Do Your Pandemic Measures Violate Employees’ Privacy Rights?
A pandemic represents a serious threat to your workforce and business. Regrettably, most organizations are unprepared to deal with the threat. And if you do have a pandemic preparation and response plan in place, you need to give it a good hard look.
In so doing, you need to account for something that tends to go overlooked: the privacy ramifications. Explanation: Many of your pandemic preparation and response measures will require you to collect, use and disclose (for simplicity’s sake, we’ll refer to the 3 verbs collectively as “use” unless the context requires otherwise) personal information about your employees. For example, you might have to ask employees if they have a medical condition that increases their vulnerability to flu. Here’s a look at the risks and how to avoid them based on guidelines from the Privacy Commissioners of Canada, Alberta and BC (the “Guidelines”).
The Privacy Rights of Your Employees
Most employees do have some privacy rights vis-à-vis their employers. These rights stem from:
- PIPEDA and provincial personal privacy laws, especially in Alberta, BC and Québec which specifically cover employees (as does PIPEDA for employees of federally-regulated businesses);
- Medical privacy laws that protect patients but come into play when you seek to use your employees’ personal health information;
- Common law, i.e., law made by judges in individual cases that serve as precedent for future cases;
- Provisions of employment contracts, both individual and collective agreements with union employees;
- Privacy assurances contained in your own HR policies and Codes of Conduct; and
- Any other things you do to foster reasonable privacy expectations among your employees.
The Practical Impact of Employee Privacy Rights
General Rule: The most significant privacy restriction for employers, especially in the pandemic planning and response context, is the requirement to get employees’ consent to use their medical and other personal health information. Getting proper consent is an issue unto itself. The consent form must be clearly written so employees know what they’re signing; and their decision to sign must be totally voluntary. Any signs of trickery or coercion nullify the consent.
Exceptions: However, where consent is required, it’s also subject to broad exceptions. One allows employers to use employees’ personal information without consent to carry out legitimate and essential business operations. or a wide variety of purposes without consent. As explained by an official Alberta information sheet, “an employer has a legitimate need to collect, use and disclose certain types of personal information about employees in order to operate the business and fulfill its obligations to employees.” Examples of legitimate functions justifying use of personal information without consent:
- Verifying an employee’s eligibility for sick leave or disability benefits;
- Determining what accommodations to make for employees or job applicants with physical or mental disabilities required by human rights laws; and
- Filing workers’ compensation claims.
Another exception allows for disclosure of employee personal information without consent in the event of a public emergency involving a serious and imminent threat to public health. During an emergency, all bets are off and government health officials will have broad power to demand access to your employees’ private health information. But for such a public emergency to exist, the provincial (or territorial) government would have to declare it.
HOW TO COMPLY
Unless and until a public emergency is declared, your pandemic preparation and response measures will have to follow the privacy laws in what the Guidelines call “the usual way.” Let’s break down the 6 privacy rules you must follow in carrying out your pandemic preparation and response planning:
Rule 1: Consent Is Required
As we noted above, while consent is generally required, employers also have leeway to use personal employee information without consent to carry out legitimate business functions. If you take only one thing from this story let it be this: That exception doesn’t apply to pandemic preparation and response.
According to the Guidelines, “employers should remember that they will need consent to collect even [limited] personal information from employees,” the Guidelines specify.
Equally problematic, the Guidelines state that employees don’t have to provide their employers personal information to help in pandemic planning and response unless they want to. In fact, the Fact Sheet for Employees that accompanies the Guidelines (which we’ll call “Employee Guidelines”), recommends that employees not cooperate with employer requests for personal health information. “We would generally discourage you from sharing your health status, including any diagnosis made by a physician with your manager.”
Rule 2: Information Collected Must Be Kept to Minimum Necessary
The second key “usual way” privacy rule is that the personal employee information you do use they need to carry out the pandemic planning or response function involved. Thus, for example, it would be inappropriate to ask employees to consent to a physical exam or submit a complete medical record to assess their vulnerability to infection.
Rule 3: Employees Must Be Notified of Information Use
The Guidelines also make it clear that you must notify employees that you’ll use the personal information you collect from for planning purposes only and indicate when it will be destroyed.
Rule 4: Information Must Be Kept Secure and Properly Destroyed
You must maintain the security of any personal health information you collect from employees. Security measures include:
- Physical barriers such as keeping files locked;
- Electronic measures such as password protection and encryption; and
- Administrative controls such as keeping the number of staffers with access to the information limited to the minimum necessary.
Finally, you must ensure that the personal information you collect from employees is properly destroyed after it’s no longer needed.
