One of the most important things for employers, schools, universities, hospitals, and public places to do during the time of a pandemic is to determine (to some degree of certainty) which individuals are infected, which are contagious, and which are symptomatic. The concept of “social distancing” is enhanced if we can know who is contagious so that those persons can be encouraged to self-quarantine or be compelled to quarantine. For employers — particularly those with international operations, knowing which of their employees, and also guests, customers, and others are contagious can help them limit the spread of the disease — particularly at the beginning of an outbreak.
But privacy and employment laws may actually prohibit employers from doing this. In fact, under international privacy regimes, employers may be prohibited from even asking an employee who shows up to work at a crowded office whether they have tested positive for the COVID-19 virus!
The law firm of Baker & McKensie recently published a country-by-country analysis attempting to answer a few simple questions from a privacy law perspective. The survey of their lawyers in each of thirteen countries asked the following questions:
- Can an employer lawfully conduct temperature checks of employees and visitors in its premises?
- Can an employer require employees to inform HR / their line manager if their temperature rises above the normal threshold?
- Can an employer require employees (and visitors to its premises) to complete travel declaration forms?
- Have data privacy regulators issued any guidance either permitting or restricting the collection of personal data for purposes of identifying Covid-19 cases?
- Is an employer permitted to disclose the identity of any worker who is confirmed to have COVID-19, to other co-workers?
From a public health perspective, you would think that employers – who have a duty to protect both infected and non-infected employees in the workplace — would be able to take reasonable precautions to identify infected and contagious individuals, to isolate them, and to inform others about the contagion so that they could similarly isolate themselves.
From a privacy perspective, according to the Baker report, you would be wrong.
Obviously, the law differs in different jurisdictions. For the United States, the fabulous Baker boys (well, men and women) conclude that, when it comes to employers taking the temperature (literally) of their employees they say “NO!” But, since this guidance is actually very old (a few days old), they have an important caveat noting “There would be an exception to this if COVID-19 is undergoing widespread transmission in the relevant community, declared to be a pandemic, or otherwise deemed to be severe in the community by state or local health authorities or the Center for Disease Control and Prevention (CDC).” The general privacy regulations under the Americans with Disabilities Act (ADA) and the EEOC’s guidance would usually prohibit employer medical testing on employees, and telling other employees the physical condition of those tested. In a pandemic? Not so much. The EEOC guidelines for pandemics (influenza) provides that, during a crisis “ADA-covered employers may ask such employees if they are experiencing influenza-like symptoms, such as fever or chills and a cough or sore throat. Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.” The guidance also notes that “If pandemic influenza becomes severe, the inquiries, [about health, symptoms, temperature] even if disability-related, are justified by a reasonable belief based on objective evidence that the severe form of pandemic influenza poses a direct threat.” During a pandemic “employers may measure employees’ body temperature.”
In the end, privacy laws should not act as a restriction on the ability of employers or government agencies in responding effectively and without panic to the emergency. But don’t overdo it. Don’t “name and shame” those with symptoms. Treat this information judiciously, collect what is necessary to respond, and not more. And protect the data as well.
And practice social isolation. For those in the IT field, we have been doing it for years.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.