA). Review the new COVID-19 guidance from the EEOC here.
Two of several questions contained within the guidance include:
- How much information may an employer request from an employee who calls in sick in order to protect the rest of its workforce during the COVID-19 pandemic?
- When screening employees entering the workplace during this time, may an employer only ask employees about COVID-19 symptoms that the EEOC has identified as examples, or may it ask about symptoms identified by public health authorities associated with COVID-19?
This is just one tidbit of a plethora of guidance we have seen around the globe. In the U.S., state and local governments are also weighing in. In Europe we have individual countries, provinces, and even the EU as a whole weighing in. AsiaPac is the same.
So, what should a company do?
First, the company should form and empower an overarching, cross-functional “Return to Work Governance / Steering Committee” to oversee the policies, procedures, execution, and audit of the program. This committee at a minimum should include Human Resources, Corporate Compliance, Legal, Employment Law, Risk Management, Corporate Communication, Information Management, Information Security, Employee Health Services, Occupational Health and Safety, Physical Security and yes, Privacy. In order to be successful, a single individual should be appointed to hold ultimate responsibility for the committee’s activities. Moreover, I would extrapolate that this group’s and those individuals’ incentive compensation should be based on such performance, and the reporting structure should be to the Board via Senior Corporate Leadership.
Remember further that Europe defines sensitive personal data as Race, Ethnicity, Political Affiliation, Trade Union Membership, Sexual Orientation, Health Status, Criminal History, Genetic Information and Biometrics. Add to that the focus that we in the U.S. have on regulated data such as government-issued identifiers, health insurance numbers, health information in general, bank account information, credit card numbers and PIN codes. These are the most sensitive forms of information, requiring the highest levels of protection.
But now add to that jurisdictions such as California, which define personal data as data that can directly or indirectly identify a person, or something about them or their family, and all of a sudden a whole new layer of complexity opens up: what is or is not personal data, which combinations of data elements could constitute personal data, and what protections that data must have.
Now meld the above two paragraphs with whatever processes and procedures your Office of General Counsel and Human Resources say are permissible.
The law firm of Bird & Bird has published a COVID-19 Data Protection Guidance which is spectacular in my estimation. Not only does it break Europe down country by country in an easily absorbable format, but it also includes a Q&A section that I believe can serve as a foundation for any company’s return to work policies, procedures, and communication.
The conclusion here is that while the pandemic may be slowing in some places, and companies are earnestly discussing returning to work in the new normal, whatever that is, it is ultimately the execution of that new norm within your own organizational structure that matters.
I once had an attorney counsel me to always take the high road. I would urge every company to take the high road, and the high road can only be executed by deeply examining one’s own organizational structure and culture, identifying the relevant laws, rules, and regulations, having the most senior leadership intimately involved at the execution level (not just oversight), auditing your processes and procedures, and providing full transparency into the process you used, to allow your employees, contractors, consumers, and customers to identify issues.
The future is upon us and it is time to ensure that we address that future in the most comprehensive manner possible while also following leading practices and the law.
To learn more or speak to an Advyz Cyber Risk Services data privacy expert, email us at firstname.lastname@example.org or call (877) ENTISYS.