With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces. They are confronted with the task of ensuring a safe workplace and minimizing the risk of exposure to COVID-19. As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.
I. Legal Considerations
There is no universal answer as to whether employers can process information in connection with COVID-19 screenings of employees. As explained in a prior blog post, the EU is a patchwork of different approaches—for example, while Belgium has issued guidance indicating that employers are not permitted to ask about vaccination status, Austria does allow an employer to collect such data, to the extent it is necessary to ensure workplace safety.
The U.S. is no different. Recent developments in the U.S., including President Biden’s expansive vaccine mandates announced in his COVID-19 Action Plan, are causing employers to evaluate how they are going to track employee vaccinations and comply with privacy rules. There are state and federal workplace safety, employment, and privacy laws that provide diverging requirements. The Equal Employment Opportunity Commission’s guidance clarifies that employers have substantial discretion to request vaccination information and that employers can even mandate vaccinations as long as they accommodate medical or religious exemptions. In contrast, Montana earlier this year passed legislation prohibiting employers from requiring employees to disclose their vaccination status. It is unclear how the federal vaccine mandates in the President’s COVID-19 Action Plan will interact with state and local vaccine laws, but we anticipate that the Occupational Safety and Health Administration (OSHA) and/or other federal agencies will address this uncertainty in future rules or guidance.
At least until then, the wide-ranging approaches underscore the importance of evaluating local laws and regulations applicable to processing of health screening information. It is also critical to recognize that laws are still changing, and businesses must regularly monitor for updates from local government authorities.
II. Best Practices
Even when local laws permit the collection of health screening information, they provide little clarity around the scope of that processing. In the absence of prescriptive requirements, well-established data protection principles can offer a roadmap of best practices for businesses seeking to mitigate risks.
- Transparency: Employers should ensure that any privacy notice provided to employees is consistent with the collection, use, disclosure, retention, and disposal of health screening information. Given the sensitivity of this information, they might consider providing an additional privacy notice to explain the limited purposes for which screening information will be used.
- Lawful Basis: Employers should identify in advance specific purposes for which screening information is being processed, and ensure there are controls in place to limit use to those purposes. Any processing for those purposes should be necessary and proportional.
- Minimization: Employers should process the minimum information necessary, such as collecting screening information only from in-person employees if there is no reasonable business need to collect it from employees who will continue to work remotely. Employers should limit secondary or unrelated processing of screening information to what is required or authorized by law.
- Retention: Employers should set a retention schedule and might even consider implementing a process to safely delete records as soon as the pandemic is declared over by public health or other government authorities. Note that in some jurisdictions there may be requirements to store screening information for a minimum period of time or to store it in a file logically separate from the general personnel file.
- Security: Employers should implement technical and administrative safeguards to protect information, such as restricting access to screening records to individuals responsible for monitoring workplace health and safety. The employer should store screening records securely in accordance with security requirements for the most sensitive categories of personal data.