In addition to the issue of mandated COVID-19 vaccine policies, employers must also manage the related privacy risks. Below are some of the frequently asked questions surrounding the issues of employee privacy as it relates to the COVID-19 vaccine. We also have a downloadable version of our privacy FAQs.

Question: Does it matter what type of information the company asks employees to provide to confirm their vaccine status?

Answer: Absolutely. Asking employees to confirm yes/no information seeks different information than, for example, requesting a copy of the employee’s vaccination card or more detailed records (such as lab results confirming presence of antibodies from a medical provider). Companies should be mindful of what information they are requesting because the inquiry might trigger heightened data-privacy and document-retention requirements. Companies should request only the information they require to confirm the vaccination status of the employee and should not collect any other information that is not necessary for that purpose. Companies should also be mindful of the privacy, security and other legal requirements involved in communicating with employees about any requested exception to a mandatory vaccine program based on a medical condition. The interactive process would likely include asking employees disability-related questions—and potentially questions implicating genetic nondiscrimination and health-data privacy laws (such as GINA or HIPAA).

Question: Our company plans to require employees to provide proof of their vaccine status by emailing human resources a copy of their vaccine card. Does this present any data-privacy concerns?

Answer: There are several issues to consider. How secure is your company’s email system? Can employees access their work email on their phones? If so, are there password and other security measures in place to prevent unauthorized access to that information? What does HR plan to do with the information once it receives it? Will it be printed out and stored in a paper file? Does the company plan to insert that information into the employee’s personnel file and/or HR database? Who would have access to that information? If the company plans on storing the data electronically, does the company have sole possession, custody and control of the servers where the data will be stored? If so, the company may want to confirm where those servers are physically located, and whether any state or local laws of that jurisdiction impose additional data-privacy, data-security and breach-notification requirements.

It’s worth noting here that HIPAA does not typically apply to the relationship between an employer and its employees. That being said, employers should still follow best practices and remain sensitive to the fact that they requesting and maintaining potentially sensitive employee health data. Additionally, if an employer performs services that are regulated under HIPAA, employees could be due additional protections. In this set of circumstances, an employer could be maintaining different data sets about an employee – of which one is regulated under HIPAA, and the other is not.
Continue Reading FAQs on US employee privacy issues related to the COVID-19 vaccine

As technology continues to rapidly evolve, so do hiring and recruiting practices. A number of start-up companies have emerged in recent years offering employers the ability to use artificial intelligence (AI) to screen job candidates and determine their employability. These AI-driven recruiting practices, such as those that use facial and voice recognition technologies, are touted as a means of lowering recruiting costs and eliminating bias in the hiring process. But there is growing concern that the use of AI may threaten a job candidate’s privacy and might result in the inadvertent perpetuation of discriminatory hiring practices.

These concerns and others were raised in a recent complaint filed with the Federal Trade Commission (FTC), urging an investigation into one such company’s business practices. The complaint was filed by the Electronic Privacy Information Center (EPIC), a public interest watchdog located in Washington, D.C. EPIC’s complaint challenges the AI-driven recruiting solutions developed and sold by a company called HireVue, which currently has more than 700 corporate customers that use its technology as part of their hiring process.
Continue Reading Tech industry watchdog challenges AI-driven recruiting practices

The United States Bankruptcy Code prohibits an employer from taking adverse action against an existing employee because of a bankruptcy filing.

In December, the United States Court of Appeals for the Third Circuit refused to extend that same protection to applicants for employment. In Rea v. Federated Investors, the court ruled that the phrase

Scott E. Blissman also contributed to this post.

The U.S. Supreme Court held that a public employer’s review of transcripts of an employee’s text messages on an employer-issued pager constituted a reasonable search under the Fourth Amendment of the United States Constitution. City of Ontario, Calif. v. Quon, No. 08-1332 (June 17, 2010). Although the case involved a public employer, it has some important lessons for private sector employers as well.

Factual Background

Quon worked for the City of Ontario, California, as a police sergeant and as a member of its SWAT team. In 2001, the police department issued pagers to its SWAT team members to help them mobilize and respond to emergency situations. The City’s contract with its wireless service provider had a monthly character limit for each pager, and the City required officers to reimburse it for the additional fees incurred for monthly usage over that limit. When the reimbursement process became burdensome, the City reviewed the communications to determine if the existing character limit was too low for work-related purposes or if the overages were for personal messages.

An initial review showed that several officers had used their pagers for extensive personal text messaging. For instance, many messages sent and received on Quon’s pager were personal in nature, and several were sexually explicit. This prompted the Police Department’s Internal Affairs Division to investigate whether Quon had violated department rules by pursuing personal matters while on duty. The investigation concluded that he had done so, noting for instance that of the 28 messages Quon averaged per shift, only three were work-related.

The City had a “Computer Usage, Internet and E-mail Policy” that permitted incidental, personal use of City-owned computers and equipment. The policy warned employees that personal communications could be monitored, and that employees had no expectation of privacy in such communications. Although the policy did not mention text messages, the City made clear to employees that such messages would be treated like e-mails. The police lieutenant responsible for the City’s wireless contract, however, told Quon that “it was not his intent to audit [an] employee’s text messages to see if the overage [was] due to work related transmissions.” Quon interpreted that comment to mean that the City would not examine the content of his text messages.Continue Reading U.S. Supreme Court Upholds Public Employer’s Search of Employer-Provided Communication Devices

Lessons for Employers in a Social Media World

Recently, in Stengart v. Loving Care Agency, the New Jersey Supreme Court held that an employee had a reasonable expectation of privacy in her Internet-based emails to her lawyer, despite the fact that she sent such emails from a company-owned laptop and was on notice of the employer’s written policy that emails may not be considered “private or personal.” The opinion is significant not only in recognizing a privacy interest for employees’ communications to their attorneys using company-owned-and-monitored networks, but also in providing important guidelines for employers drafting or updating their policies on use of email and the Internet. In addition, Stengart issues a warning to both in-house and outside counsel involved in the forensic review of employees’ computer-based data and communications.Continue Reading New Jersey High Court Limits Employer’s Right To Review Employee Emails