Policy and Privacy Concerns for “COVID-19 Back to Work”

Policy and Privacy Concerns for “COVID-19 Back to Work”

When employees return to the workplace after months of social distancing, they will encounter a dramatically different work environment than the one they remember.  The “new normal” will be characterized by employers’ and employees’ shared concerns about coping with measures taken to minimize COVID-19 health risks and their efficacy for however long such measures remain in place.  Employers and employees will have to adapt to new rules and workspaces that are physically redesigned to promote social distancing, and employees will likely have to accept policies for which there is little precedent in pre-COVID-19 work environments, like the periodic monitoring of personal health status.  Preparing for these changes presents an array of policy choices and challenges that employers need to tackle before reopening in order to minimize risks and ensure employee safety.

Additionally, the pre-COVID-19 work regimen will likely be reimagined to significantly increase opportunities for “telework”—a change that will require a renewed focus by employers and employees alike on personal and business privacy requirements.  Over the past several months, employees have routinely and pervasively accessed confidential business and client-related data from remote locations via myriad devices.  As such practices will likely continue to be a fixture of the “new normal,” employers must meet the multiplicity of attendant privacy-related risks head-on.

The New Landscape for Workplace Policies and Procedures

The EEOC has declined to issue mandatory health and safety requirements for businesses reopening after restrictions enforcing their closure during the first few months of the pandemic are lifted.  It has instead issued a series of publications and updates to provide guidance to employers on appropriate policies and procedures to protect employee health that employers may adopt on a voluntary basis consistent with existing law.[1]  In the absence of compulsory workplace rules to protect employee health, it falls upon individual employers to adopt appropriate policies and procedures that comply with existing law, address novel workplace challenges, and reflect current guidance from an array of federal and state authorities, including the EEOC, the FDA, and the CDC.

In formulating revised workplace policies, employers must be aware that existing EEOC laws, including the Americans with Disabilities Act (the “ADA”) and the Rehabilitation Act, continue to apply during the pandemic.  Nevertheless, the EEOC has stated that these laws “do not interfere with or prevent employers from following the guidelines and suggestions made by the CFC or state/local public health authorities,” and on May 7, 2020, the EEOC specifically affirmed the lawfulness of administering Covid-19 tests, including employee temperature screenings in connection with a process that enables employees to return to the workplace.[2].  This guidance clarified that such testing, whether voluntary or as mandated by the employer, did not violate the ADA.

This guidance leaves space for additional policy concerns regarding health screenings that an employer must think through in advance of reopening.  For example, screening or testing policies and procedures should specifically include protocols for addressing possible objections by employees to testing based on religious or other asserted grounds.  Employers should decide in advance of reopening whether reasonable accommodations to objecting employees can safely be made without negatively impacting the health and welfare of other employees.  This decision requires careful analysis and decision making related to medical and legal issues.  Routinely screening or testing employees for COVID-19 will also result in employers possessing a wealth of personal health information that they are obligated to maintain and protect.  These privacy concerns must be addressed in advance of reopening with policies and procedures that protect both employer and employee.  Finally, employers must consider in advance what criteria will be used to deny employees access to the workspace, how screening/assessment criteria will be presented to employees, whether there is any procedure for reviewing a decision to prohibit an employee from entering a workplace based on measured and identified circumstances, the criteria for permitting an employee who was denied entry to the workplace to return (e.g., such as providing negative test results and completion of a quarantine period), and any collateral consequences to an employee who misses (onsite) work as a result of screening or testing results (e.g., does the employee lose pay or is the employee required to use paid time off).  The array of cost, implementation and legal issues related to common-sense precautions of screening employees for COVID-19 symptoms are suggestive of the myriad challenges facing employers reopening in our “new normal.”

The other factor that complicates employers’ ability to manage risks in this “new normal” is that much about COVID-19 remains unknown.  Employers must, therefore, monitor not only new pronouncements by the EEOC to ensure that revised policies and procedures remain consistent with EEOC guidance, but also updated guidance from the FDA, CDC, and state and local governments, in order to ensure that the screening methodologies and the particular tests administered to employees are accurate and reliable.  

Reducing Reopening Risks

Employers can reduce reopening risks by thinking through and making necessary revisions to existing policies and procedures in advance of reopening.  Policies and procedures that employers should review and revise in light of EEOC and state guidance, as well as state pandemic-related laws, regulations, or orders that affect specific businesses, include policies and procedures related to data privacy, human resources, and DRPs or BCPs.  Revisions to policies and procedures should address:

