Employers’ Duties to Maintain Employee Privacy in a COVID-19 Pandemic

Dealing with illness in the workplace can be challenging under normal circumstances, but it is much more so in the midst of the Coronavirus pandemic. Many questions remain unanswered regarding the precise application of federal, state and local orders and their relationship with employee benefits. As COVID-19 becomes an increasing presence in California workplaces, and employers are forced to comply with government directives, it is just as important as ever for employers to take steps to maintain compliance with employee privacy regulations. Workers who suffer adverse employment decisions, such as pay reductions, furloughs and layoffs, may be particularly attuned to whether all their rights were respected in the process.

How much information may an employer request from an employee who calls in sick, in order to protect the rest of its workforce during the COVID-19 pandemic?

According to Guidance provided by the Equal Employment Opportunity Commission (EEOC) addressing the COVID-19 pandemic, employers covered by the Americans with Disabilities Act (ADA) may ask employees if they are experiencing COVID-19 symptoms such as fever, chills, cough, shortness of breath, or sore throat, but employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Does an employer have a duty to inform employees that one of their colleagues has tested positive for COVID-19?

Employers may be uncertain about whether to tell employees that there has been a reported case of COVID-19 in the workplace. Depending on the particular facts involved, information regarding illness of an employee or family member may be protected under the Health Insurance Portability and Accountability Act (HIPAA), the ADA or both.

A pandemic, on the other hand, likely alters those practices. In light of the rapid spread of COVID-19, employers should promptly inform workers if one of their colleagues tests positive for the virus. However, employers typically need not divulge the identity of an employee or employee’s family member to achieve the objective of maintaining a healthy workplace.

Employers may also choose to notify employees and other relevant parties that contagious illnesses may be present in any workplace and list precautionary steps suggested by medical professionals, such as the CDC. Even when not specifically required by law, it is important for business effectiveness to maintain the privacy of individual employees. These matters are best handled carefully to prevent unnecessary disruption in the workplace.

How should the employer communicate to employees that one of their colleagues has a suspected or confirmed case of COVID-19?

Clear, effective employer communications are critical to providing employees with relevant information, maintaining order in the workplace, and reducing employees’ concerns. Employers should keep the following in mind when developing employee communications:

• Inform employees that the company will take any reasonable and necessary steps to ensure a safe and healthy work environment.
• Identify typical symptoms employees should watch out for.
• Include information on how to protect against getting the illness.
• Advise employees of any changes to policies.
• Notify employees of any discontinued travel.
• Ensure HR is available and prepared to address employees’ questions.

What Are Employers’ Obligations to Prevent Harassment of Those Suspected of Being Infected?

Employers must take steps to prevent discrimination and harassment against individuals who have a potential claim that they are disabled due to a COVID-19 related reason. Employers should consider reminding employees of company anti-harassment and anti-discrimination policies. Employers must be vigilant about promptly responding to and investigating any complaints of harassment or bullying in the workplace, and take care to limit the spread of rumors and speculation among the workforce.

Under the ADA, may an employer require employees to provide doctors’ notes certifying their fitness for duty when they return to work?

The EEOC says yes. The ADA permits such inquiries either because they would not be disability-related or because they are justified under the ADA standards for disability-related inquiries of employees given the COVID-19 outbreak. However, doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.

Conkle, Kremer and Engel’s attorneys follow the legal developments concerning Coronavirus issues at the federal, state and local level. We are available to help employers navigate their rights and obligations in these difficult times.

GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

If you sell or offer goods to EU residents, even from the U.S., it is now necessary to re-examine your data processing and privacy procedures. There is a new EU privacy law that will go into effect on May 25, 2018, with significant penalties for violations. The EU General Data Protection Regulation, or “GDPR,” covers any website, including a U.S.-based website, selling to EU residents and processing personal data of those EU residents. Here are some basic questions and issues to address concerning your online presence:

Do you collect, store, or use Personal Data? You are subject to this regulation if your website collects, organizes, stores, disseminates, uses or otherwise processes personal data of EU residents, regardless of where your website keeps or uses such information.

“Personal Data” will likely be broadly interpreted. The GDPR defines “Personal Data” very broadly to include any information that can be used to identify an individual. This can include all sorts of data, like names, e-mail addresses, office addresses, and even IP addresses.

Can your users easily revoke consent? The GDPR takes consent seriously. The GDPR requires you to demonstrate consent was “freely given, specific, informed and unambiguous” by a “clear affirmative action” on the part of the user for the processing of personal data. When you ask for the user’s consent, you must articulate “specified, explicit, and legitimate purposes” for processing the data. Limit the data you collect to what is necessary to achieve these articulated purposes. Be extra careful if you are collecting sensitive personal data – the GDPR raises the bar for obtaining consent to process “special categories of personal data.” And make sure it is as easy for the user to withdraw consent as it is to give consent.

Can you respond quickly and effectively when the user exercises rights under the GDPR? The GDPR grants users, or “data subjects,” quite a few rights, including but not limited to knowing where and why you are taking the data and anything that happens to it, objecting to its collection or use, obtaining a copy of it, correcting or erasing it, or restricting its use. Make sure you have procedures in place to respond appropriately in the event a user exercises rights under the GDPR.

Penalties for failure to comply can be steep. Failure to comply with the GDPR can expose companies to administrative fines of up to 20 million Euros or 4% of the total worldwide annual turnover of an “undertaking” of the preceding financial year, whichever is greater. Even if you use vendors to process your data, you are still responsible for monitoring compliance. You are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The EU GDPR is a minefield of regulatory requirements that require a close examination of your data processing and privacy procedures. Some companies, such as Microsoft, are implementing a single system worldwide to comply with the EU’s requirements, effectively granting greater-than-required rights to non-EU residents. There will likely be considerable uncertainty and confusion as the GDPR requirements are implemented and enforcement begins. Contact Conkle, Kremer & Engel to help bring your data processing and privacy procedures into compliance.
