How Legal and Privacy Concerns Around Employee Health Data Are Evolving

Man working on computer

When organizations gather health-related data from employees, data protection must also be a focus.

In response to the pandemic, employers must play an active role in preventing the spread of the virus within their workforce. That requires engaging with employees to gather relevant health-related data.

As the information and data that organizations gather from their workforce becomes more personal — such as temperatures and other health data — there's a greater need for data protection in the workplace. Establishing sound, consistent protocols that earn your workforce's confidence is critical.

Be upfront with employees

According to Cécile Georges, Global Chief Privacy Officer for ADP, to gain employee support and ensure their cooperation, employers should be candid regarding why they need to gather data related to employee health and the virus.

"Clearly define the purpose and be transparent about the type of information you plan to collect and analyze," says Georges.

She also encourages companies to use government guidelines to develop questions to ask employees, as those typically require yes or no responses, and to avoid collecting unnecessary information. This allows businesses to assess an employee's health and safety to either stay or re-enter the workplace without creating excessive risk that comes when an organization gathers too much personal data from its employees.

Establish a short shelf life

As companies gather employee data related to COVID-19, they should place limits on how long they keep the data. This accomplishes two goals. First, it allows an organization to demonstrate its commitment to using the data for purposes of mitigating the effects of the virus. Second, it reduces the potential for the data to become lost, stolen or compromised.

Georges notes that while there may be exceptions, generally, there isn't a specific time frame that has been enacted or decided by law regarding how long organizations should retain the data gathered during the pandemic. However, she recommends that organizations research the existence of guidelines from domestic as well as international authorities regarding the types of data companies can collect, and how long they can keep it.

"Here in the United States, companies might find different recommendations by state. In the European Union, regulatory perspectives may vary by member state," says Georges.

Nonetheless, she does not recommend holding the data indefinitely. Instead, once there is consensus that the global health event has run its course, businesses should consider deleting virus-related employee data.

Lean on your service providers for help

When faced with the need to gather data from employees to assess their health and ascertain their willingness to return to the workplace, organizations may find themselves struggling to find the right technology tools to do so. In those circumstances, it makes sense to engage with a third-party service provider to help deploy robust technology solutions. This can streamline the process and ensure the appropriate security is in place to prevent data theft or leakage. It can also provide a central repository for businesses to store the data — and eventually help to facilitate its destruction.

Data protection in the workplace is a top concern for organizations at the best of times. Now that businesses find themselves the custodians of additional employee data, it is important to develop policies and procedures regarding its handling and ultimate destruction. While it may not feel like it today, the pandemic will eventually end, and with it, so too will the need to capture and retain such data.

Learn about our committment to payroll and data security by visiting ADP.com/trust.