With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces.  They are confronted with ensuring a safe workplace and minimizing the risk of exposure to COVID-19.  As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.

I. Legal Considerations

There is no universal answer as to whether employers can process information in connection with COVID-19 screenings of employees.  As explained in a prior blog post, the EU is a patchwork of different approaches—for example, while Belgium has issued guidance indicating that employers are not permitted to ask about vaccination status, Austria does allow an employer to collect such data, to the extent it is necessary to ensure workplace safety.

The U.S. is no different.  Recent developments in the U.S., including President Biden’s expansive vaccine mandates announced in his COVID-19 Action Plan, are causing employers to evaluate how they are going to track employee vaccinations and comply with privacy rules.  There are state and federal workplace safety, employment, and privacy laws that provide diverging requirements.  The Equal Employment Opportunity Commission’s guidance clarifies that employers have substantial discretion to request vaccination information and that employers can even mandate vaccinations as long as they accommodate medical or religious exemptions.  In contrast, Montana earlier this year passed legislation prohibiting employers from requiring employees to disclose their vaccination status.  It is unclear how the federal vaccine mandates in the President’s COVID-19 Action Plan will interact with state and local vaccine laws, but we anticipate that the Occupational Safety and Health Administration (OSHA) and/or other federal agencies will address this uncertainty in future rules or guidance.

At least until then, the wide-ranging approaches underscore the importance of evaluating local laws and regulations applicable to processing of health screening information.  It is also critical to recognize that laws are still changing, and businesses must regularly monitor for updates from local government authorities.

II. Best Practices

Even when local laws permit the collection of health screening information, they provide little clarity around the scope of that processing.  In the absence of prescriptive requirements, well-established data protection principles can offer a roadmap of best practices for businesses seeking to mitigate risks.

  • Transparency: Employers should ensure that any privacy notice provided to employees is consistent with the collection, use, disclosure, retention, and disposal of health screening information.  Given the sensitivity, they might consider providing an additional privacy notice to explain the limited purposes for which screening information will be used.
  • Lawful Basis: Employers should identify in advance specific purposes for which screening information is being processed, and ensure there are controls in place to limit use to those purposes.  Any processing for those purposes should be necessary and proportional.
  • Minimization: Employers should process the minimum information necessary, such as collecting screening information only from in-person employees—if there is no reasonable business need to collect from employees who will continue to work remotely.  Employers should limit secondary or unrelated processing of screening information to only as required or authorized by law.
  • Retention: Employers should set a retention schedule and might even consider implementing a process to safely delete records as soon as the pandemic is declared over by public health or other government authorities.  Note that in some jurisdictions there may be requirements to store screening information for a minimum period of time or to store it in a file logically separate from the general personnel file.
  • Security: Employers should implement technical and administrative safeguards to protect information, such as restricting access to screening records only to individuals responsible for monitoring workplace health and safety.  The employer should store screening records securely in accordance with security requirements for the most sensitive categories of personal data.
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Michelle Barineau Michelle Barineau

Michelle Barineau counsels U.S. and multinational clients on a broad range of employment issues. Michelle routinely provides guidance pertaining to wage and hour compliance, job classifications, pay equity, and employee leave. She also prepares key employment documents including employment agreements, employee policies, and…

Michelle Barineau counsels U.S. and multinational clients on a broad range of employment issues. Michelle routinely provides guidance pertaining to wage and hour compliance, job classifications, pay equity, and employee leave. She also prepares key employment documents including employment agreements, employee policies, and separation agreements.

Michelle guides employers through hiring and terminating employees and managing their performance, as well as workforce change strategies, including reorganizations, reductions in force, and WARN compliance. In addition, Michelle provides practical advice about workplace issues impacting employers including remote work, workplace culture, diversity, equity, and inclusion, and the use of artificial intelligence in the workplace. She helps clients navigate matters involving harassment, discrimination, non-competition, and other issues arising under state and federal employment laws including Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Equal Pay Act, the Family and Medical Leave Act, and the Fair Labor Standards Act. She assists clients when responding to agency charges and demand letters, including whistleblower retaliation complaints, and frequently interacts with the Equal Employment Opportunity Commission, state and local equal employment opportunity agencies, and the Occupational Safety and Health Administration.

Michelle has experience investigating employment complaints and she frequently partners with white collar colleagues to conduct sensitive internal investigations, workplace culture assessments, and racial equity audits. She works with colleagues in the privacy, employee benefits and executive compensation, and corporate groups when employment matters arise and she regularly works with colleagues in California to advise on matters implicating California employment laws. Michelle is a co-founder of Covington’s AI Roundtable, which convenes senior lawyers at the firm working closely on AI issues to discuss legal implications of AI deployment and use.