COVID-19 Screening in the Workplace: CCPA and Other Privacy Implications
This alert is the third in our series of Privacy Topics: Practical Guidance from Gunderson Dettmer – a collection of practical privacy and data security guidance and accompanying materials designed to facilitate your company’s compliance efforts. As companies throughout the U.S. are starting to reopen their offices after months of lockdown due to the COVID-19 pandemic, today’s alert focuses on privacy considerations under the California Consumer Privacy Act (CCPA) and other laws in connection with COVID-19 screening in the workplace. The CCPA went into effect on January 1, 2020, and enforcement by the California Attorney-General began on July 1, 2020, with no delay in enforcement despite the COVID-19 pandemic.
For an overview of the CCPA, including guidance on which employers must comply, click here. Please click here for a form CCPA privacy notice that can be used for COVID-19 screening of employees, contractors and visitors in California workplaces.
COVID-19 SCREENING IN THE WORKPLACE
As businesses start to reopen their workplaces and employees prepare to return to the office, employers need to consider how to reduce the risk of exposure to COVID-19 in the workplace. Implementing a COVID-19 screening process is an important part of an organization’s response protocol, but there are important privacy and employment law considerations to take into account.
What information can an employer collect for purposes of COVID-19 screening?
The information that an employer may collect from individuals who will be physically entering the workplace for the purposes of COVID-19 screening include: (i) if the individual has COVID-19, or symptoms associated with COVID-19, or if they have been tested for COVID-19; (ii) whether the individual has had contact with anyone who the individual knows has been diagnosed with COVID-19, or who may have symptoms associated with the disease; (iii) body temperature; and (iv) recent travel information.
Does the CCPA require a specific COVID-19 privacy notice?
The CCPA requires employers to provide specific privacy notices to California residents (including to your California-based employees and job applicants) that describe the categories of personal information an employer collects, the purposes for which the employer uses the personal information, and any third parties with whom the employer shares the personal information. For most employers, the standard employee CCPA privacy notice does not cover information collected in connection with COVID-19 screening, which means that a separate, specific notice is required. For more information about the CCPA privacy notice requirement for employees and job applicants, together with links to template general notices, please see our prior client alert here.
Also note that if an organization is collecting personal information (including COVID-19 screening information) from non-employee guests to its facilities, the organization will need to provide such individuals with a CCPA notice if they are California residents.
What should my notice look like?
For simplicity, we recommend using one CCPA COVID-19 screening privacy notice for employees, contractors and visitors to your facilities. A template notice can be found here. This template is provided as an example, and we recommend that you contact your Gunderson Dettmer attorney to customize the template for your business.
Can an employer take the temperature of employees?
Yes. Although measuring an employee’s body temperature generally constitutes a medical examination, in response to the COVID-19 pandemic, the U.S. Equal Employment Opportunity Commission (“EEOC”) has stated that employers may measure the body temperature of employees. The California Department of Fair Employment and Housing has similarly stated that “employers may measure employees’ body temperature for the limited purpose of evaluating the risk that employee’s presence poses to others in the workplace as a result of the COVID-19 pandemic.” Employers should be aware, however, that some people with COVID-19 do not have a fever.
Can the employer ask employees about symptoms?
Yes. The EEOC allows employers to ask employees who will be physically entering the workplace if they have COVID-19, or symptoms associated with COVID-19, or ask if they have been tested for COVID-19. Employers should rely on guidance from public health authorities such as the CDC and reputable medical authorities to stay abreast of known and emerging symptoms of COVID-19. Symptoms associated with COVID-19 include cough, sore throat, fever, chills, and shortness of breath. Additional symptoms may include new loss of smell or taste and gastrointestinal problems, such as nausea, diarrhea, and vomiting. Limit your questions to symptoms of the employee (or visitor), and avoid asking about family members (see “Other legal considerations” below).
Can the employer screen visitors?
Yes. Employers may screen visitors to the workplace. However, employers will want to ensure that they make their COVID-19 privacy notice readily available to visitors (see “Does the CCPA require a specific COVID-19 privacy notice?” and “Practical Tips”).
