Personal data processing has come to the forefront during the pandemic. Employers face the challenge of maintaining a healthy workforce while protecting the privacy of its employees. It is important to keep up with the various evolving guidance that is periodically issued and updated by employers’ governing authorities.
For instance, recent enforcement memos reveal that the U.S. Department of Labor has increased its in-person inspections and have required more employers to disclose when employees are infected by COVID-19. In April 2020, the Department of Labor’s Office of Occupational Safety and Health Administration (OSHA) issued interim guidance that classified COVID-19 as a recordable illness, making it reportable to OSHA if the employee’s work environment exposed him or her to the virus. OSHA has since issued its “Revised Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19)” memorandum (OSHA Memorandum) dated May 19, 2020, which replaces its April guidance referenced earlier. Similarly, various European Data Protection Authorities have issued guidance regarding the applicability of the General Data Protection Regulation (GDPR) – widely considered to be the most restrictive privacy law – during the pandemic. Even entities with physical presence only in the United States may be subject to the GDPR.
As states ease COVID-19 pandemic restrictions and businesses begin to reopen, employers increasingly seek to clarify their obligations to employees upon reopening.
In the latest guidance, OSHA continues to classify COVID-19 as an illness, requiring compliance with certain recording and reporting requirements as described below. An employer determining whether a COVID-19 case is “work-related” faces privacy challenges.
Generally, OSHA requires employers (with 10 or more employees) to record all serious work-related illnesses via OSHA Form 300 (Log of Work-Related Injuries and Illnesses), Form 300A (Summary of Work-Related Injuries and Illnesses), or Form 301 (Injury and Illness Incident Report). Employers must also do the following: maintain records of work-related injuries or illnesses for five years; report any worker fatality within eight hours; and report any hospitalization of a worker within 24 hours.
Each year, from February through April, OSHA requires employers to post a summary of the injuries and illnesses recorded the previous year at the workplace. Also, employers must provide copies of the records to current and former employees, or their representatives, upon request. Failure to meet these requirements results in significant monetary fines (ranging from $13,260 to $132,598 per violation depending on severity of offense).
The OSHA Memorandum requires employers to use OSHA Form 300 when recording work-related COVID-19 illnesses and is currently in effect until further notice. Moreover, OSHA classifies COVID-19 as a “privacy concern” case, which means that employees can request that their name be excluded from an employer’s Form 300 log submission and disclosure. Failure to comply with an employee’s request under 29 C.F.R. § 1904.29(b)(10) can result in penalties as articulated under Section 17(a) of the Occupational Safety and Health Act of 1970.
To trigger the reporting requirement, COVID-19 cases must:
• Be confirmed;
• Be work-related as defined under 29 C.F.R. § 1904.5, meaning any identifiable event or exposure caused by the work environment and resulting in the employee’s illness; and
• Involve one or more of the general recording criteria set forth in 29 C.F.R. § 1904.7, meaning cases that result in death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness.
To better understand OSHA’s new requirements, the compliance standard employed by OSHA’s Compliance Safety and Health Officers (CSHOs), who perform inspections, is informative. The OSHA Memorandum asks CSHOs to evaluate the following factors to assess an employer’s compliance with the guidance:
• The reasonableness of the employer’s investigation into work-relatedness;
• The evidence available to the employer; and
• The evidence that a COVID-19 illness was contracted at work.
Based on the foregoing, it is important for an employer to make a reasonable and good-faith effort inquiry regarding the possible causal link between an employee’s COVID-19 infection and his or her occupational duties. Although an employer may be relieved of the obligation to record a case where it cannot reasonably make that determination, the employer should maintain adequate records of its efforts and decision-making process.
Importantly, employers should keep in mind that the guidance explicitly calls for them to respect the privacy of their employees when conducting fact-finding investigations. Given these concerns, it is essential for employers to work closely with their human resources departments to ensure that their company’s COVID-19 record-keeping practices both comply with these new requirements and keep their employees’ privacy secure.
