06.17.20
The focus of reopening plans has, quite understandably, centered around employee and customer safety. However, employee privacy is quickly emerging as another possible cause for concern. Some employers have announced reopening plans involving contact tracing technology to help maintain workplace safety. While this new technology may be valuable, contact tracing technology also presents several potential legal issues.
What is Contact Tracing?
Contact tracing has been used by health officials for at least 100 years to help understand and limit the transmission of infectious diseases. Historically this process has involved a time-consuming process of in-person interviews.
Today, Technology Assisted Contact Tracing (TACT) is being used by some businesses and governments to automate this process. Although TACT is a broad term, much of the attention has focused on the use of mobile phone location data to track the movements of individuals and determine if they have been exposed to the virus. Privacy advocates have raised concerns over the use of TACT by governments. However, for reasons discussed below, employers should also be aware of the risks.
TACT covers a broad range of practices, but the most controversial involves downloading an application to the user’s smartphone. The application uses a combination of health and location data to determine whether the user has encountered a person who has tested positive.
Several important technical distinctions in TACT technology have arisen from the initial experience of governments and employers. The most significant distinction is how the technology tracks a user’s location data. The use of GPS data can lead to a centralized repository of information more likely to give rise to privacy concerns. Alternatively, the use of Bluetooth technology appears to avoid many of these potential problems.
TACT in the Workplace
Employers face the difficult task of balancing employee safety and employee privacy. Employers have a duty to ensure their workplace is safe for employees and customers. As a result, many employers are considering implementing some form of TACT. As employees gradually return to work and stay-at-home orders are lifted, it is difficult to know which employees have been exposed. TACT offers the attractive prospect of assisting employers maintain a safe workplace during the reopening process.
Employers should be mindful of the potential risks arising from utilizing this technology. Under OSHA, employers have a general duty to provide workers with “employment and a place of employment, which are free from recognized hazards that are causing or are likely to cause death or serious physical harm.” OSHA and the CDC do not appear to have provided specific guidance on contact tracing technology. Although the EEOC released updated return-to-work guidance regarding workplace discrimination, it does not address contact tracing technology specifically.
Potential Sources of Liability
Notwithstanding general OSHA and CDC requirements, employers should be aware of the following risks before including TACT in their return to work plan:
Many states, most notably California, have some form of data privacy laws which may be implicated. The California Consumer Privacy Act (CCPA) contains several exceptions for employee data, but these exceptions are not unlimited. For example, employers with California employees may be required to provide disclosures before implementing TACT. Employers should be aware the CCPA contains a private right of action for violations.
Like temperature screenings and other COVID-related safety procedures, application of TACT in an uneven manner could give rise to discrimination claims. Employers should make sure to avoid targeting policies towards specific groups, even if these groups have been identified by health experts as being at an elevated risk (older workers, etc.). Any reopening plan should ensure compliance with Title VII, the ADEA, the ADA, and other federal laws. Employers considered covered entities under HIPAA will likely face additional restrictions while using contact tracing technology.
Many state and local governments have Orders specific to businesses operating during the reopening process. Most states also have their own data breach notification laws. These local requirements vary by jurisdiction and often carry significant penalties.
Recently, twelve contact tracing apps were reported to contain malware. Hackers used these apps to infect devices with viruses and steal user’s data. Although it remains unclear how many users fell victim to the breach, the event underscores the importance of conducting appropriate due diligence on any product before implementation.
Other practical problems can arise, particularly if employers make the use of TACT mandatory for employees. For example, if downloading a contract tracing app is a mandatory component of an employer’s reopening plan, employees without smartphones may be unable to resume normal operations. Furthermore, the actual effectiveness of TACT remains unresolved. To be effective, both employees and a large majority of other individuals in the community must carry a smartphone with them at all times. Also, the potential for false positives and other technology malfunctions will need to be addressed.
Conclusion
The level of risk created by including TACT in a workplace reopening plan depends on the details of the program and the technology. Important variables include, but are not limited to; the extent to which the program is mandatory, whether the program allows employers access to employee data, the type of geolocation technology involved, and whether apps are installed to an employer-issued versus an employee’s personal device.
It should be noted that competing COVID-19-related data privacy proposals have been introduced in Congress. While the future of these proposals is not clear, their enactment would likely have a direct impact on employers using TACT to maintain a healthy workplace environment.
Employers should ensure the personal health information of employees is kept private and secure. This requires a thorough understanding of any technology prior to implementation in the workplace. Maintaining a balance between employee safety and employee privacy has never been more difficult. Unfortunately, this may be another aspect of the “new normal” for employers for the foreseeable future.
The Coronavirus Task Force at Klehr Harrison stands ready to assist you in your business and legal needs. We will continue to provide additional information and guidance as the COVID-19 situation develops.