
Privacy in a Pandemic: What You Can (and Can't) Ask Employees

Businesses struggle to strike a balance between workplace health and employees' privacy rights in the midst of a global health emergency.

The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.

Collecting and sharing information is necessary but must be done with employees' privacy in mind. Many businesses want to know what they can ask employees without violating any privacy laws, says Christine Lyon, privacy partner at Morrison & Foerster LLP. What health-related inquiries are acceptable? Can employers require a doctor's note or medical exams?

"The interesting aspect of this is there aren't straight-line answers," Lyon explains. "Even legal analysis changes as the facts evolve." As an example, Lyon points to the increasingly common question of whether businesses can take temperatures at work. This typically is considered a medical exam and is prohibited under the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) states in guidance related to pandemics.

However, as COVID-19 continues to spread across the United States, the Centers for Disease Control and Prevention (CDC) has begun to recommend that employers take temperatures. Daily "health checks," which include screening for temperature and respiratory symptoms, have been encouraged in CDC guidance for Santa Clara County, California, and Seattle-King, Pierce, and Snohomish counties, Washington.

"It's challenging for employers because there's no clear-cut answer," Lyon says. The CDC may recommend taking temperatures but doesn't suggest what to do if someone has a fever. It's one of many areas in which businesses should proceed with caution. If an office visitor has a high temperature, the company likely would not turn that person away. Instead, she says, it would likely call the person the visitor had planned to meet and say they'll schedule a phone call.

"Keep as much confidentiality as possible," she says. "What is the information that we really need to know?" This concept, she says, also applies to storing health-related information. Many employers are collecting minimal health data, including the temperatures they record. If you're keeping temperature data, it's considered a medical record and confidentiality rules will apply.

Privacy rules and regulations differ by company, industry, and state. As a result, it's difficult to provide detailed guidance on what employers should do. Modern privacy and data protection laws, like the European Union's General Data Protection Regulation and the California Consumer Privacy Act, don't prevent businesses from recording certain information, says Bart Willemsen, research vice president at Gartner. For example, employers must record data necessary to determine if salaries are being paid, or information related to the workplace physician providing treatment to an employee. However, health-related data must be treated differently.

The Do's and Don'ts of Health-Related Questions
"Health information is information of a sensitive nature, a special category of data," Willemsen continues. "Every person has the right to not share such information — but they can share metadata." Employers can collect data related to insurance payment (for example, if something happens in the workplace). They can also record employees' adjusted work environments, if they start to work remotely. But employers are not doctors, he emphasizes, and they should not assume the position of collecting detailed health data unless under specific circumstances.

So, what can employers ask their employees to ensure a safe workplace without violating privacy rules? Lyon says it's "generally fine" to ask if they have been experiencing cold or flulike symptoms, especially if there is a pandemic. The CDC states employees who fall ill with flulike symptoms during a pandemic should leave the workplace. Companies can ask about the expected duration of absence if an employee calls out sick; however, they can't ask why.

"Though it's important to know how long an employee may be absent, it is not for the employer to inquire in detail after why that absence is a fact," Willemsen adds. People do not have to share the details of their illness unless it has direct influence on their job function (for example, if they are a healthcare worker). It's fine if they want to volunteer that information, but even if they do, employers should refrain from recording and processing the data they share.

Employers should be careful with pointed questions about specific illnesses and diagnoses. Questions like "Have you been tested for coronavirus?" and "Do you have any medical conditions that make you susceptible?" are crossing the line into ADA territory, says Lyon. "An employer has to show a justification for asking those sorts of questions," she continues. If an employee returns from travel, the company may ask if they are returning from a country with a known outbreak, even if the travel was personal and the employee does not have symptoms.

Doctors' notes can also be tricky. The CDC suggests companies not require a note to validate illness or return to work because in times like these, "healthcare provider offices and medical facilities may be extremely busy and not able to provide such documentation in a timely way."

If a company wants to verify someone is fit to return to the office, it may ask for a note saying as much, because such a note doesn't disclose a specific condition, Lyon explains. However, if a company wants a note stating an employee has tested negative for a particular condition, such as coronavirus, that ventures into dangerous territory.

Companies are encouraged to record only health-related information that is factual, and the minimum amount of information necessary. This data should only be shared with employees on a "need-to-know" basis and used as anonymously as possible, Willemsen says. It should be stored securely and only for as long as it is necessary. If it must be disclosed, it should only be shared with external parties as mandated by law — for example, with local health agencies.

Lyon suggests businesses establish a centralized place where employees can view information about what is and isn't appropriate. "Make sure these questions are going to the right people so managers aren't on their own for what they can and can't ask," she explains. Creating a list of frequently asked questions for managers and employees can be helpful in times like these.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

4/8/2020 | 6:43:03 AM
Totally agree
We should take care about what we say to our employers or chiefs.
3/27/2020 | 6:47:18 AM
Liked this one. Thank you a lot.
Recently I've heard of some unpleasant situations in companies (dealing with the virus). Some people make scenes as if they're ill, saying that a company is guilty. Firms got fines.