Return to work: A privacy balancing act
Thursday, June 11, 2020 @ 8:50 AM | By Sharon Bauer
As we enter a phase where businesses are opening their doors and allowing employees back to work, employers have an obligation to create a reasonably safe environment for their employees. Creating a safe environment means that some businesses need to collect personal health information about their employees to surveil who may enter the workplace in order to reduce the risk of an outbreak.
Employees’ expectation of privacy
While employers have an obligation to maintain a safe work environment, they also have a tough act of balancing those obligations with their employees’ right to privacy.
Generally speaking, private sector employees in Canada, other than those in Alberta, British Columbia and Quebec, do not have a legislative right to privacy under the Personal Information Protection and Electronic Documents Act (PIPEDA). Employees do, however, have a common law right to an expectation of privacy and as such, employers should govern themselves in accordance with PIPEDA as a best practice.
Under normal circumstances, employers are prohibited from asking employees about their health or asking them to conduct medical examinations unless it is reasonably necessary for their job. However, in keeping with their obligation to maintain a safe work environment during the pandemic, some employers must take invasive measures, including collecting employee health information, to ensure those who work or visit the workplace are safe.
Privacy during a pandemic
According to the Privacy Commissioner of Canada, privacy expectations should exist during a public health crisis; however they should not create a barrier to appropriate information sharing. Despite this guidance, as in most situations related to COVID-19, companies are left confused about what they may or may not do with personal information during the pandemic.
Generally, employers should be open and transparent about what information they collect from their employees, how they will use it and who they will disclose it to. They should seek explicit consent, verbal or written, before they collect the information, although there are exceptions to seeking consent during a crisis. New information handling practices should be formalized in policies and procedures to create accountability and to streamline practices across the business. Employers should also minimize the information they collect to only that which is necessary to evaluate whether the employee may return to work.
Operationalizing return to work privacy
Companies must first develop a formalized plan to mitigate the risk of an outbreak at work. From a privacy perspective and in the spirit of complying with the data minimization principle, companies should use the least privacy invasive measures to achieve their goal. A Privacy Risk Assessment on new processes or procedures should be conducted as a best practice to identify privacy risks, develop practices to mitigate those risks and act as a due diligence defence should there be a complaint or investigation.
Before collecting personal information from employees, companies should notify employees of their intention to collect their information, identify what they intend to do with it and whom they plan to disclose it to.
When deciding what information to collect, companies need to collect the minimal amount possible to still achieve the intended result. For example, if an employee’s name is not required, then it should not be collected. According to the IAPP Survey, the most common questions employers ask employees before they enter the workplace include:
- Were you diagnosed with the virus?
- Have you experienced virus symptoms?
- Have you travelled lately?
- Does anyone in your household have virus symptoms?
Screening employees for their temperature, which is considered invasive, should be a last resort to achieve the company’s goal. Only those companies that have a high-risk environment should consider implementing temperature screening.
If companies engage in employee temperature screening, they should develop a formalized written process for doing so. Whenever possible, companies should hire third-party vendors to conduct temperature screening or enable someone internally to conduct testing making sure they understand the reading and instances where an employee may experience a higher reading that is unrelated to the virus. The screening may be accompanied with questions such as whether the employee exhibits any symptoms. The screening should be conducted in a private area.
In the spirit of the data minimization principle, companies should avoid recording the names and temperature of the employees they screen unless there is a justifiable reason for doing so. Consider anonymizing the information if statistics or insights are required. Companies should contact health authorities to discuss whether their workplace has a particular risk of infection, which may determine whether to record names or findings.
Companies should have policies and procedures in place to ensure the information collected is stored securely with limited access to the information. Companies should consult with health authorities and privacy experts to consider how long they need to retain the information and ensure the retention period is formalized in the policy.
Companies should refrain from sharing employee health information with a third party unless required to do so in accordance with the law or with explicit consent. Even when consent is provided, companies should limit the information they disclose and limit the way in which the third party may use the information. Proper agreements outlining these limitations are essential.
Given these novel circumstances, in order to avoid a privacy breach leading to a lawsuit and loss of trust, companies should consult privacy experts before collecting, using or disclosing employee personal health information. Many companies are recognizing the elevated importance of protecting privacy during the pandemic. Despite the downturn in the economy, according to the IAPP Survey, more than 80 per cent of companies do not intend to reduce their privacy budget during the pandemic, realizing that they are dealing with sensitive information and creating new risks for their business.
Sharon Bauer is a privacy lawyer and consultant. She builds privacy compliance programs and conducts privacy risk assessments and enables companies to optimize their digital solutions and ensure alignment with regulatory expectations, industry standards and best practices. She is the founder of Bamboo Data Consulting. She can be reached at email@example.com.
Photo credit / akinbostanci ISTOCKPHOTO.COM
Interested in writing for us? To learn more about how you can add your voice to The Lawyer’s Daily, contact Analysis Editor Richard Skinulis at Richard.Skinulis@lexisnexis.ca or call 437- 828-6772.