In addition to the potential uses of contact-tracing apps, discussed recently in episode 1 of the Global Solutions series, most employers now conduct some form of employee screening or monitoring to help prevent the spread of COVID-19 in the workplace and protect staff.
Processing employee information raises various data protection issues and requires compliance with certain data privacy obligations both within and outside the United States. Generally, irrespective of which particular law applies, there will be a requirement for employers to handle any captured information lawfully, fairly, and transparently.
This installment of the Global Solutions series focuses on such compliance obligations and whether employee consent can be relied upon in the United States and the European Union (EU) as a legal basis for processing COVID-19–related data.
What Counts as Valid Consent?
The General Data Protection Regulation (GDPR) governs the processing of personal data within the EU. Under the GDPR, consent must be affirmative and “freely given, specific, informed and unambiguous” to be valid.
The GDPR also requires companies to keep records of the consent provided. Therefore, it is important to have evidence of who consented, when the individual consented, what the individual was told at the time of consent, how the individual consented, and whether the individual has withdrawn consent.
U.S. law is sector-driven and subject to requirements imposed at both the federal and state levels. Some sectors (e.g., healthcare and finance) are governed by industry-specific laws that impose obligations on activities within that sector. In addition, some states condition the use and disclosure of certain kinds of information on consent (e.g., biometric information in Illinois).
Each law, whether at the federal or state level, may include its own rules for what qualifies as valid consent or authorization. Where consent is required, some laws demand explicit, written consent and place conditions on the form and content of that consent. Other laws permit passive consent, barring uses or disclosures only if consent is withdrawn.
Consent in the Context of COVID-19
The issue of consent is central to any measures employers may seek to take, and consent will likely be needed to effectively administer employee testing or monitoring. However, from a data protection perspective, consent by itself is not necessarily sufficient grounds for the processing of employee information.
In the context of the employer-employee relationship, some jurisdictions take the view that employees cannot give valid consent to requests from their employers because of the unequal relationship between the parties: an employee weighing a request against concerns about job security is not choosing freely. Given the requirements for valid consent, including the ability under the GDPR for individuals to withdraw consent at any point, relying on employee consent as the only lawful basis for processing personal data may often be impractical.
In light of these concerns, the legal grounds upon which an employer may rely to process employee data typically include performance of an employment contract (e.g., for pay purposes, compliance with legal obligations such as the need to make income tax deductions) or the legitimate interests of the employer (e.g., processing data in order to effectively manage the employment relationship). The latter must be balanced against the privacy rights of the employee.
Generally, both in the EU and the United States, employers may carry out health testing or monitoring of employees when there is a good reason for doing so, as data protection law does not prevent employers from taking the necessary steps to keep their employees and the public safe during the pandemic. In the context of COVID-19 and employee health screenings, health monitoring, and data sharing, employers may be able to rely on one or more of the following:
- An obligation to ensure the health, safety, and welfare of employees
- The need to assess an employee’s ability to work
- Reasons of public health
The above grounds may generally be a “safer” basis for processing employee data than relying solely on consent. However, employers should be mindful that, separate from the need to identify an appropriate legal basis, additional conditions for processing may need to be satisfied.
Health Information as Sensitive Information
Any data relating to COVID-19 screening or monitoring will likely be classified as sensitive or special category personal data under applicable data privacy laws in the EU, or as confidential medical information in the United States.
Prior to implementing any measures, employers may want to assess what data protection risks exist and carefully assess who is collecting the information and how that information will be transferred and accessed within and outside the company. Employers in the EU must perform a written Data Protection Impact Assessment (DPIA) prior to processing or transferring sensitive information or information used to monitor employees. A DPIA must contain (1) a description of the processing operation along with the “purposes of the processing, including, where applicable, the legitimate interest” for the processing; (2) “an assessment of the necessity and proportionality of the processing operation in relation to the purposes”; (3) “an assessment of the risks to the rights and freedoms of [the] data subjects”; and (4) the measures to be taken to mitigate the risks.
Employers may also want to give consideration to particular requirements regarding the format of written documents. For example, if a nurse or other medical professional is brought in as a contractor to conduct testing, rules under the Health Insurance Portability and Accountability Act may require a written authorization in a particular format before health information can be shared with the employer, even if the testing is paid for and conducted on behalf of the company.
Organizations may also want to avoid processing unnecessary data and design any COVID-19 screening or monitoring programs to minimize the collection and use of sensitive information, restrict access to and disclosure of information to a need-to-know basis, and retain information for only as long as is necessary. The nature of the collected data may require employers to inform staff about
- what personal data is required;
- the purposes for which the data will be used;
- why the data will be used;
- with whom it will be shared;
- how long it will be kept; and
- what decisions will be made based on the information.
In light of recent events in the EU, employers may want to think through exactly how and where their COVID-19 screening or monitoring programs collect, store, and access data. The Court of Justice of the European Union’s declaration that Privacy Shield is invalid for purposes of transferring personal information to the United States will complicate matters and for some companies will require redesigning their programs to avoid cross-border transfers or to find different means to permit them.
Managing the Risk
COVID-19 screenings may be a necessary part of today’s workplaces, and careful design of testing and screening programs is important. Knowing which laws apply and the conditions they place on the provision of valid consent may help employers avoid gaps in compliance that can expose them to litigation or enforcement risks. Records showing that notice was provided and consent was obtained may be useful even where such methods cannot themselves form the sole basis for processing employee information. Cooperation is key to the success of employer screening: absent buy-in among employees, information may be incomplete or inaccurate, making the program less effective.