COVID-19 and CCPA – Updates and Best Practices
COVID-19 has become part of daily life for people across the globe, and as cities, states and countries manage the pandemic, companies are evaluating screening programs to mitigate the risk of spreading the disease. As a practical matter, that has meant increased collection of data through symptom and temperature screening, among other protocols. While the primary concern is to ensure the health and safety of the public, these practices have privacy implications which companies need to understand in order to ensure they are complying with various data privacy laws like GDPR and CCPA.
How do companies typically conduct screenings?
Temperature screening can be conducted in a number of ways. Employers could request that their employees self-report their temperature, HR staff could conduct the screenings on-site manually or a company could choose to employ an automated no-contact screening method (such as infrared scanners, thermal scanning devices, or wearable technologies). Companies could also request that their employees self-identify COVID-19 symptoms, or have staff monitor and report symptoms that they see in the workplace.
Collecting information through these protocols could come with heightened privacy obligations due to the potential sensitivity of the information. Regardless of whether this information is collected from employees working remotely or at the office, companies should look to mitigate privacy and security compliance risks by considering the following when implementing policies and processes on this topic.
Understand privacy implications when determining your approach.
The less sensitive information you have, the less likely it is that you’ll run afoul of privacy laws, so reducing the breadth and depth of data you collect on this matter should reduce your exposure for violation. Regardless of the methods you choose, screening protocols may trigger obligations regarding:
- State Data Breach Laws: Each U.S. state has enacted a data breach notification statute which could require a company to notify individuals, credit reporting and investigative agencies of the breach. The more sensitive the data (such as health information obtained during screenings), the higher likelihood that these state statutes and related obligations will be triggered.
- California Consumer Privacy Act (“CCPA”): If you implement a temperature screening program, CCPA (for California residents) require that your privacy statements and disclosures clearly state what is being collected, how it is being used, and how it is being shared. CCPA also gives an employee certain rights to access the information or have it deleted.
- Americans With Disabilities Act (“ADA”): The ADA prohibits an employer from making disability-related inquiries and requiring medical examinations of employees, except under limited circumstances. Given the public policy issues around COVID-19, testing specifically related to COVID-19 can occur, but broader monitoring or inquiries cannot. Also, be careful regarding the disclosure of any test results.
- Global Data Protection Regulation (“GDPR”): GDPR, Europe’s data privacy regulation, requires COVID-19 related information, even if it just notes that a temperature is “high” or “within a normal range,” to be categorized as a “special category of personal data”. The GDPR generally prohibits processing of this kind of data unless you can meet certain legal grounds and thresholds.
- Health Information Portability and Accountability Act (“HIPAA”): It is not likely that COVID-19 screenings would trigger a HIPAA obligation because an employer’s HIPAA obligations are generally limited only to covered health plans that are sponsored by the business, however given the novel nature of the pandemic this remains somewhat of an open question.
If you’re collecting biometric information, make sure you’re properly disclosing your process and obtaining affirmative consent.
Body temperature, by itself, is typically not considered to be biometric information; however, face scans and fingerprints are. Many state laws, most notably CCPA, require businesses to provide adequate notice and, at times, obtain affirmative consent before collecting biometric information from individuals.
If you’re using a third-party to assist with screening, do your due diligence.
It is important to review agreements with third-parties assisting with screening and make sure that they include sufficient privacy and security provisions that address their obligations and limited use rights as it relates to the personal information being collected through the screening.
Protect and keep confidential the information collected from employees.
Information collected from screenings must be adequately protected and kept confidential, and shared strictly on a need-to-know basis and in compliance with various privacy laws. Information about an employee’s illness should be kept as a confidential medical record, separate from the employee’s personnel file.
Additionally, many state laws, such as New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) requires businesses to implement and maintain information security protocols, and its definition of personal information includes biometric information.
As companies around the world continue to acclimate to the new realities of COVID-19, they should stay mindful of conducting their business within the parameters of data privacy laws. California’s Attorney General has publicly stated that CCPA enforcement will not be postponed due to COVID-19, and the penalties imposed by CCPA, and other data privacy laws, could be catastrophic for noncompliant companies.
Clym can help. Contact us today to learn how we can help, or schedule a demo with one of our team members who can show you how our platform can offer you a cost-effective way to get and stay compliant.