It is important to remember that this new guidance does not provide a waiver to an employee’s right to privacy in the workplace. As mentioned above, COVID-19 is explicitly categorized as a “privacy concern” case under OSHA’s rules. Employers should avoid “extensive medical inquiries” and respect an employee’s request not to disclose their name on its Form 300 log. Finally, when conducting their investigations, employers also need to maintain their employees’ confidentiality as required by various applicable laws (e.g., the Americans with Disabilities Act, HIPAA, and state and federal laws).
The European Data Protection Board (EDPB) is an independent European body that, among other things, promotes uniform application of the GDPR, issues guidance on interpretation of the GDPR and adjudicates disputes concerning cross-border data-processing activities. On April 21, 2020, the EDPB issued guidance regarding the use of location data and contact tracing tools during the pandemic, which apply to both government and private companies that use such tools (such as telecommunications companies). Employers may be affected if they collect personal data in connection with such tools or provide the means for collection of such data. Among other things, the EDPB requires that participation in contract tracing programs should be voluntary and should track proximity information, rather than individual movements. The data should be anonymized as much as possible, which should be accomplished through a transparent process. Various GDPR requirements, including lawful processing (voluntary participation does not necessarily mean that processing will be based on consent), continue to apply.
On March 16, 2020, the EDPB also issued a statement emphasizing the need to ensure protection of personal data during the COVID-19 outbreak. The GDPR notably permits employers and public health authorities to process personal data without the need to obtain consent from the data subject, such as if processing is necessary in furtherance of public health interests, to protect the vital interests of the data subject or another person in an emergency situation, where the data subject is incapable of providing consent, or to comply with a legal obligation (e.g., Articles 6 and 9). Erasure of personal data upon the data subject’s request may also be excused (e.g., Article 17).
It is important to check for legislation from Member States and guidance from the data protection authorities (DPAs) that have jurisdiction over an organization’s data or activities. Much of the guidance issued to date highlights employees’ obligation to act upon the guidance of public health authorities, employers’ obligation to protect their employees and how to balance public interest against privacy considerations.
For instance, the Italian DPA adopted a decree giving the government certain “extraordinary” powers, such as permitting certain data processing and simplifying methods for obtaining consent to process data. While an employee may have an obligation to inform his or her employer of any danger to health and safety at the workplace – particularly where the employee’s duties involve contact with the public – employers are warned against generally collecting or specifically requesting health information about the employee or their contacts outside of the work environment because public health authorities are charged with these investigations. France’s DPA issued similar guidance and warns employers against requiring mandatory temperature readings or employing medical questionnaires. Ireland’s DPA, meanwhile, advises employers to be transparent regarding data processing in connection with the pandemic, secure personal data(particularly health information), limit data collection only to what is necessary to prevent or contain the spread of COVID-19, and document the decision-making process regarding measures implemented to manage COVID-19 as they relate to data processing. The United Kingdom’s (UK) DPA permits collection of certain limited data from employees and office visitors regarding symptoms and travel history, but warns against collecting more data than necessary. It also announced that organizations will not be penalized for failure to reply to data subjects’ requests to exercise their rights under the GDPR in a timely manner, because organizations understandably have to divert resources to maintain operations or adapt their compliance mechanism. It also advised that text messages and other electronic communications from the government or health professionals do not consist of regulated direct marketing communication. Indeed, the UK DPA encourages using the latest technology to facilitate communication to stem public health threats.
The public health situation, and guidance regarding privacy obligations, continue to evolve. The guidance above may be subject to revision or withdrawal. Therefore, each organization should identify relevant regulatory authorities, review guidance issued by those authorities regularly and implement such an informed compliance strategy while balancing business needs.
About the author: Anna Mercado Clark, CIPP/E is a partner at Phillips Lytle LLP and leader of the firm’s Data Security & Privacy and e-Discovery & Digital Forensics Practice Teams. She can be reached at firstname.lastname@example.org or (212) 508-0466.