How to Ensure the Privacy Rights of Employees During a Pandemic Crisis
As companies develop their crisis and communications plans around the coronavirus (Covid-19) threat, they will need to take their employees' privacy rights into account.
The European and U.S. principles of data protection and privacy, which guarantee the rights and freedoms of data subjects, still stand and should still be taken into account. This is especially true when it comes to gathering, processing or transferring health data, identifying the next of kin of possibly infected people, or possible reporting obligations.
Ensure the Protection of Your Employee Privacy Rights
To help you stay in line with data protection and privacy regulations in specific situations such as the spread of the coronavirus that we are currently experiencing, this FAQ answers the most frequently asked questions on common data protection topics in relation to the fight against the coronavirus and your employees' privacy rights.
As a company, do I have to report a potential infection to the authorities?
No. Under neither U.S. nor German law are there reporting obligations for companies. In fact, reporting could violate laws, including the GDPR. The exception is particular healthcare organizations: doctors and hospitals that detect infected patients need to report such cases to the authorities.
Can I pass on the name of the possibly infected person to the staff?
Here, the necessity rule applies. Unless it is strictly necessary, the name of the person who contracted the virus should NOT be disclosed in order to maintain employee privacy.
Disclosing the name of the person affected by the virus may be permitted without consent only when it is necessary to identify the people who came into contact with him/her, so that they can be tested and measures can be put in place for their own safety, and the positive employee is not reachable due to his/her severe condition or is unable to provide direct consent.
Am I allowed to ask my employees whether they have been infected with the coronavirus?
In the U.S., the ADA places restrictions on the inquiries that may be made. For instance, you cannot take an employee's temperature or make disability-related inquiries unless it is part of the employee’s job or the person poses a “direct threat”. To err on the side of caution, it is not advised unless there is specific guidance provided. An employer can ask an employee to seek medical attention and get tested for the virus, and under most circumstances you can ask them to leave work.
These are some of the most common questions. If you need help understanding applicable privacy regulations in your region or wish to develop a comprehensive policy, please reach out and contact 2B Advice directly.
This document is not intended to be exhaustive, and we encourage you to supplement your knowledge of coronavirus by visiting the website of the Centers for Disease Control and Prevention (CDC) at www.cdc.gov.