
Privacy in a Pandemic: What You Can (and Can't) Ask Employees

Businesses struggle to strike a balance between workplace health and employees' privacy rights in the midst of a global health emergency.

The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.

Collecting and sharing information is necessary but must be done with employees' privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws, says Christine Lyon, privacy partner at Morrison & Foerster LLP. What health-related inquiries are acceptable? Can employers require a doctor's note or medical exams?

"The interesting aspect of this is there aren't straight-line answers," Lyon explains. "Even legal analysis changes as the facts evolve." As an example, Lyon points to the increasingly common question of whether businesses can take temperatures at work. This typically is considered a medical exam and is prohibited under the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) states in guidance related to pandemics.

However, as COVID-19 continues to spread across the United States, the Centers for Disease Control and Prevention (CDC) has begun to recommend employers take temperatures. Daily "health checks," which include screening for temperature and respiratory symptoms, have been encouraged in CDC guidance for Santa Clara County, California, and Seattle-King, Pierce, and Snohomish counties, Washington.

"It's challenging for employers because there's no clear-cut answer," Lyon says. The CDC may recommend taking temperatures but doesn't suggest what to do if someone has a fever. It's one of many areas in which businesses should proceed with caution. If an office visitor has a high temperature, the company likely would not turn that person away. Instead, she says, it would likely call the person the visitor had planned to meet and say they'll schedule a phone call.

"Keep as much confidentiality as possible," she says. "What is the information that we really need to know?" This concept, she says, also applies to storing health-related information. Many employers are collecting minimal health data, including the temperatures they record. If you're keeping temperature data, it's considered a medical record and confidentiality rules will apply.

Privacy rules and regulations differ by company, industry, and state. As a result, it's difficult to provide detailed guidance on what employers should do. Modern privacy and data protection laws, like the European Union's General Data Protection Regulation and the California Consumer Privacy Act, don't prevent businesses from recording certain information, says Bart Willemsen, research vice president at Gartner. For example, employers must record data necessary to determine if salaries are being paid, or information related to the workspace physician providing treatment to an employee. However, health-related data must be treated differently.

The Do's and Don'ts of Health-Related Questions

"Health information is information of a sensitive nature, a special category of data," Willemsen continues. "Every person has the right to not share such information — but they can share metadata." Employers can collect data related to insurance payment (for example, if something happens in the workplace). They can also record employees' adjusted work environments, if they start to work remotely. But employers are not doctors, he emphasizes, and they should not assume the position of collecting detailed health data unless under specific circumstances. 

So, what can employers ask their employees to ensure a safe workplace without violating privacy rules? Lyon says it's "generally fine" to ask if they have been experiencing cold or flulike symptoms, especially if there is a pandemic. The CDC states employees who fall ill with flulike symptoms during a pandemic should leave the workplace. Companies can ask about the expected duration of absence if an employee calls out sick; however, they can't ask why.

"Though it's important to know how long an employee may be absent, it is not for the employer to inquire in detail after why that absence is a fact," Willemsen adds. People do not have to share the details of their illness unless it has direct influence on their job function (for example, if they are a healthcare worker). It's fine if they want to volunteer that information, but even if they do, employers should refrain from recording and processing the data they share.

Employers should be careful with pointed questions about specific illnesses and diagnoses. Questions like "Have you been tested for coronavirus?" and "Do you have any medical conditions that make you susceptible?" are crossing the line into ADA territory, says Lyon. "An employer has to show a justification for asking those sorts of questions," she continues. If an employee returns from travel, the company may ask if they are returning from a country with a known outbreak, even if the travel was personal and the employee does not have symptoms.

Doctor's notes can also be tricky. The CDC suggests companies do not require a note to validate illness or return to work because in times like these, "healthcare provider offices and medical facilities may be extremely busy and not able to provide such documentation in a timely way."

If a company wants to verify someone is fit to return to the office, they may ask for a note saying as much because it doesn't disclose a specific condition, Lyon explains. However, if a company wants a note stating an employee has tested negative for a particular condition, such as coronavirus, that ventures into dangerous territory.

Companies are encouraged to record only health-related information that is factual, and the minimum amount of information necessary. This data should only be shared with employees on a "need-to-know" basis and used as anonymously as possible, Willemsen says. It should be stored securely and only for as long as it is necessary. If it must be disclosed, it should only be shared with external parties as mandated by law — for example, with local health agencies.

Lyon suggests businesses establish a centralized place where employees can view information about what is and isn't appropriate. "Make sure these questions are going to the right people so managers aren't on their own for what they can and can't ask," she explains. Creating a list of frequently asked questions for managers and employees can be helpful in times like these.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

3/27/2020 | 6:47:18 AM
Liked this one. Thank you a lot.
Recently I've heard of some unpleasant situations in companies (dealing with the virus). Some people make scenes as if they're ill, saying that a company is guilty. Firms got fines( 