As we continue our series on steps business owners should take to mitigate the risk of reopening, it is clear from the guidance that has been issued by several states that effective screening and contact tracing are issues that need to be addressed. Businesses embarking on the collection of personal information through screening and contact tracing, need to consider privacy considerations that might be raised and determine how to use, store, and protect that information.

Many of the reopening guidelines require businesses to screen individuals who have COVID-19 and communicate such data to public health authorities for the purpose of contact tracing. In their screening efforts prompted by these guidelines, many businesses will take the temperatures of employees, customers and visitors, or start tracking attributes of “wellness” such as who reports in sick. As an example of contact tracing, some guidelines encourage businesses such as restaurants to maintain a record of personal information for customers or visitors on their premises.

As time goes on, technology will play a greater role. Facial recognition and other biometric technologies may offer solutions for identifying individuals who have tested positive or need to be quarantined based on contact tracing more broadly.  Apple and Google recently announced that they are developing ways to use location data culled from smartphones to track people who have tested positive for the disease and notify all users with whom the infected individual recently had contact.

The increasing use of biometric and geolocation technologies was raising privacy concerns before COVID-19. Presently, there are a number of laws at the city, state and federal level that address in one form or another private sector usage of facial recognition or biometric data. These laws may soon be modified or in some cases preempted by legislation that is specific to the COVID-19 pandemic.  Although it is too early to predict the contents of any  legislation, it is fair to assume it will provide individuals with some measure of control over how their personal health, geolocation and proximity data are being collected and used to combat the pandemic. Legislation introduced in the U.S. Senate on May 7, 2020 would also require companies that fall under the Federal Trade Commission’s jurisdiction to obtain affirmative express consent from individuals to collect, process or transfer their personal information for COVID-19 tracking purposes and would give consumers the ability to opt out of these practices at any time. Certain state laws and regulations, including the California Consumer Privacy Act (CCPA) already require, and new federal and state regulations are also anticipated to require, that companies disclose to consumers and, to a limited extent their employees, how their data will be handled, to whom it will be transferred and for how long it will be retained. In addition, it is anticipated that companies will be required to delete or eliminate access to personally identifiable information that is not required to be maintained for public health reasons.

Other countries are moving toward similar regulations governing the use of data collected for contact tracing and other public health purposes. In Europe, the General Data Protection Regulation (GDPR) already places significant limits on the collection and use of personal information, and particularly sensitive information relating to an individual’s health. The European Data Protection Board (EDPB), which oversees consistent application of the GDPR across individual EU member states, recently issued guidance recommending that EU member states require location data to be used anonymously, to ensure that individuals and their movements cannot be traced. The EPDB also emphasizes that location data should be used only for a defined purpose and deleted when no longer necessary.

The common thread in all of these initiatives is the balancing of concerns for the safety and privacy for personal data on the one hand, and the critically important public health need for screening and contact tracing on the other.

Practical Tips for Businesses

The requirements for COVID-19 screening and contact tracing are rapidly evolving, and will undoubtedly vary from place to place depending on the overlay of federal, state and local laws, regulations and executive orders.  Nevertheless, there are a few basic privacy principles that will help companies implement effective screening and contact tracing and minimize exposure to potential liability.

1. Privacy Notice. Companies should ensure that they provide clear notice to individuals (including employees) describing the personal data that will be collected, the means used to collect it, and how the data will be used, shared and stored. The privacy notices should be transparent and in a concise, easy to read format. Avoid technical and legal jargon that will make the notice difficult to read and understand.

2. Consent. Businesses should consult local and state laws for the inclusion of consents and disclosures. Where consent is required, it should be clear and unambiguous, and should encompass all forms of processing of COVID-19 screening data. For example, the Illinois biometric privacy law requires that a person be informed that biometric information is being collected or stored, the purpose and length of time the information is being collected, stored and used, and a written release executed by the person whose information is collected, stored, or used. Also, if your company is considering requesting access to health information directly from health care providers, note that there are separate authorization and consent requirements under state and federal law, including HIPAA, regarding how such consent must be obtained and confirmed in writing by the individual involved. Businesses should be sure to understand and abide by these requirements.

3. Data Retention. Businesses should have a process that anonymizes or deletes location and other personal data on a rolling basis (subject to legal or regulatory requirements). This will help minimize the risk that the personal data is used for purposes unrelated to contact tracing. For instance, with respect to employee information, there are separate requirements under state and federal law regarding how employee health information must be maintained in personnel files, so businesses should be sure to comply with such requirements related to employee health data.

4. Data Sharing. Information should only be shared with governmental public health authorities or other third-party service providers needed to provide the services to support contact tracing. Obtain written certification from service providers that shared data will not be used for advertising or other purposes unrelated to contact tracing.  Service providers should be willing to indemnify for any liability resulting from their misuse of data you provide for content tracing purposes. Data shared with government partners should be similarly limited to data the agency certifies as necessary for pandemic-response efforts and not for any other purpose. Executive orders or regulations may provide immunity from suit for companies that comply with prescribed content tracing protocols, but this will not always be the case and may require analysis and interpretation of government requirements or further outreach to government representatives.

5. Data Security. Companies should apply security measures that are appropriate for the most sensitive information. This would include limiting access to the contact tracing data to key employees and service providers, and using a system that monitors their access.  Security systems should provide secure storage and continuously encrypt data whether in transit and at rest? The business owner should make every effort to ensure that no one other than key employees is able to see any of the data collected and that records are secured from disclosure, transmission, or release. These requirements apply to both electronic and hard copy records.

6. Data Breach. Current and anticipated privacy legislation often requires companies to have a system in place for providing regulators and consumers with prompt and detailed notice of any data breaches that resulted in disclosures of certain types of personally identifiable information. This will likely encompass COVID-19 screening and contact tracing information.

The continuing impact of COVID-19 and government’s response to the pandemic on businesses and their relationships with employees, customers and guests requires careful, individual analysis.