Privacy

FAQs on US employee privacy issues related to the COVID-19 vaccine

By Sarah Bruno, Michael Lombardino & Brad Rostolsky on 9 September 2021

In addition to the issue of mandated COVID-19 vaccine policies, employers must also manage the related privacy risks. Below are some of the frequently asked questions surrounding the issues of employee privacy as it relates to the COVID-19 vaccine. We also have a downloadable version of our privacy FAQs.

Question: Does it matter what type of information the company asks employees to provide to confirm their vaccine status?

Answer: Absolutely. Asking employees to confirm yes/no information seeks different information than, for example, requesting a copy of the employee’s vaccination card or more detailed records (such as lab results confirming presence of antibodies from a medical provider). Companies should be mindful of what information they are requesting because the inquiry might trigger heightened data-privacy and document-retention requirements. Companies should request only the information they require to confirm the vaccination status of the employee and should not collect any other information that is not necessary for that purpose. Companies should also be mindful of the privacy, security and other legal requirements involved in communicating with employees about any requested exception to a mandatory vaccine program based on a medical condition. The interactive process would likely include asking employees disability-related questions—and potentially questions implicating genetic nondiscrimination and health-data privacy laws (such as GINA or HIPAA).

Question: Our company plans to require employees to provide proof of their vaccine status by emailing human resources a copy of their vaccine card. Does this present any data-privacy concerns?

Answer: There are several issues to consider. How secure is your company’s email system? Can employees access their work email on their phones? If so, are there password and other security measures in place to prevent unauthorized access to that information? What does HR plan to do with the information once it receives it? Will it be printed out and stored in a paper file? Does the company plan to insert that information into the employee’s personnel file and/or HR database? Who would have access to that information? If the company plans on storing the data electronically, does the company have sole possession, custody and control of the servers where the data will be stored? If so, the company may want to confirm where those servers are physically located, and whether any state or local laws of that jurisdiction impose additional data-privacy, data-security and breach-notification requirements.

It’s worth noting here that HIPAA does not typically apply to the relationship between an employer and its employees. That being said, employers should still follow best practices and remain sensitive to the fact that they requesting and maintaining potentially sensitive employee health data. Additionally, if an employer performs services that are regulated under HIPAA, employees could be due additional protections. In this set of circumstances, an employer could be maintaining different data sets about an employee – of which one is regulated under HIPAA, and the other is not.
Continue Reading FAQs on US employee privacy issues related to the COVID-19 vaccine

California privacy, harassment and discrimination considerations during the coronavirus outbreak

By Michele Haydel Gehrke & Ronnie Shou on 17 March 2020

In addition to considerations under federal law and California’s wage and hour laws, California employers should consider privacy, harassment and discrimination laws that are unique to California. California laws tend to be more protective of employees than federal counterparts and these differences may impact how an employer needs to respond to coronavirus concerns.

Privacy

Unlike federal law and most states, California’s state constitution contains an express right to privacy that is generally understood to encompass actions by private individuals and entities which violate a privacy right. California courts, in turn, have held that this right to privacy extends to an individual’s medical information. Not only would an employee’s right to privacy be one reason employers should carefully consider and consult legal counsel before requiring a medical examination to test for COVID-19 (as further discussed below), but in the event an employer receives any information about an employee’s medical condition – like a positive diagnosis of COVID-19 – the employer must take care to keep such medical information confidential and separate from the employee’s personnel file, as required under federal and California law.

California’s right to privacy, however, does not prohibit employers from asking employees if they are planning travel or have traveled to areas with a high risk of exposure to the coronavirus. Further, employers do not violate an employee’s privacy interest if the employee voluntarily discloses medical information to the employer without any solicitation.Continue Reading California privacy, harassment and discrimination considerations during the coronavirus outbreak

Accessing Facebook Through Employers: Is The Juice Worth The Squeeze?

By Rania Afram on 10 April 2012

Employers are becoming more aware of the impact of Facebook and the type of information it can reveal. Some employers use Facebook to find background or character information about their employees or job applicants. Other employers use Facebook to find out whether employees have disclosed information about the employer’s business. Some employers are taking it a step further by requesting that job applicants and/or current employees disclose their Facebook user name and password. Other employers are asking applicants and/or employees to "friend" its human resource manager or log into a company computer during interviews to view their Facebook content.

Continue Reading Accessing Facebook Through Employers: Is The Juice Worth The Squeeze?

U.S. Supreme Court Upholds Public Employer’s Search of Employer-Provided Communication Devices

By Kimberly A. Craver, Joel S. Barras & Eugene K. Connors on 28 June 2010

Scott E. Blissman also contributed to this post.

The U.S. Supreme Court held that a public employer’s review of transcripts of an employee’s text messages on an employer-issued pager constituted a reasonable search under the Fourth Amendment of the United States Constitution. City of Ontario, Calif. v. Quon, No. 08-1332 (June 17, 2010). Although the case involved a public employer, it has some important lessons for private sector employers as well.

Factual Background

Quon worked for the City of Ontario, California, as a police sergeant and as a member of its SWAT team. In 2001, the police department issued pagers to its SWAT team members to help them mobilize and respond to emergency situations. The City’s contract with its wireless service provider had a monthly character limit for each pager, and the City required officers to reimburse it for the additional fees incurred for monthly usage over that limit. When the reimbursement process became burdensome, the City reviewed the communications to determine if the existing character limit was too low for work-related purposes or if the overages were for personal messages.

An initial review showed that several officers had used their pagers for extensive personal text messaging. For instance, many messages sent and received on Quon’s pager were personal in nature, and several were sexually explicit. This prompted the Police Department’s Internal Affairs Division to investigate whether Quon had violated department rules by pursuing personal matters while on duty. The investigation concluded that he had done so, noting for instance that of the 28 messages Quon averaged per shift, only three were work-related.

The City had a “Computer Usage, Internet and E-mail Policy” that permitted incidental, personal use of City-owned computers and equipment. The policy warned employees that personal communications could be monitored, and that employees had no expectation of privacy in such communications. Although the policy did not mention text messages, the City made clear to employees that such messages would be treated like e-mails. The police lieutenant responsible for the City’s wireless contract, however, told Quon that “it was not his intent to audit [an] employee’s text messages to see if the overage [was] due to work related transmissions.” Quon interpreted that comment to mean that the City would not examine the content of his text messages.Continue Reading U.S. Supreme Court Upholds Public Employer’s Search of Employer-Provided Communication Devices

New Jersey High Court Limits Employer’s Right To Review Employee Emails

By Don A. Innamorato & E. David Krulewicz on 29 April 2010

Lessons for Employers in a Social Media World

Recently, in Stengart v. Loving Care Agency, the New Jersey Supreme Court held that an employee had a reasonable expectation of privacy in her Internet-based emails to her lawyer, despite the fact that she sent such emails from a company-owned laptop and was on notice of the employer’s written policy that emails may not be considered “private or personal.” The opinion is significant not only in recognizing a privacy interest for employees’ communications to their attorneys using company-owned-and-monitored networks, but also in providing important guidelines for employers drafting or updating their policies on use of email and the Internet. In addition, Stengart issues a warning to both in-house and outside counsel involved in the forensic review of employees’ computer-based data and communications.Continue Reading New Jersey High Court Limits Employer’s Right To Review Employee Emails

Employment Law Watch