I felt there were more than enough folks posting advice about COVID-19 and HRTECH, so having made my position clear, I had promised myself not to add to the exponential curve, but nevertheless, here I am (note, I am neither a lawyer nor an epidemiologist).
I have noticed many enterprise tech vendors and consulting firms rapidly building out applications, screens, reports, bots, remote temperature trackers and mobile apps to track employees and workers with COVID-19 or its symptoms (temperature readings, and even diagnoses). Tracking employees who are ill or could be falling ill in these times seems like a responsible thing to do. Modern applications make it easy to add fields or spin up a dashboard, so it would seem an ideal use case for an extension application, whether for HR, employee engagement, analytics, or service centre products.
However, I’m going to suggest you proceed with caution.
There are specific laws and rules for gathering, processing, and storing medical-related information. Pandemic or not, these rules exist for good reason, and they vary by jurisdiction.
Many countries have specific rules for how you treat medical records. For instance, in the US, HIPAA and health and safety rules, such as those of OSHA, lay out specific requirements for how you record and report illness, treatments and injury. There is a complex trade-off between medical privacy and the reporting needs of the company, the insurer and the government. As a health care systems expert told me, propagating personal health information outside of “minimum necessary use” systems is a cardinal sin. Specific applications for H&S and medical records have been developed to carefully address this balance (there is much more to this than I’m saying here).
Regular readers will have known that was coming.
The Australian Information Commissioner has published some guidelines here. They are easy to follow, have good links to other relevant legislation and guidelines, and make the key point of data minimization:
In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19
I’ll focus on my more familiar territory of GDPR.
The EDPB chair made the following statement the other day:
“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
Indeed, the clever people who penned the GDPR thought about epidemics, and Recital 46 specifically refers to some types of processing that serve the goals of vital interest and public safety “including for monitoring epidemics and their spread”. However, this doesn’t mean you can just process health stuff as you please because there is a pandemic.
As usual, even within the EU, countries do things a little bit differently. The article here by Bird & Bird is well worth a read. I quote extensively from it.
In both France and Italy, the data protection supervisory authorities (the CNIL and the Garante respectively) have stated that employers should not actively collect information about their employees’ state of health.
The Future of Privacy Forum (FPF) reported on the 10th of March that
the key recommendation made by the Italian DPA was for employers to “refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to individual workers or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside of the work environment”.
And furthermore, from Bird & Bird:
If employers decide to collect information about symptoms from visitors and employees, they will need to ensure that the processing relies on a valid condition under Article 9 of the GDPR, as the employer will be processing sensitive personal data. This will require a thorough analysis; in addition to national data protection laws in each member state implementing the GDPR, which vary when it comes to sensitive personal data, national health regime laws may apply.
This will make it difficult for international companies to adopt a unified approach on collecting health-related information for coronavirus prevention across the EU.
It is pretty clear that relying on consent as a basis of processing in the employment relationship is problematic.
Yet more from Bird & Bird on this:
Employers who seek to rely on consent (by requesting employees and visitors to tick a consent box or by making the questionnaire optional) should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information. Consent under the GDPR must also be revocable, which may undermine the organisation’s monitoring process.
The FPF also reported that the Irish DPO noted:
Not only that the processing needs to be necessary and proportionate, but it also “needs to be informed by the guidance and/or directions of public health authorities, or other relevant authorities.”
In other words, if an authority says “please store health data x”, then do it; otherwise, don’t.
So, if you are planning to track employee health information, do so carefully. Ideally you should have existing health and safety applications and processes in place already with the appropriate safeguards for the various jurisdictions in which you do business.
If you are deploying something new for COVID-19, you really need to sit down with your data protection officer and health officer first, however urgent deploying a solution may seem.
Here are some suggestions and comments, mainly related to GDPR. They don’t replace talking to your DPO or lawyer and to healthcare experts, and there are probably a good few I have forgotten.
Many of the vendors offering free solutions to help against COVID-19 are doing so with genuinely altruistic motives, but this doesn’t mean you should deploy their solutions without careful due diligence. However, if a vendor says “we just build the app; making sure it is compliant is your problem”, then I’d suggest more than just social distancing.
It is tempting to get something out the door quickly to help your customers, and yes, it can be smart marketing too. But remember that you are building applications that process really sensitive data, data that really impacts people’s lives. Privacy by Design is a good place to start. Treat their data, and the laws that protect that data, with respect. Ask how you would feel if your medical data, or that of a dear one, was treated poorly. If you have never built health data applications before, do some research first.
If you have all this nailed, brilliant.