Published On August 21, 2020As the world reemerges from shutdowns, organizations are challenged to balance privacy vs security considerations as they develop reopening protocols.
As the world re-emerges from shutdowns due to COVID-19, organizations are balancing the need to protect their employees and customers with an obligation to protect the privacy of workers and their families. It’s a challenging moment.
Managers are anxious to open their doors in this changed world so they can keep their businesses afloat. Some large organizations are talking about contact tracing and taking temperatures on a daily basis for their workforces. Employees even have to weigh the risk of going to work with the possibility of being exposed to COVID-19.
Given concerns about a resurgence of COVID-19 cases as the “Great Pause” ends, workers also have to face the probability of being questioned about their health in ways that were unimaginable just a few months ago: Do they have symptoms of COVID-19? Do they have a temperature? Do they have to answer these questions? As organizations reopen and individuals head back to workplaces, it’s safe to say that privacy vs security concerns are on everyone’s mind right now.
The Privacy vs Security Problem in a Post-COVID World
Generally, employers have “an obligation to protect the well-being and health of employees,” explains Iron Mountain’s Global Privacy Officer Michael Zurcher. For instance, in the United States the Occupational Safety and Health Administration requires employers to provide a safe workplace. At the same time, health information and other sensitive data about workers cannot be disclosed without a worker’s consent unless there is a statutory obligation to do so. In the past, an employer might be aware of a worker’s cancer diagnosis or other illness, but there would not have been any legal reason to alert colleagues about their co-worker’s condition.
But the ease with which COVID-19 is transmitted, and the potentially dire consequences of contracting the virus given the lack of a real treatment for it, means that employers, workers and customers may want to know if an employee has come down with the coronavirus. Zurcher explains that the challenge for employers seeking to make sure their workforce is healthy while simultaneously protecting the privacy of workers is exacerbated, because there has not been clear guidance from regulators on this subject.
Incorporate Privacy by Design Into Reopening Protocols
What exactly an employer could or should do becomes a balancing act in those jurisdictions where the law is not precise about an organization’s obligations in a post-pandemic world, Zurcher says. Generally, “organizations need to be in a position to justify more invasive approaches” to questioning and even possibly testing their employees, Zurcher suggests.
Organizations should think about the information they really need to collect, Zurcher advises. The type of work some businesses do may merit a more strident inquiry into employee health and activities than others. Nursing homes, where workers have a lot of close contact with residents, may need more stringent employer assessment and monitoring of workers than other workplaces where staff and clients have limited contact with each other.
The U.S. Centers for Disease Control and Prevention suggests that employers alert fellow employees about any exposure to COVID-19 if a worker tests positive. At the same time, employers should not disclose the sick employee’s identity, pursuant to the requirements of the Americans with Disabilities Act, the CDC notes. Reporting obligations can vary by jurisdiction and may also depend on the federal laws to which a given employer is subject.
What Data Do You Really Need?
An employer might simply identify certain symptoms and ask workers individually if they have experienced any of those symptoms. If a worker has any, then certain consequences may be identified in any return-to-work protocol being developed by an organization. The worker might have to return home, see a doctor, get tested and so on.
Leadership at some entities have expressed an interest in using contact tracing apps that would allow them to determine whether workers are socially distancing while on the job. Such apps also might be useful for alerting others if an individual is diagnosed with COVID-19. At the same time, contact tracing apps pose plenty of dilemmas: If individuals have to opt in, are they of much use if someone opts out? Will contacts still be traced during out-of-office time? How will data — particularly any personally identifiable information — be managed?
Data Privacy Challenges Already Emerging
Incorporating contact tracing into this new normal has posed challenges for governments already. Germany came under fire earlier this year when it initially pursued a more centralized approach to contract tracing, where smartphones would be used to determine whether individuals were in close contact for periods of time. Should someone be diagnosed with COVID-19, contacts who may have been exposed could be alerted via contact tracing information stored on a remote computer server.
Concerns about the possibility for excessive government surveillance led Germany to opt for a decentralized, app-based approach that does not allow the government to have access to health data if the contract tracing app has been deleted. Apple and Google have worked together to develop an app that enables a decentralized approach to contact tracing that incorporates Bluetooth technology. If an individual opts in and contracts the coronavirus, that person can notify other contacts anonymously via their cellphones.
Scale Privacy vs Security Approaches According to Risk
Organizations trying to do the right thing for privacy and security during this fraught time are struggling to determine what information to collect about their employees, Zurcher acknowledges. Ultimately, what they might do is “design their approach relative to the risk involved,” he suggests. An organization can begin by reconfiguring its workplace to allow social distancing and to use devices that beep if individuals get too close to one another. If people refuse to comply, or if an outfit is operating in a high-risk area or with people with a sensitive history, then more protective measures should be taken, he suggests.
At a moment when everyone is trying to get this right, such a risk-based approach honors an individual’s privacy rights while protecting workers, customers and even the public at large.