Data privacy considerations at workplace
Most states in the US are entering the final phases of the reopen plan that seeks to gradually re-establish business operations in light of the ongoing COVID-19 pandemic. While a welcome sign for many businesses and employees, the phased re-opening of businesses brings about a flurry of return-to-work issues, one of which is how businesses can introduce or reinforce health screening measures, capture data for contact tracing and minimize physical touch points in the workplace. While these new processes improve compliance and safety, organizations are grappling with employee data privacy questions and rights, especially as some of the data can be considered health and biometric data which has even more heightened data protection requirements. To complicate things further, the answer may vary depending on the local state regulations.
The Oloid team has been consulting several legal experts and have reviewed the intricacies of this issue with several customers including Fortune 500 companies with national presence and tens of thousands of industrial workers. The good news is that the laws and regulations in most parts of the US provide a good balance of extending data protection and privacy to the employees while not making it too burdensome for the employers as long as the basics in terms of technology infrastructure and processes are in place. For most organizations that already have strong information security practices in place, this would be simply an extension of those practices.
The objective of this article is to summarize the key learnings from our research and the important considerations for employers to keep in mind when evaluating the data protection and privacy capabilities and features of technology vendors. Our research on data protection and privacy focuses on two main areas:
Management of Facial Biometric Data
For hourly employees, one of the most frequented physical touch points in the workplace is the time clock. Be it a keypad, fingerprint, or touchscreen time clock, nearly every clock-in/clock-out device used by businesses requires repeated physical contact by employees. Therein lies the dilemma: how can a business resume “regular” operations as quickly as possible but allow employees to record hours worked without coming into contact with one of the most heavily trafficked physical touchpoints in the workplace? Oloid’s contactless facial time clock is an elegant solution to this problem which can be installed as an app on off-the-shelf tablets. Not only does facial biometric recognition help eliminate buddy punching, Oloid’s time clock requires no physical contact from employee-users.
Most employers, especially ones that already employ fingerprint scanning or other existing biometric technology like an iris scan or palm reader have a legal framework for biometrics already in place. The existing employment consent/agreements are likely to cover the capture and retention of employee pictures for badges and HR systems. In most cases, it is preferable to leverage this existing legal framework which provides adequate coverage for most locations.
However, certain states in the US viz. California and Illinois require a special mention because of their very specific and stringent privacy laws. The CCPA provides California consumers and employees certain privacy rights and protections over their personal information collected by businesses. Under this law, employers must provide disclosures about the types of personal information collected from employees and why they collect them. One form of personal information regulated by the CCPA is biometric data. The CCPA does not restrict an employer’s ability to implement facial recognition technology to track an employee’s work hours; the covered employer must simply provide its employees with a notice at the collection that sets forth specific information regarding the facial recognition time clocks and the use of the employee’s biometric data. This can be accomplished with proper signage at the enrollment and check-in points.
Illinois is even more restrictive. Like the CCPA, the BIPA sets forth various notice requirements for private entities that collect “biometric identifiers” and “biometric information,” which include a scan of a person’s facial geometry. From there, the BIPA goes further than the CCPA by requiring employers to obtain consent before collecting their employee’s biometric data. Among other things, the BIPA also requires employers to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied, or within three years of the employee’s termination, whichever occurs first.
While on-site signage and employee agreements are the responsibility of the employer, as a responsible and highly vested partner, Oloid provides the ability
for our customers to manage biometric data in a regulatory compliant manner for all US jurisdictions.
Management of employee wellness data
In order to support safety measures and screening procedures at workplace entry points, Oloid’s Certify and Thermal products provide contactless and automated procedures for administering symptoms and travel questionnaires and thermal scanning.
While Oloid’s products are not meant to deliver a medical service, the wellness attestation application may capture responses about health symptoms and/or skin temperature. Specifically, when using thermal scanning, the assessment of normal or elevated skin temperature could be deemed as data that needs to be treated as private health information.
Oloid helps organizations stay compliant with such health information privacy requirements by providing features/capabilities that protect the privacy of the users:
No Loud Audio or Prominent Visual Alerts
- Certain systems rely on a loud alarm or a beeping buzzer or a prominent red or green light to draw attention towards an individual who may be identified at-risk either as a result of the responses to the wellness questionnaire or as a result of elevated skin temperature. Such loud alarms can be easily heard by other individuals in the vicinity. Not only such “at-risk” determination is an imperfect science, but it is also at best indicative. Even if an individual were to be truly “at-risk” such information needs to be handled sensitively. A broadcast of such information could put the individual in an awkward public situation, which in certain circumstances can also be deemed as a health information privacy rights violation of the individual protected under HIPAA.
- Oloid has carefully considered these issues and therefore provides a very subtle visual feedback which is designed to be only visible to the user. Additionally, the sound can be turned off on the device to ensure and protect auditory and visual privacy of the user
Access control for data
- Organizations may find it useful to retain the collected wellness attestation form data and the elevated skin temperature screening results for any future audits and for contact tracing purposes.
- Oloid lets the organization control who has access to the collected wellness attestation form data and the elevated skin temperature screening results.
- The organization can determine on a per device/entry level, who would be recipient of the data and/or alerts; this can be an individual or a group/alias comprising of multiple individuals.
- Additionally, if the organization does not want any named individual to have access to the data, the organization IT team can create an email address email@example.com or similar and the data can be transferred to this account. The IT access controls of this account will determine the access control of the data.
- When a QR code is used to provide attestation data at entry points, the wellness attestation form data and the elevated skin temperature screening results are pushed into the company’s servers and data is automatically purged from the Oloid system.
- The wellness attestation form data and the elevated skin temperature screening results which is pushed into the company’s servers can be setup by the organization’s IT team such that the data is automatically purged from the email account every 30 days or whatever period is deemed adequate for audit and contact tracing as per the organization’s policies.
Disclaimer: This is not a legal opinion.