New data protection issues brought about by the COVID-19 pandemic were discussed by Behnam Dayanim, partner and global chair of privacy and cybersecurity practice at Paul Hastings LLP, during a session at the RSAC 365 Virtual Summit.
With COVID-19 vaccines now being rolled out across the world, many organizations are preparing to enable the safe return of staff to their offices. In the view of Dayanim, it is important to question and challenge the storing of sensitive personal data related to this return. He cited a recent IAPP/EY study analyzing data collection by organizations of staff returning to physical work locations. Among the findings, 76% of organizations have asked employees to notify them if they are diagnosed with COVID-19, 53% asked the staff about personal travel and 23% have taken temperature tests of employees. He asked: “Is there really a need to record that, or is it simply enough to know that you have that process in place?”
Dayanim also said that, over the next few months, it is likely employers will ask their staff to notify them about whether or not they have been vaccinated. “All of these things are quite novel; not the types of questions that one would normally have expected employers to be asking of their employees,” he added.
Another data privacy issue regards organizations sharing sensitive COVID-related data about their employees with third parties. For instance, it has been shown that three in 10 organizations have been asked to share anonymized COVID data with governmental bodies or NGOs, while 20% have shared the names of staff diagnosed with other employees or government agencies.
Over the coming months, procedures must be put in place to safeguard the collection and use of data of this nature, according to Dayanim. This includes considering whether it is necessary to hold such data, who collects it and how this information should be communicated to other employees. “Those are the kinds of questions that are important to think about now before we have wide-scale reopening, because even post-vaccination, there will be quite a large number of people that have not been vaccinated and therefore might be susceptible to the virus,” he noted, adding that “having in place a process to deal with it will be really important.”
US-based organizations also need to take note that COVID-19 testing or temperature checks do not fall under the provisions of the federal Health Insurance Portability and Accountability Act (HIPAA). This means that when they are working with third parties to conduct such tests, it is important to carefully review the contract for its provisions on privacy, as simply stating data privacy falls under the HIPAA will not be sufficient. Dayanim explained: “You have to modify that provision to say either they will comply with HIPAA requirements irrespective of whether HIPAA applies, or to build in specific requirements for privacy and security.”
Concluding, Dayanim advised organizations to be “reviewing your reopening protocols, understand what kind of data you’re collecting and how you protect it, and ask, question, challenge: do we need to collect this information?”