In various parts of the world, the COVID-19 pandemic has prompted the development and deployment of various contact tracing applications that are designed to help mitigate contagion risks and facilitate medical intervention. There are many variations in how the apps work, but, generally, the idea is that the software uses geo-location and user-provided data to notify a person if that person has come in contact with someone that has tested positive for the COVID-19 virus. Generally, this allows public health officials to track the virus spread and allows impacted individuals to seek medical care.
As the US moves toward opening up the economy and allowing employees to return to work, some employers are considering use of contact tracing apps in the workplace. However, there are some important legal issues that must be evaluated. Essentially, tracing apps are another form of data collection. As such, all legal requirements with respect to data collection must be honored. Here are the key legal concerns:
- Notice to employees — employees are entitled to notice with respect to any workplace application that will be tracking their movements and collecting other data; the notice disclosure must be full and complete including what data is being collected, where the information is stored, what the business purpose is for which the data is being collected, etc.
- Consent from employees — employees must consent to the data collection; consent can be obtained contractually in the same manner as other workplace rules and regulations
- Biometrics — some apps record health information like heartbeat, blood pressure, temperature, etc.; consideration should be given to whether such information is biometric data and such should be factored into the choice of app; notice and consent must be obtained according to various biometric data privacy statutes
- Business purpose — generally, protecting the health and safety of workers and consumers is a legitimate business purpose for requiring contract tracing; geo-location data is clearly legitimate since areas where an infected employee worked must be sanitized, for example; but the software used must be narrowly tailored to the business purpose
- Which app to choose? — legal and financial risks to the employer are increased as the level of data collection increases; these risks should be balanced against the business purpose; more intrusive tracing apps will draw more attention from privacy and employee advocates
- Impact on worker collective action — where applicable, employers should evaluate any adverse impacts of the tracing app on worker collective action, which is protected by state and federal laws
- Privacy protection of the collected data — as with any data collected, the privacy of the individuals involved must be protected; the data must be secured, used only for authorized purposes, access limited, not shared with outside vendors, and more
- Repurposed use of the data — similarly, the data must be guarded against later repurposed use for which no notice was provided or consent obtained; for example, likely, the contact tracing geo-location data cannot be used in a worker in-house disciplinary hearing
- Availability to law enforcement — along the same lines, the data might be available to law enforcement through proper applications of warrants; were employees informed of this possibility and did they consent?
- Cybersecurity — the data must be reasonably protected from hacking and exfiltration by cybercriminals
A simple example can demonstrate some of the complex legal issues. Assume that the app choice is a simple geo-location app, but that it operates constantly without the ability of the employee to disable the tracking feature. Potentially, there is a legal problem with notice and consent if the employees are not informed that the app operates during non-working hours. Further, there are debatable reasons why an employer might want the app to run constantly, for example, because an employee infected outside of work is not infected “while working,” which has implications for workers compensation liability. However, there are strong arguments on the other side. Round-the-clock data collection may also have a chilling effect on unionizing activity which could cause complaints to be filed with the National Labor Relations Board.
As can be seen, contact tracing apps in the workplace present complex legal issues. Your company will need to retain the experienced data privacy and business lawyers at Revision Legal. Contact us at 231-714-0100.