Can job applicants be screened for COVID-19 symptoms?
Yes. An employer can screen job applicants for COVID-19 symptoms after the employer makes a conditional job offer, if the employer does so for all entering employees in the same type of job.
Can an employer require COVID-19 testing?
Yes. The EEOC has stated that it is permissible under the Americans with Disabilities Act (“ADA”) for an employer to administer COVID-19 testing to employees before they enter the workplace to determine if they have an active case of COVID-19. Employers should ensure that the tests are accurate and reliable by reviewing guidance from the U.S. Food and Drug Administration, the CDC and other public health authorities. Employers may wish to consider the incidence of false-positives or false-negatives associated with a particular test. Employers should be mindful that accurate testing only identifies if the COVID-19 virus is currently present in an individual, while a negative test does not mean the individual will not acquire the virus later.
Can the employer require antibody testing?
No. On June 17, 2020, the EEOC issued new guidance in which it stated that requiring antibody testing before allowing employees to re-enter the workplace is not allowed under the ADA.
Other legal considerations
Laws enforced by the EEOC, such as workplace anti-discrimination laws, including the ADA and the Rehabilitation Act, Title VII of the Civil Rights Act, the Age Discrimination in Employment Act, and the Genetic Information Nondiscrimination Act (“GINA”) continue to apply during the COVID-19 pandemic. In particular, GINA prohibits employers from asking employees medical questions about family members. Other federal, state and local laws may provide employees with additional protections. However, these laws do not prevent employers from following the guidance issued by the CDC and state/local public health authorities about steps employers should take regarding COVID-19 and maintaining workplace safety.
If an employer wants to ask only a specific employee questions to determine if they have COVID-19, or require that this employee alone have their temperature taken, the ADA requires the employer to have a reasonable belief based on objective evidence that this person might have the disease. The EEOC has provided the following example: “if an employer notices that an employee has a persistent, hacking cough, it could ask about the cough, whether the employee has been to a doctor, and whether the employee knows if she has or might have COVID-19.”
The EEOC has advised that guidance from public health authorities may change as the COVID-19 pandemic evolves, so employers should continue to check these authorities for updates to ensure that they are following the most current recommendations.
Implement a Procedure for Providing the COVID-19 Screening Notice: An employer should provide the COVID-19 privacy notice to employees, contractors and visitors (collectively, “Individuals”) to the employer’s facilities at or before the point at which the employer is collecting personal information. For example, an employer may prominently post the notice outside the entrance to the employer’s facilities and at any physical location in which an Individual is undergoing COVID-19 testing, answering screening questionnaires or surveys, and/or having their temperature taken. An employer may also provide the notice to employees by email to their company accounts and post it on the employer’s intranet page. Similarly, if an employer is collecting any personal information online from Individuals in accordance with the employer’s COVID-19 health and safety measures, the employer should post a conspicuous link to the notice on the company’s home page and on all webpages where such information is collected.
Apply Screening Policies Uniformly: For example, if your policy is to take the temperature of employees prior to entry, make sure that policy is applied uniformly and no group (or protected class) is singled out.
Minimize collection and retention of personal information: The collection and storage of medical and other sensitive information carry inherent risks, in particular in the event of a data breach. We recommend that employers minimize the amount of personal information that they collect and store as part of the COVID-19 screening process. For example, avoid maintaining logs of results of temperature checks, and delete answers to screening questions promptly once the purpose has been fulfilled (for example, once a “yes” or “no” decision has been reached regarding entry to the facilities).
While it is good practice to minimize and delete personal information collected in the COVID-19 screening context, we recommend that you document your procedures for providing the required notice, which should form part of your organization’s privacy compliance documentation.
If you are storing the information, ensure that reasonable security procedures and practices are in place: The ADA requires that an employer maintain all medical information about employees as a confidential medical record, which must be stored separately from the employees’ personnel files. Medical information includes (i) information that an employee has symptoms of, a diagnosis of, or suspects having, COVID-19, (ii) the results of temperature checks, and (iii) the employer’s notes or other documentation from questioning an employee about symptoms. An employer, however, may store COVID-19-related medical information in existing medical files.