I felt there were more than enough folks posting advice about COVID-19 and HRTECH, so having made my position clear, I had promised myself not to add to the exponential curve, but nevertheless, here I am (note, I am neither a lawyer nor an epidemiologist).
I have noticed many enterprise tech vendors and consulting firms rapidly building out applications, screens, reports, bots, remote temperature trackers and mobile apps to track employees and workers with COVID-19, or symptoms (temperature and even diagnosis, etc). Tracking employees that are ill or could be falling ill in these times seems like a responsible thing to do. Modern applications enable you to easily add fields, or spin up a dashboard, so it would seem an ideal use case for an extension application, either for HR, employee engagement, analytics, or service centre products.
However, I’m going to suggest you proceed with caution.
There are specific laws and rules for gathering, processing, and storing medical related information. Pandemic or not, these rules exist for good reason. These rules may vary.
Health Data Regulations
Many countries have specific rules for how you treat medical records. For instance, in the US, HIPAA and Health and Safety rules, such as OSHA, lay out specific rules for how you record and report illness, treatments and injury. There is a complex trade off between medical privacy, company, insurer and government reporting needs. As a health care systems expert told me, propagating personal health information outside of “minimum necessary use” systems is a cardinal sin. Specific applications for H&S and medical records have been developed to carefully address this balance (There is much more to this that I’m saying here).
Regular readers will have known that was coming.
The Australian Information Commissioner has published some guidelines here, It is easy to follow, and has good links to other relevant legislation and guidelines. It makes the key point of data minimization.
In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19
I’ll focus on my more familiar territory of GPDR:
The EDPB chair made the following statement the other day.
“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
Indeed, the clever people who penned the GDPR thought about epidemics, and Recital 46 specifically refers to some types of processing that serve the goals of vital interest and public safety “including for monitoring epidemics and their spread”. However, this doesn’t mean you can just process health stuff as you please because there is a pandemic.
As usual, even within the EU, countries do things a little bit differently. The article here by Bird&Bird is well worth a read. I quote extensively from it.
In both France and Italy, the data protection supervisory authorities (the CNIL and the Garante respectively), have stated that employers should not actively collect information about their employee’s state of health.
The Future of Privacy forum (FPF) reported on the 10th of March
the key recommendation made by the Italian DPA was for employers to “refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to individual workers or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside of the work environment”.
And furthermore from Bird & Bird.
If employers decide to collect information about symptoms from visitors and employees, they will need to ensure that the processing relies on a valid condition under Article 9 of the GDPR, as the employer will be processing sensitive personal data. This will require a thorough analysis; in addition to national data protection laws in each member state implementing the GDPR, which vary when it comes to sensitive personal data, national health regime laws may apply.
This will make it difficult for international companies to adopt a unified approach on collecting health-related information for coronavirus prevention across the EU.
It is pretty clear that relying on consent as a basis of processing in the employment relationship is problematic.
Yet more from Bird & Bird on this.
Employers who seek to rely on consent (by requesting employees and visitors to tick a consent box or by making the questionnaire optional) should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information. Consent under the GDPR must also be revocable, which may undermine the organisation’s monitoring process.
The FPF noted that Irish DPO noted.
Not only that the processing needs to be necessary and proportionate, but it also “needs to be informed by the guidance and/or directions of public health authorities, or other relevant authorities.”
In other words, if an authority says please store health data x, then do it, otherwise don’t.
So, if you are planning to track employee health information, do so carefully. Ideally you should have existing health and safety applications and processes in place already with the appropriate safeguards for the various jurisdictions in which you do business.
If you are deploying something new for COVID-19, you really need to sit down with your data protection and health officer first, urgent though deploying a solution may seem.
Some suggestions for corporates and organizations
Here are some suggestions and comments, mainly related to GDPR. These don’t replace talking to your DPO or lawyer, and healthcare experts, and there are probably a good few I have forgotten.
- Check your data inventory / record of processing that you set up for GDPR, and see if you aren’t already storing the relevant health data elsewhere in your environment. If you haven’t got a data inventory, then you have a new project to keep you busy while you are at home (Art. 30)
- Health data is sensitive data, so you will need to look at Art. 9 as well as the usual Art. 6 processing rules, and be very clear why you are processing the data in the first place.
- Every country (even in Europe) will have a slightly different take on sensitive data, so don’t assume one size fits all. (So much for the GDPR bringing consistency).
- Consent would be very unlikely as valid basis for processing as it is in the employment relationship (see above) There is lots of guidance on this from authorities.
- Be especially clear on data limitation (adequate, relevant, limited to what is necessary) and security (are your procedures etc adequate for protecting sensitive data?). Can the generic application provide the right role based security you require? Should managers of managers be able to see which employees are ill, do you have an access role for medical officer etc? What about deletion/retention?
- You would need to precisely document what data you are processing and for what purpose, and update your inventory / record etc (Art. 30).
- This data is could be considered high risk, so you may need a DPIA. (Art. 35) This is in essence documented risk assessment.
- You will need to comply with other regulations such as health and safety laws. What data precisely are health authorities requiring you to report and about whom?
- This is a moving target, and government disclosure requirements may change.
- If you plan to use the data for modelling and simulation, tread carefully. It could be unlikely you would be able to anonymise the data adequately.
- If you plan to share data outside your organization, make sure that process and legal safeguards are in place, if you are moving it across borders, be doubly careful. If the 3rd party messes up, it is your company that the employees and an army of lawyers will be after.
- Demand that the vendor explain how they used the principles of Privacy by Design when conceptualizing, building and supporting the application. (Art. 25 and Recital 78).
- Make sure that the application meets accessibility regulations (WCAG 2.1 for instance) For instance, if you are only “protecting” employees that can see and hear, then you have a discrimination problem.
- Discrimination in dismissal or redundancy is a big deal and not fun, unless you are a labour lawyer. If you planning any RIF etc, make sure that the medical data isn’t anywhere near that exercise, and that you can prove it isn’t.
- Make sure that your data processor is aware of their obligations in terms of processing sensitive data, especially if this is an add on to an application that doesn’t usually process health data.
- Even if something is free, read the contract, and get the DPO an your lawyer to approve it.
- In many European countries this sort of deployment would need worker representative involvement and sign off.
Many of the vendors are offering free solutions to help against COVID-19 are doing so with genuine altruistic motives, but this doesn’t mean you should deploy these solutions without careful due diligence. However, if vendors say we just build the app, make sure it is compliant is your problem, then I’d suggest more than just social distancing.
Advice to vendors
It is tempting to get something out the door quickly to help your customers, and yes, it can be smart marketing too. But remember you are building applications that process really sensitive data that really impacts people’s lives. Privacy By Design is a good place to start. Treat their data and the laws that protect that data with respect. Ask how you would feel if your medical data, or that of a dear one was treated poorly. If you have never built health data applications before, do some research first.
If you have all this nailed, brilliant.
(Cross-posted @ Otter Advisory)