COVID-19 has become part of daily life for people across the globe, and as cities, states and countries manage the pandemic, companies are evaluating screening programs to mitigate the risk of spreading the disease. As a practical matter, that has meant increased collection of data through symptom and temperature screening, among other protocols. While the primary concern is to ensure the health and safety of the public, these practices have privacy implications that companies need to understand in order to ensure they are complying with data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Temperature screening can be conducted in a number of ways. Employers could request that their employees self-report their temperature, HR staff could conduct the screenings on-site manually or a company could choose to employ an automated no-contact screening method (such as infrared scanners, thermal scanning devices, or wearable technologies). Companies could also request that their employees self-identify COVID-19 symptoms, or have staff monitor and report symptoms that they see in the workplace.
Collecting information through these protocols could come with heightened privacy obligations due to the potential sensitivity of the information. Regardless of whether this information is collected from employees working remotely or at the office, companies should look to mitigate privacy and security compliance risks by considering the following when implementing policies and processes on this topic.
The less sensitive information you have, the less likely it is that you’ll run afoul of privacy laws, so reducing the breadth and depth of data you collect on this matter should reduce your exposure for violation. Regardless of the methods you choose, screening protocols may trigger obligations regarding:
Body temperature, by itself, is typically not considered to be biometric information; however, face scans and fingerprints are. Many state laws, most notably CCPA, require businesses to provide adequate notice and, at times, obtain affirmative consent before collecting biometric information from individuals.
It is important to review agreements with third parties assisting with screening and make sure that they include sufficient privacy and security provisions that address those parties' obligations and limited use rights as they relate to the personal information being collected through the screening.
Information collected from screenings must be adequately protected and kept confidential, and shared strictly on a need-to-know basis and in compliance with various privacy laws. Information about an employee’s illness should be kept as a confidential medical record, separate from the employee’s personnel file.
Additionally, many state laws, such as New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), require businesses to implement and maintain information security protocols, and their definitions of personal information include biometric information.
As companies around the world continue to acclimate to the new realities of COVID-19, they should stay mindful of conducting their business within the parameters of data privacy laws. California’s Attorney General has publicly stated that CCPA enforcement will not be postponed due to COVID-19, and the penalties imposed by the CCPA and other data privacy laws could be catastrophic for noncompliant companies.
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
You can see Clym in action for yourself by booking a demo or reaching out to us to discuss your specific needs today.