With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces.  They are confronted with ensuring a safe workplace and minimizing the risk of exposure to COVID-19.  As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.

I. Legal Considerations

There is no universal answer as to whether employers can process information in connection with COVID-19 screenings of employees.  As explained in a prior blog post, the EU is a patchwork of different approaches—for example, while Belgium has issued guidance indicating that employers are not permitted to ask about vaccination status, Austria does allow an employer to collect such data, to the extent it is necessary to ensure workplace safety.

The U.S. is no different.  Recent developments in the U.S., including President Biden’s expansive vaccine mandates announced in his COVID-19 Action Plan, are causing employers to evaluate how they are going to track employee vaccinations and comply with privacy rules.  There are state and federal workplace safety, employment, and privacy laws that provide diverging requirements.  The Equal Employment Opportunity Commission’s guidance clarifies that employers have substantial discretion to request vaccination information and that employers can even mandate vaccinations as long as they accommodate medical or religious exemptions.  In contrast, Montana earlier this year passed legislation prohibiting employers from requiring employees to disclose their vaccination status.  It is unclear how the federal vaccine mandates in the President’s COVID-19 Action Plan will interact with state and local vaccine laws, but we anticipate that the Occupational Safety and Health Administration (OSHA) and/or other federal agencies will address this uncertainty in future rules or guidance.

At least until then, the wide-ranging approaches underscore the importance of evaluating local laws and regulations applicable to processing of health screening information.  It is also critical to recognize that laws are still changing, and businesses must regularly monitor for updates from local government authorities.

II. Best Practices

Even when local laws permit the collection of health screening information, they provide little clarity around the scope of that processing.  In the absence of prescriptive requirements, well-established data protection principles can offer a roadmap of best practices for businesses seeking to mitigate risks.

  • Transparency: Employers should ensure that any privacy notice provided to employees is consistent with the collection, use, disclosure, retention, and disposal of health screening information.  Given the sensitivity, they might consider providing an additional privacy notice to explain the limited purposes for which screening information will be used.
  • Lawful Basis: Employers should identify in advance specific purposes for which screening information is being processed, and ensure there are controls in place to limit use to those purposes.  Any processing for those purposes should be necessary and proportional.
  • Minimization: Employers should process the minimum information necessary, for example by collecting screening information only from in-person employees if there is no reasonable business need to collect it from employees who will continue to work remotely.  Employers should limit secondary or unrelated processing of screening information to what is required or authorized by law.
  • Retention: Employers should set a retention schedule and might even consider implementing a process to safely delete records as soon as the pandemic is declared over by public health or other government authorities.  Note that in some jurisdictions there may be requirements to store screening information for a minimum period of time or to store it in a file logically separate from the general personnel file.
  • Security: Employers should implement technical and administrative safeguards to protect information, such as restricting access to screening records only to individuals responsible for monitoring workplace health and safety.  The employer should store screening records securely in accordance with security requirements for the most sensitive categories of personal data.
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Michelle Barineau

Michelle Barineau counsels clients on a broad range of labor and employment issues. She helps clients navigate matters involving discrimination, harassment, family and medical leave, wage and hour compliance, non-competition, trade secrets, and other issues arising under state and federal employment laws. She routinely provides guidance pertaining to employee handbooks, employment agreements, and workplace policies. Michelle also has experience investigating employment complaints and she frequently partners with white collar colleagues to conduct internal workplace culture assessments and audits in the wake of the #MeToo movement.