Privacy Considerations for Safely Getting Back to Work
As state and local restrictions are lifted and business leaders kick off their plans to get employees back to the office, the consideration top of mind to all is preventing the spread of COVID-19 in the workplace. Contact tracing, a core disease control measure employed by local and state health department personnel for decades, has become an integral part of the multipronged approach to fighting the COVID-19 pandemic in the U.S., per the CDC. As businesses begin to reopen, enterprise contact tracing and complementary procedures like temperature scanning will be key to safely bringing employees back physical office locations.
According to CNBC, digital contact tracing in the workplace can be highly effective if widely adopted. It can decipher where an employee has been and who they have been in contact with, enabling employers to send anyone showing symptoms home and automatically mandate that they and anyone they’ve come into contact with isolate — potentially preventing wider outbreaks.
Mark Barnes, health partner at law firm Ropes and Gray says, “Electronic contact tracing and testing are useful,” but he acknowledges that employers must take the time to educate themselves about these systems and that adoption is more complex than simply mandating the use of an app. Per Barnes, employee privacy comes up frequently in his conversations with business leaders, and striking the delicate balance between privacy and employee safety will be critical to the successful implementation of any contact tracing program in the workplace.
Per leading consultancies like McKinsey, companies should take a “need to know basis” approach to collecting and anonymizing only the lowest common denominator of data needed in order to create a safe work environment. This decreases their risk of collecting “extra” data that can not only drum up employee distrust, but can also make the organization more vulnerable to cyberattacks. This can be achieved through what we at Domo call the “traffic light” approach — avoiding the tagging and storage of personal data, rather, flagging data segmentations such as temperature levels as red/amber/green. Instead of being alerted as to each and every employee’s temperature every day, smart contact tracing and temperature scanning systems will encrypt this data and instead only flag a high temperature of concern to an employer, so that the safety risk can be quickly acted upon accordingly.
Alongside the changes in process and protocols that come with implementing a contact tracing app, businesses will also have to lead a cultural change in emphasizing the critical importance of self-reporting temperature and contact status during the get back to work process for the greater health and safety of the organization. This will be especially important in the U.S., where employees are not accustomed to providing their employers with this level of personal data. Indeed, more than half of Americans believe that retaining their personal privacy is more important than surrendering it to the authorities in order to fight the spread of the pandemic. To avoid the risk of confusion and noncompliance among the workforce, prioritize immediate, transparent communication. Brett Davis, General Manager of ConvergeHEALTH at Deloitte says:
“The key is that asking employees and contractors for this sensitive data requires robust consent management and transparency in data use and a platform built for managing sensitive personal information, and in some cases health information.”
In order to walk the line, organizations will need to minimize the data privacy impact of enterprise contact tracing and temperature scanning, while retaining high levels of safety.
McKinsey has broken down best practices in roughly four key areas:
- Notice: Provide employees with complete and repeated communication about how their data will be collected, stored, secured, and shared. Inform all employees that their data is appropriately protected, that processing is properly documented and that it will be stopped as soon as it is no longer needed to protect workplace safety.
- Data minimization: Follow the principles of data minimization, purpose limitation, transparency, and data protection. Employers should collect as little employee data as possible for a specific health and safety purpose, whether contact tracing, temperature scanning, productivity indication and more.
- Consent: Employers should default the use of apps to opt-in unless mandated by government regulation. But when consent is not a practical consideration, such as when notifying the specific employees who have worked in close proximity to an infected person, discretion should remain priority.
- Security: In addition to storing health data in only highly restricted and secure systems, consider appointing a data-privacy leader as part of your COVID-19 response team to ensure early evaluation and discussion of possible measures affecting data privacy. This stakeholder should also be charged with making key decisions for balancing privacy and workplace health needs.
Lastly, choose your vendor wisely. According to Laura Becker, an IDC analyst covering employee experience and benefits, the potential market for enterprise contact tracing apps is expected to rapidly reach $4.3 billion. From established technology giants to nascent startups to NGOs and professional services firms, countless organizations are quickly launching contact tracing and related post-pandemic resiliency apps. But not all apps are created equal, nor do they uphold the gold standard of data privacy and cybersecurity. To avoid risk, ensure that your appointed data privacy subject matter expert(s) evaluate appropriate vendors to find possible security gaps and to develop solutions for closing them.
At Domo, we take pride in the robust privacy and access control architecture that is at the center of all of our Get Back to Work products, including our Contact Tracing and Temperature Scanning apps.
Our suite of products is:
- Secure and Private: Rather than storing employee responses to questions, statuses are marked as red/amber/green. Symptomatic information and COVID-19 testing status is safeguarded by existing access control and PDP controls.
- Highly Customizable: Domo does not log the values of the answers for the questionnaires employers submit for employees, and questions are all highly customizable and configurable by employers.
- Opt-In: Location information is purely opt-in and by default, Domo does not use device location tracking nor track the individual using their device.