Three ways to get ahead of employee privacy concerns during COVID-19
There are few topics as private as an individual’s health information. When regulations are trying to keep up with the rapidly changing environment caused by COVID-19, how can HR be sure that companies are doing everything in their power to keep employee information confidential and employees safe?
In times of uncertainty, it’s normal to open lines of communication and increase transparency. But balancing transparency with employee privacy and the need to keep employees safe in this environment is hard work.
Since COVID-19 first started to expand across the globe, Envoy’s people team has weighed these considerations. By monitoring regulations, talking with privacy experts, adhering to best practices, and listening to employees, we have been able to prioritize employee privacy while minimizing health risks and keeping employees informed. In the process, we’ve learned a lot. Here are three of our biggest takeaways:
Know what you are allowed to collect and store
First, you need to know which regulatory bodies and laws govern data collection and storage, such as the EEOC, ADA, and HIPAA. Make sure you stay up to date on changes to agency guidance. Signing up for their newsletters or bookmarking their updates pages will make the task easier. In some cases, you may be required to record and report employee instances of COVID-19 to OSHA. Make sure you know what is required by your industry and within your state.
A best practice for collecting and storing employee health data is to collect only the information that is required — and know precisely how you will use the data. For example, if you are taking temperatures of employees, you shouldn’t obtain or record an exact temperature. Instead, record just a “yes” or “no” if the temperature was within the acceptable range. Make sure you are aware of local regulations. In some states, such as New York, employers are prohibited from collecting the specific temperature.
Information like temperature is not personnel information, which can have specific retention timelines. Keep it separate from other employee records. And unless there is a need to retain it, dispose of it as soon as possible. For example, ask yourself if there is a need to retain the results of a passed temperature check at all. Consistency is essential — make sure that your data retention policies treat all employee information with the same standards and care.
Consider who can access data and prepare your stakeholders
When it comes to employee data, limit access to those who need to know the information. For instance, an employee’s manager may not need to know that an employee failed a temperature screen or was potentially exposed to COVID-19. The manager may just need to know that the employee is unable to work due to company policy. Help managers understand the importance of data privacy by providing training about what information can be requested and how it can be shared. Help them understand the ramifications of a failure to comply.
If you are already providing manager training on what data can be collected, relate the importance of privacy to all stages of the employee life cycle. Interview training — for example — is a great place to start.
Have a communications plan if an employee tests positive for COVID-19
Companies, HR professionals, and managers all hope they don’t have employees test positive for COVID-19. But it is a possibility we need to be prepared for. Knowing how to communicate sensitive information will help everyone involved feel confident that the situation is under control. Here are steps you can take when an employee is diagnosed with COVID-19:
- As soon as you have reliable data, inform employees that possible workplace exposure has occurred. Don’t disclose any identifying information about the individual who tested positive, including the individual’s name. Remind everyone that this is sensitive health information. There are regulations on what you can and cannot share. If you share too little or too much information, you risk losing employees’ trust. At Envoy, we found that 37% of people would consider leaving their job if their employer improperly shared or stored their health information.
- Determine who needs to know what information. Did the employee come into contact with other employees in the workplace? If you have a method for determining where employees were located during the day using a product like Envoy Protect, reviewing that information is an excellent place to start. Ask the employee who else they may have come into contact with. Depending on the size of your workplace, you may need to notify more or fewer people. For instance, if you have ten employees who all work together in the same room or office where they cross paths frequently, you may want to notify everyone.
- Assemble a template for sharing the information before you need it. Preparing will allow you to focus on identifying the people who need to receive the data, rather than crafting the right language. Let employees who test positive know what you will be sharing, so they feel secure that their information is not being exposed.
- If employees talk about someone’s medical condition (even if it’s their own), remind them to keep this information private. Reintroduce the golden rule and let employees know that if they had fallen ill, they likely wouldn’t want their information shared.
Employee privacy should always be top of mind for HR teams and leadership, but the stresses of COVID-19 have elevated the topic to new heights. The best way to stay ahead of privacy issues is to use common sense, understand your obligations, and know where to obtain reliable information.