In addition to the issue of mandated COVID-19 vaccine policies, employers must also manage the related privacy risks. Below are some of the frequently asked questions surrounding the issues of employee privacy as it relates to the COVID-19 vaccine. We also have a downloadable version of our privacy FAQs.

Question: Does it matter what type of information the company asks employees to provide to confirm their vaccine status?

Answer: Absolutely. Asking employees to confirm yes/no information seeks different information than, for example, requesting a copy of the employee’s vaccination card or more detailed records (such as lab results confirming presence of antibodies from a medical provider). Companies should be mindful of what information they are requesting because the inquiry might trigger heightened data-privacy and document-retention requirements. Companies should request only the information they require to confirm the vaccination status of the employee and should not collect any other information that is not necessary for that purpose. Companies should also be mindful of the privacy, security and other legal requirements involved in communicating with employees about any requested exception to a mandatory vaccine program based on a medical condition. The interactive process would likely include asking employees disability-related questions—and potentially questions implicating genetic nondiscrimination and health-data privacy laws (such as GINA or HIPAA).

Question: Our company plans to require employees to provide proof of their vaccine status by emailing human resources a copy of their vaccine card. Does this present any data-privacy concerns?

Answer: There are several issues to consider. How secure is your company’s email system? Can employees access their work email on their phones? If so, are there password and other security measures in place to prevent unauthorized access to that information? What does HR plan to do with the information once it receives it? Will it be printed out and stored in a paper file? Does the company plan to insert that information into the employee’s personnel file and/or HR database? Who would have access to that information? If the company plans on storing the data electronically, does the company have sole possession, custody and control of the servers where the data will be stored? If so, the company may want to confirm where those servers are physically located, and whether any state or local laws of that jurisdiction impose additional data-privacy, data-security and breach-notification requirements.

It’s worth noting here that HIPAA does not typically apply to the relationship between an employer and its employees. That being said, employers should still follow best practices and remain sensitive to the fact that they are requesting and maintaining potentially sensitive employee health data. Additionally, if an employer performs services that are regulated under HIPAA, employees could be due additional protections. In this set of circumstances, an employer could be maintaining different data sets about an employee – of which one is regulated under HIPAA, and the other is not.

New York state employers, it’s time to dust off and update your employee handbooks again. Earlier this month, Governor Andrew Cuomo signed a law that protects employees against discrimination on the basis of their reproductive health decision-making. The law, which mirrors a recent bill passed by New York City lawmakers, also requires that employers in

A recent European Court of Human Rights (ECHR) case (Barbulescu -v- Romania) has attracted much publicity in the UK press as giving employers the green light to read employees’ private emails. Is that correct and does this case really change things?

Background

Mr Barbulescu was employed as an engineer in charge of sales. His employer had a strict policy of not permitting private use by employees of its computer and telecommunications systems. Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account so that Mr Barbulescu could communicate with customers.

Sometime later, the employer notified Mr Barbulescu that it had been monitoring his account and believed that he had been using it for private communications. Mr Barbulescu denied this, at which point his employer presented him with a 45-page transcript of all his Yahoo Messenger communications, including private communications with his fiancée and brother. Mr Barbulescu was dismissed for breaching the employer’s policy on personal use of computer systems.

Mr Barbulescu subsequently brought employment claims in the Romanian courts alleging that his dismissal was void since the employer had breached his right to privacy by accessing his private communications. Mr Barbulescu was unsuccessful before the Romanian courts but his case was brought before the ECHR. Mr Barbulescu’s argument was that Romania had failed to protect properly his Article 8 right to respect for his private and family life, his home and correspondence.