Sikov - stock.adobe.com
How can HR protect employee data privacy during COVID-19?
Collecting health-related employee data in your HR system -- even during the COVID-19 pandemic -- isn't a simple issue, due to the many regulations that protect employees.
Collecting COVID-19 workforce health information is riddled with potential missteps. That's why HR needs to revisit compliance and data collection basics.
While rules vary by country and region, health-related data is typically defined as data that is specific to the medical history of an individual. This can include such information as hospital records, diagnoses, procedures and any other health events. In the context of COVID-19, health information can refer to whether an individual has been diagnosed with COVID-19 or has been in contact with individuals who have been diagnosed with COVID-19. Health information also pertains to the individuals' personal and professional geographical movements. HR can typically capture this data by asking employees to provide the information, and HR or managers can also input this data on behalf of employees.
In the United States, HIPAA manages the regulations around storage and use of employee health data. In the European Union (EU), GDPR provides more wide-ranging rules and regulations about storage of employees' personal data and the mechanisms for seeking acceptable consent to store data.
As an HR professional, you'll need to understand health data privacy rules. There are specific regulations across countries and states within the EU, U.S. and other regions of the world. These regions have clear legislation prohibiting employers from collecting certain employee health information and these rules can be a significant barrier to your plans to collect, store and process employee data -- even during the COVID-19 pandemic.
Importance of data anonymization
Safely storing personally identifiable information is critical and your team must work with the appropriate stakeholders -- such as information security teams -- to make that happen.
Part of that process means anonymizing data. However, even with data anonymization, there is the possibility that someone could identify employees and their information. The depth of anonymization will depend on the type and scope of the data that you collect, but you will need to ensure that the data in your reports can't be decompiled to identify individuals in the data set. If anyone can identify an individual from your report, then you have not anonymized your data sufficiently.
Regionalizing health data collection
Because laws and regulations vary across countries and regions, a single policy to collect and process employee health information is virtually impossible for global organizations. This is particularly critical as new rules develop around COVID-19 tracking. Even within each country or region, there are a myriad of rules and regulations to navigate. You should seek legal assistance in each country or region and make sure to involve any necessary stakeholders, such as the data protection officer, works council members or health officer.
The tricky issue of employee consent
Although it may seem to be in the best interest of the workforce to simply ask employees if they are sick or have COVID-19, there are regulations that protect employee information and prevent collection of health-related data. In some cases, it is necessary to gather consent. And in some of these scenarios, consent is not necessarily valid between employer and employee.
In the EU, GDPR makes it clear that the employer-employee relationship doesn't necessarily provide consent. Even if an employee provides consent to COVID-19 health data, there is an inherent imbalance of power between the employer and employee. That can make employees feel obligated to provide consent, even if they are against the actions to which they are consenting.
COVID-19 doesn't negate data protection
No matter whether you choose to collect or store health-related information, the rights of individuals and the need to safely store, process and protect their data remain just as strong as before the COVID-19 pandemic, even with all the new responsibilities in HR. It is important to consider if the use case for this data is necessary and whether you are legally protected in your initiatives.
With no federal COVID-19 liability shield, states go it alone
Dig Deeper on Core HR administration technology
Related Q&A from Luke Marson
What SAP product supports project-based teams?
SAP's SuccessFactors Dynamic Teams could help support project-based teams in the workplace and solve associated challenges. Learn more about the new ... Continue Reading
How can SAP Work Zone for HR help enable a digital workplace?
Part of SAP SuccessFactors HXM, Work Zone for HR is a digital workspace meant to boost employee experience. Learn more about its features and ... Continue Reading
What Qualtrics integration questions should IT ask of SAP?
Qualtrics has certain technical integration challenges, and IT needs to address questions to uncover what they are and how they will affect the ... Continue Reading