6 PANDEMIC PRIVACY POINTERS
At A Glance: Pandemic, Privacy & Practical Limits
|X What You CAN’T Do||√ What You CAN Do|
|Ask: “Do you have kids or older parents that you might have to stay home and care for?”||Hand out a survey asking employees if they might have to make alternative work arrangements without specifically asking who they live with.|
|Ask: “Do you have asthma or other medical condition that makes you at high risk of flu infection?”||Notify ALL employees that certain medical conditions heighten the risk of flu and advise any employee who has such conditions to take special measures to protect themselves.|
|Ask: “Have you and your family been vaccinated?”||Encourage employees to get vaccinated and provide information, such as vaccination schedules and clinic locations, to help them do so.|
|Asking employees for personal emails or other contact information in case you need to notify them of flu developments.||Ask employees what contact arrangements they want to make and explore ways to maintain contact that don’t involve getting private emails, e.g., letting employees call in themselves at agreed intervals.|
|Asking an employee who calls in sick: “Do you have the flu?”||Asking an employee who calls in sick: “How long do you expect to be out of work?”|
|Telling an employee’s colleagues: “Joe has the flu.”||Telling an employee’s colleagues: “Joe has called in sick and isn’t expected to return until Thursday.”|
The Guidelines also discuss some of the specific things employers can and can’t do to ensure that their pandemic planning related activities don’t violate employees’ privacy:
- Identifying Employees Who May Need Alternative Work Arrangements
Situation: Employers generally have no right to ask employees who they live with. But gathering this information could become important to pandemic planning for determining which employees might require alternative work arrangements.
Wrong: Asking: “Do you have young children or elderly parents at home that you might have to stay home and care for in the event of a pandemic?”
Right: The Guidelines suggest distributing a survey asking employees if they may have to make alternative work arrangements to care for kids or elderly parents. “This way,” the Guidelines explain, “employers will be able to estimate how many employees could be absent without collecting detailed personal information.”
- Identifying Employees Susceptible to Infection
Situation: You might want to warn any employees that have asthma, immunity deficiencies or other medical conditions that make them vulnerable to the flu to get vaccinated and take special precautions. But asking about an employee’s general medical condition raises a privacy red flag.
Wrong: Asking employees to furnish detailed information about their medical condition, e.g., asking them to tell you if they have asthma.
Right: The Guidelines say that employers would be better advised to let all employees know that individuals with certain kinds of conditions are at risk and need to consider taking additional precautions.
- Asking Employees If They’ve Been Vaccinated
Situation: Employers have an obvious interest in ensuring that their employees get vaccinated. But this again is personal information protected by privacy laws.
Wrong: Asking employees: “Have you and your family members gotten your flu vaccine?”
Right: Encouraging employees to get vaccinated and giving them information about vaccinations, such as vaccination clinic schedules.
- Asking Employees for Personal Contact Information
Situation: Assuming you don’t already have this information, you might want to ask employees for contact information in case you have to provide them updates about a pandemic situation. Of course, this is private information that employees might be unwilling to provide.
Wrong: Asking—and especially requiring—employees to give you their personal email or phone number.
Right: The Guidelines recommend asking employees to advise you how they prefer to be contacted and, if possible, give them alternative ways to get information from you without having to disclose their private contact information, such as having the employee agree to call in to the office at agreed-upon intervals.
- Asking Employees Who Call In Sick If They Have the Flu
Situation: Employers might want to keep track of how many employees have been diagnosed with flu or other infectious illness at the center of the particular pandemic.
Wrong: Asking employees who call in sick: “What’s wrong with you? Do you have the flu?”
Right: Asking employees who say they’re sick how long they expect to be out and when they plan to return. In short, asking for a prognosis is okay; but asking for a diagnosis is not.
- Notifying Other Employees that a Co-Worker Has the Flu
Situation: If managers learn that an employee has the pandemic flu, they might want to notify others in the company, including the employee’s co-workers.
Wrong: Disclosing an employee’s diagnosis to somebody else in the organization is just as impermissible as asking an employee to furnish his diagnosis to begin with.
Right: Letting others at the company know that the employee isn’t available, and if necessary, when she/he’s expected to return.
Although it’s between the lines, the message the Guidelines are delivering to employers is clear and very strong: Unless and until there’s a declaration of a public health emergency, you can’t take liberties with your employees’ privacy to implement pandemic protections. The Guidelines suggest that the proper role for employers in protecting their businesses from flu risk is to tell employees what they need to know, make prevention measures available and trust in employees to look after themselves. But once they start digging for information about the medical information of employees and their family members, they’re subject to the usual privacy laws.