
The world is no longer as it once was. As we continue the process of immunization, self-isolation, social distancing, satisfying our travel itch, and yes…returning to work, there is a bit of consternation about what can and cannot be asked of employees as they transition back to the office.

I acknowledge that many employees will not be returning to the “old normal” and will instead have a “new normal”: a hybrid environment combining some semblance of remote work with in-office meetings. Today, those of us who are consultants must not only follow our own company’s requirements but must also be aware of the requirements and cultures of the organizations we serve.

So, with all that said, below are some privacy considerations for organizations looking to bring employees back into the office.

One of the most serious challenges we will face as employees return to work is tied directly to workplace privacy and the security of personal data. These challenges primarily revolve around the “lawful” processes for screening employees for COVID-19 (whether overtly or covertly) and then what to do with both negative and positive results. Examples specifically identified include, but are not limited to, diagnostic tests, tests for antibodies, workplace monitoring applications, requirements (or lack thereof) for immunization, employee consent, temperature scans, thermal scanners, substantive health questions, etc.

In the United States, the Equal Employment Opportunity Commission (EEOC) updated its COVID-19 guidance on December 16, 2020. This updated guidance, amongst other items, includes a new section providing information to employers and employees about how a COVID-19 vaccination interacts with the legal requirements of the Americans with Disabilities Act (ADA), Title VII of the Civil Rights Act of 1964, and the Genetic Information Nondiscrimination Act (GINA). The updated guidance is available on the EEOC’s website.

Two of the questions addressed in the guidance are:

  • How much information may an employer request from an employee who calls in sick in order to protect the rest of its workforce during the COVID-19 pandemic?
  • When screening employees entering the workplace during this time, may an employer only ask employees about COVID-19 symptoms that the EEOC has identified as examples, or may it ask about symptoms identified by public health authorities associated with COVID-19?

This is just one tidbit of the plethora of guidance we have seen around the globe. In the U.S., state and local governments are also weighing in. In Europe, individual countries, provinces, and the EU as a whole are weighing in. AsiaPac is the same.

So, what should a company do?

First, the company should form and empower an overarching, cross-functional “Return to Work Governance / Steering Committee” to oversee the policies, procedures, execution, and audit of the program. At a minimum this committee should include Human Resources, Corporate Compliance, Legal, Employment Law, Risk Management, Corporate Communication, Information Management, Information Security, Employee Health Services, Occupational Health and Safety, Physical Security and yes…Privacy. In order to be successful, a single individual should be appointed to hold ultimate responsibility for the committee’s activities. Moreover, I would go further: the incentive compensation of this group and of those individuals should be tied to the program’s performance, and the committee should report to the Board via Senior Corporate Leadership.

Remember further that the GDPR’s special categories of personal data (Article 9) cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation, and that data relating to criminal convictions and offences (Article 10) is subject to similar restrictions. Add to that the focus that we in the U.S. place on regulated data such as government-issued identifiers, health insurance numbers, health information in general, bank account information, credit card numbers and PINs. These are the most sensitive forms of information, requiring the highest levels of protection.

Now add jurisdictions such as California, which define personal data as data that can directly or indirectly identify a person, something about them, or their household, and all of a sudden a whole new complexity opens up: what is or is not personal data, which combinations of data elements could together constitute personal data, and what protections that data must have.

Now combine the above two paragraphs with whatever processes and procedures your Office of General Counsel and Human Resources say are permissible, and meld the two together.

The law firm Bird & Bird has published COVID-19 data protection guidance which is spectacular in my estimation. Not only does it break Europe down country by country in an easily absorbable format, but it also includes a Q&A section that I believe can serve as a foundation for any company’s return-to-work policies, procedures, and communication.

The conclusion here is that while the pandemic may be slowing in some places, and companies are earnestly discussing a return to work in the new normal, whatever that is, it is ultimately the execution of that new norm within your own organizational structure that matters.

I once had an attorney counsel me to always take the high road. I would urge every company to take the high road, and the high road can only be executed by deeply examining one’s own organizational structure and culture, identifying the relevant laws, rules and regulations, having the most senior leadership intimately involved at the execution level (not just oversight), auditing your processes and procedures, and providing full transparency about the process you used so that your employees, contractors, consumers, and customers can identify issues.

The future is upon us, and it is time to ensure that we address it in the most comprehensive manner possible while also following leading practices and the law.

To learn more or speak to an Advyz Cyber Risk Services data privacy expert, email us at advyz@entisys360.com or call (877) ENTISYS.
