Sikov -

How can HR protect employee data privacy during COVID-19?

Collecting health-related employee data in your HR system -- even during the COVID-19 pandemic -- isn't a simple issue, due to the many regulations that protect employees.

Collecting COVID-19 workforce health information is riddled with potential missteps. That's why HR needs to revisit compliance and data collection basics.

While rules vary by country and region, health-related data is typically defined as data that is specific to the medical history of an individual. This can include such information as hospital records, diagnoses, procedures and any other health events. In the context of COVID-19, health information can refer to whether an individual has been diagnosed with COVID-19 or has been in contact with individuals who have been diagnosed with COVID-19. Health information also pertains to the individuals' personal and professional geographical movements. HR can typically capture this data by asking employees to provide the information, and HR or managers can also input this data on behalf of employees.

In the United States, HIPAA manages the regulations around storage and use of employee health data. In the European Union (EU), GDPR provides more wide-ranging rules and regulations about storage of employees' personal data and the mechanisms for seeking acceptable consent to store data.

As an HR professional, you'll need to understand health data privacy rules. There are specific regulations across countries and states within the EU, U.S. and other regions of the world. These regions have clear legislation prohibiting employers from collecting certain employee health information and these rules can be a significant barrier to your plans to collect, store and process employee data -- even during the COVID-19 pandemic.

Importance of data anonymization

Safely storing personally identifiable information is critical and your team must work with the appropriate stakeholders -- such as information security teams -- to make that happen.

Part of that process means anonymizing data. However, even with data anonymization, there is the possibility that someone could identify employees and their information. The depth of anonymization will depend on the type and scope of the data that you collect, but you will need to ensure that the data in your reports can't be decompiled to identify individuals in the data set. If anyone can identify an individual from your report, then you have not anonymized your data sufficiently.

Regionalizing health data collection

Because laws and regulations vary across countries and regions, a single policy to collect and process employee health information is virtually impossible for global organizations. This is particularly critical as new rules develop around COVID-19 tracking. Even within each country or region, there are a myriad of rules and regulations to navigate. You should seek legal assistance in each country or region and make sure to involve any necessary stakeholders, such as the data protection officer, works council members or health officer.

The tricky issue of employee consent

Although it may seem to be in the best interest of the workforce to simply ask employees if they are sick or have COVID-19, there are regulations that protect employee information and prevent collection of health-related data. In some cases, it is necessary to gather consent. And in some of these scenarios, consent is not necessarily valid between employer and employee.

In the EU, GDPR makes it clear that the employer-employee relationship doesn't necessarily provide consent. Even if an employee provides consent to COVID-19 health data, there is an inherent imbalance of power between the employer and employee. That can make employees feel obligated to provide consent, even if they are against the actions to which they are consenting.

COVID-19 doesn't negate data protection

No matter whether you choose to collect or store health-related information, the rights of individuals and the need to safely store, process and protect their data remain just as strong as before the COVID-19 pandemic, even with all the new responsibilities in HR. It is important to consider if the use case for this data is necessary and whether you are legally protected in your initiatives.

Next Steps

With no federal COVID-19 liability shield, states go it alone

Dig Deeper on Core HR administration technology

Business Analytics
Content Management
and ESG