With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces.  They are confronted with ensuring a safe workplace and minimizing the risk of exposure to COVID-19.  As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.

I. Legal Considerations

There is no universal answer as to whether employers can process information in connection with COVID-19 screenings of employees.  As explained in a prior blog post, the EU is a patchwork of different approaches—for example, while Belgium has issued guidance indicating that employers are not permitted to ask about vaccination status, Austria does allow an employer to collect such data, to the extent it is necessary to ensure workplace safety.

The U.S. is no different.  Recent developments in the U.S., including President Biden’s expansive vaccine mandates announced in his COVID-19 Action Plan, are causing employers to evaluate how they are going to track employee vaccinations and comply with privacy rules.  There are state and federal workplace safety, employment, and privacy laws that provide diverging requirements.  The Equal Employment Opportunity Commission’s guidance clarifies that employers have substantial discretion to request vaccination information and that employers can even mandate vaccinations as long as they accommodate medical or religious exemptions.  In contrast, Montana earlier this year passed legislation prohibiting employers from requiring employees to disclose their vaccination status.  It is unclear how the federal vaccine mandates in the President’s COVID-19 Action Plan will interact with state and local vaccine laws, but we anticipate that the Occupational Safety and Health Administration (OSHA) and/or other federal agencies will address this uncertainty in future rules or guidance.

At least until then, the wide-ranging approaches underscore the importance of evaluating local laws and regulations applicable to processing of health screening information.  It is also critical to recognize that laws are still changing, and businesses must regularly monitor for updates from local government authorities.

II. Best Practices

Even when local laws permit the collection of health screening information, they provide little clarity around the scope of that processing.  In the absence of prescriptive requirements, well-established data protection principles can offer a roadmap of best practices for businesses seeking to mitigate risks.

  • Transparency: Employers should ensure that any privacy notice provided to employees is consistent with the collection, use, disclosure, retention, and disposal of health screening information.  Given the sensitivity, they might consider providing an additional privacy notice to explain the limited purposes for which screening information will be used.
  • Lawful Basis: Employers should identify in advance specific purposes for which screening information is being processed, and ensure there are controls in place to limit use to those purposes.  Any processing for those purposes should be necessary and proportional.
  • Minimization: Employers should process the minimum information necessary, such as collecting screening information only from in-person employees if there is no reasonable business need to collect it from employees who will continue to work remotely.  Employers should limit secondary or unrelated processing of screening information to what is required or authorized by law.
  • Retention: Employers should set a retention schedule and might even consider implementing a process to safely delete records as soon as the pandemic is declared over by public health or other government authorities.  Note that in some jurisdictions there may be requirements to store screening information for a minimum period of time or to store it in a file logically separate from the general personnel file.
  • Security: Employers should implement technical and administrative safeguards to protect information, such as restricting access to screening records only to individuals responsible for monitoring workplace health and safety.  The employer should store screening records securely in accordance with security requirements for the most sensitive categories of personal data.
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

James Yoon

James Yoon is an associate in the firm’s Data Privacy and Cybersecurity Practice Group. Prior to joining the firm, he served as a law clerk to Judge J. Clifford Wallace on the U.S. Court of Appeals for the Ninth Circuit and Judge Barbara M.G. Lynn on the U.S. District Court for the Northern District of Texas.

James is a member of the Bar of California. District of Columbia bar application pending; supervised by principals of the firm.

Michelle Barineau

Michelle Barineau counsels clients on a broad range of labor and employment issues. She helps clients navigate matters involving discrimination, harassment, family and medical leave, wage and hour compliance, non-competition, trade secrets, and other issues arising under state and federal employment laws. She routinely provides guidance pertaining to employee handbooks, employment agreements, and workplace policies. Michelle also has experience investigating employment complaints and she frequently partners with white collar colleagues to conduct internal workplace culture assessments and audits in the wake of the #MeToo movement.