Privacy Laws, Duty to Warn and Communication Considerations Concerning COVID-19
Last updated April 2, 2020
Privacy professionals and healthcare providers are struggling to find the right balance between the ability to track the spread of the virus – literally and figuratively – and the need to respect the right of individuals not to have their movements monitored – at least not without their consent.
The Washington Post reported last week that “400 Israelis received text messages directing them to self-isolate immediately.” Data gathered by Israel’s internal security service from citizens’ cellphones were used to track the location of persons with confirmed or suspected cases of COVID-19 and the people with whom they had come into contact.
While the goal was laudable – to notify people that they may have been exposed to the virus – these people had not consented to the gathering of their location data.
The practice was ruled illegal by the Israeli courts, but the issue remains at the forefront of the discussion as to how best to control and track the spread of the virus. This debate continues here in the U.S. as well as around the world.
In the meantime, many companies otherwise subject to new privacy laws, such as the California Consumer Privacy Act (or CCPA), are pressing to push the effective date to January 1, 2021 (or at least its enforcement, which is to begin on the earlier of six months following issuance of the regulations – which are still not final – or July 1, 2020). The companies are arguing that their work forces are either furloughed or focusing on the business of working remotely. Companies’ resources are already spread thin geographically and otherwise. To begin enforcing fines now against companies that do not have the resources to respond to a request to know what the company has gathered about an individual (let alone to verify the source of the request) would require those companies to have personnel who are already stressed and strained put aside essential corporate functions to focus on a potential flood of requests.
Consumer advocates, on the other hand, maintain that it was no “secret” that the CCPA would be effective by July 1, 2020, and businesses should have been prepared already. They further argue that, with the increase in data that is being collected by companies in the face of the virus (employers can now require employees to allow their temperature to be taken before they will be granted access to facilities), there is all the more reason that privacy laws are essential and should be effective and enforced as currently scheduled.
For more information about CCPA, please see our prior alert.
In the midst of all this, the proactive aspects of the New York Stop Hacks and Improve Electronic Data Security Act (the NY SHIELD Act) became effective on March 21, 2020. These provisions:
- Apply to any business that has personal information (“PI”) regarding any New York resident
- Require those businesses to adopt proactive measures to safeguard that PI
- Require businesses to vet vendors entrusted with or with access to that PI
If your company did not already adopt appropriate measures, you may find yourself struggling to manage a remote work force while trying to catch up with this legislation’s now effective mandates.
The amendment to the SHIELD Act creates stricter data security over confidential personal information and breach notification requirements to protect New Yorkers following a breach.
For most businesses, HIPAA will not apply to information regarding their personnel and will not, then, impact disclosures regarding an employee who becomes infected with COVID-19. Privacy considerations and data protection laws, however, will still come into play, and will need to be balanced with the duty of companies to disclose a foreseeable risk.
If you are located in certain states (including New York), then you are subject to legislation that requires you to keep confidential the sensitive, health and employment-related information that you may collect, and to maintain the privacy of those individuals from whom you have collected such information. This does not, however, mean that businesses should not be disclosing – and in fact they have a duty to warn of – the foreseeable risk created by exposure to or a diagnosed case of COVID-19.
The fact that COVID-19 does spread so quickly, and can be without symptoms for up to two weeks, dictates that companies give timely notice to personnel, invitees, landlords, tenants and others if those companies know that a particular employee, client, visitor or vendor who has been to the offices recently was diagnosed with COVID-19 and/or was exposed to someone with a confirmed case. Notice, however, should be limited to only the information reasonably necessary for recipients of that notice to take appropriate measures (we recommend including CDC guidelines in your notice).
Needless to say, it is not appropriate to say “Sally Smith just returned from China and was diagnosed with COVID-19 after walking around the office undiagnosed for the last 2 weeks.” However, it is reasonable and appropriate to disclose that “An employee [or visitor] to our third-floor offices has been diagnosed with COVID-19.” Impacted businesses should also take measures consistent with [CDC] guidelines to clean and disinfect impacted areas as best possible, and may want to include in their notice the fact that such measures (generally) have been taken.
Remember that businesses, even if not subject to proactive privacy laws, are still subject to breach notification laws if they disclose or have compromised personally identifiable information about individuals (whether employees or otherwise). As such, companies should also be mindful of what personal information is collected during this, or any other, crisis about their personnel and other office visitors, how long that information is retained, and who in the office should have access to that information. If third parties are used by the company to process this data, even with the limited health emergency exceptions, the data should still be collected, stored and then disposed of securely.
The EEOC offers some information as to what employers can and cannot require their personnel to disclose, and refers to the CDC guidelines. Note, however, that the EEOC information is from the 2009 flu outbreak. These guidelines may change as COVID-19 spreads further.
Our employment practice group also shared insights and you can view that information here.
If you are subject to the General Data Protection Regulation (GDPR), several European Union members are already dealing with the intersection and collision of privacy obligations and the need to try to contain the spread of COVID-19 or any other such communicable illness. Italy recently suspended certain data protection rights with the adoption of Decree No. 630 by the Italian Data Protection Agency on February 3, 2020, to combat the spread of the coronavirus. Other EU members may be following suit in the near future as the virus spreads to other European countries. The GDPR recognized the need to share personal information even without a data subject’s consent “for humanitarian purposes, including for monitoring epidemics and their spread …” (Recital 46).
Singapore is sharing where infected people work, to which hospital they have been admitted and other personal information. Hong Kong is also disclosing such information.
Remember: what you share with health agencies – and what you are required to report to departments of health – is not and should not be the same as what you share with personnel when you are giving them a reasonable and appropriate warning of an infected or exposed office employee or visitor.
If you are struggling with the right balance of informing your staff while respecting privacy, or are considering retention policies for this information, please contact our office for further guidance.
For additional information pertaining to the coronavirus outbreak, please visit CSG’s COVID-19 Resource Center.
This publication contains general information on recent legal developments and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Attorney Advertising. Prior results do not guarantee a similar outcome.