So, You Want to Take My Temperature?


How to Protect Employee Data

The COVID-19 pandemic has not only changed the way we live; it has also changed the way we conduct business. 

In 2022, businesses are focused on bringing employees back to work safely while protecting valued clients and customers. 

In a good faith effort to comply with public health guidelines, many businesses are collecting additional health-related information from employees. 

For example, businesses may be taking employee temperatures, dealing with contact tracing and exposure notifications, and supporting employees impacted by infection or exposure. 

The collection and processing of health information raises issues under data privacy & security laws, and companies need to ensure they meet their legal obligations with respect to this data.

Steps every business should take

To ensure compliance with data privacy and security laws, companies bringing employees back to the workplace and implementing employee health screening programs should follow these steps:

  • Avoid storing employee temperature data - If your company plans to take employee temperatures, where possible, don’t record or store them.

  • Focus on your employee’s health - You can ask employees about their current state of health, but don’t ask about the health of family members or for information about the employee’s activities outside of work.

  • Keep health information confidential - Records containing employee health-related information must be treated as confidential medical records (kept separate from personnel records).

  • Review data privacy notices and policies - Ensure that any data privacy notices and/or policies relating to employee personal information reflect actual data collection practices.

  • Keep names of at-risk employees confidential - Don’t disclose the names of employees who are quarantined, infected, or otherwise impacted by COVID-19 to anyone in the company except for those who have a specific need to know.

  • Limit information disclosed for contact tracing - When informing colleagues who have potentially been exposed, only disclose the location and timeframe of the potential exposure.

  • Get explicit consent to share health information - Before sharing health-related information with healthcare providers & family members for treatment purposes, get explicit consent from the employee.

  • Seek legal advice for government reporting - Before sharing employee health information with government agencies (which in some cases can be done without the employee’s consent), be sure to obtain legal advice.

  • Implement robust data security measures - Health-related data is subject to increased protections under data privacy laws. Make sure to protect data from external threats (hacks) and internal threats (unauthorized access).

  • Strengthen contracts with service providers - If employee health-related data is shared with a third-party service provider, be sure your contracts contain robust data privacy & security requirements, including strong indemnity & audit rights in case of a data breach.

Is your company collecting or processing new types of personal information due to the pandemic?

Are you unsure about the legal requirements that apply to your organization?

Contact us for help with these and other data privacy and security issues or connect with me on LinkedIn.