• Health screening and testing methodologies, including:
  • documentation that the screening and testing methodologies adopted are both (i) “job-related” and (ii) “consistent with business necessity”; and
  • designations of specific screening methodologies and specific COVID-19 disease or antibody tests that have been shown to be safe and accurate.
• Employee disclosures related to Covid-19 screening and testing, including:
  • reasonable disclosures regarding an employer’s requirement that employees be tested and legal basis for testing;
  • reasonable disclosures regarding testing safety and risks associated with both false positives and false negatives;
  • explanation of circumstances under which waivers or exceptions would be granted;
  • the criteria that constitute a “positive” test or a “failed”; and
  • the protocols that the employer will follow in the event that an employee tests positive for Covid-19 or fails a Covid-19 screening.
• The impact of COVID-19 on ADA-related issues or employees with underlying medical conditions that put them at increased risk.
• How screening and testing will be conducted, including how staff will be trained to perform screening or testing and whether a qualified third-party vendor should be used to conduct that training or should be used in lieu of staff to conduct screening and testing (after the vendor’s privacy protocols have been reviewed and been deemed compliant with company policy).
• Strict confidentiality protocols and procedures designed to ensure adequate protection for the volume of confidential employee-related medical data that your business will maintain and preserve.
• Protocols to ensure effective monitoring of CDC, FDA and EEOC updates, and guidance and to require the timely revision of firm policies and procedures as necessary in response to changes in the guidance. 

Additionally, employers should consider adopting a protocol to address potential employee concerns about any actual or perceived disparate impacts of screening or testing, denials of return to site and standards for post denial clearances on racial and ethnic minorities.  Such concerns were raised, for example, in a June 1, 2020 letter from Travis LeBlanc, member of the Privacy and Civil Liberties Oversight Board, to the Department of Homeland Security (“DHS”) in the context of the TSA’s conducting passenger temperature checks and potentially prohibiting a passenger from travelling based on those results.  Mr. LeBlanc’s letter challenged the TSA’s legal basis for administering temperature checks and cited CDC conclusions about the reliability and accuracy of such checks and their differential impacts on racial and ethnic minorities and transparency of biometric information practices.  Employers who decide to use biometric testing at points of office entry should be prepared to address such concerns and should evaluate in advance any possible civil litigation exposure.

Key Privacy Considerations for a Secure “New Normal”

Evaluating and revising data privacy policies, both in light of employees’ increased accessing of sensitive company or third-party data from remote locations and of the wealth of employee and third-party health data that employers are likely to acquire, will be just as critical to de-risking the “new normal” as evaluating and revising employee and workplace policies.  These are the kinds of questions that employees should be asking now:

• Has a “needs analysis” been performed to assess the effectiveness of current privacy and security policies and procedures?
  • If so, what were the results?  What remediation efforts were undertaken to address deficiencies? 
  • What specific conclusions were drawn regarding increased reliance on remote access?
  • What system enhancements are necessary to enhance privacy protections for sensitive client, vendor, or other third-party data?
• Have any data security breaches been identified, whether resulting from onsite or remote use of computer systems, that affected the personal or business data of enterprise clients, employees, vendors, or other retained third parties?
  • If a breach has been identified, were affected parties notified?  If not, was the failure to notify them due to the absence of any relevant policy or was the failure more purposeful, and what  should be done about it in either case?
  • Whether or not a breach was identified, do your enterprise’s cybersecurity policies and procedures include a “concealed breach response plan”?
• What steps will be taken to ensure that employee privacy will be protected, and have you assessed the risks that inevitably attend the collection and use of employees’—as well as, potentially, clients’ and visitors’—personal health information?
  • What are appropriate “best practices” for employer’s recording, storage, use and controls of disclosures of personal health information?
  • Who will be tasked with developing your enterprise’s new privacy policies and procedures?  Who will implement them?  What technologies can be considered and adopted for use?  How will staff be trained?  And how will the new policies be enforced?
  • What different or additional measures should be considered to protect the personal health information of independent contractors, consultants, customers, and vendors?

Enforcement of State Consumer Privacy Laws Is Coming

Finally, employers faced with re-thinking data privacy issues now in response to COVID-19-related challenges should take this opportunity to ensure compliance with state consumer privacy laws that will soon be enforced.

On January 1, 2020, California’s landmark Consumer Privacy Act of 2018 (“CCPA”) went into effect, and its enforcement begins on July 1, 2020.  Other states have “cloned” the CCPA, making CCPA-like consumer privacy protections an important feature of the current regulatory landscape.  Employers should review the state privacy laws for each jurisdiction where they conduct business in order to ensure that they are prepared for potential enforcement actions following data breaches that result from the disclosure of personal information.  Among other things, employers should understand how to avail themselves of statutory “cure periods” in the event of a data breach and the range of penalties they may face under the various state laws.  Additionally, employers should be aware that the laws of certain states require that the current versions of companies’ privacy policies and procedures are posted to their websites.[3] 

Conclusion

Reopening in the wake of COVID-19-related restrictions on businesses presents employers with unprecedented challenges at the same time as laws imposing new obligations on businesses to protect consumer privacy are coming “online.”  Many of the policy decisions now facing employers may be subject to regulatory scrutiny and may also give rise to civil litigation risk.  The time for businesses to address these risks is prior to reopening, through the implementation of new and revised policies that are fully informed by an evaluation of the regulatory and litigation risks specific to your business.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul Lieberman or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.