Since well before businesses started grappling with the decision to resume in-person operations, with or without a mask, the question of vaccine requirements has been front and center. The emergence of the delta variant spurred companies to action, and now omicron is proving that mandates will be even more prevalent than anticipated.
Companies big and small are implementing vaccine requirements or regular COVID-19 testing, with social distancing and mask wearing in the office, and more employers are requiring full vaccination as a criterion to being hired. Many organizations are now struggling to determine how they will collect and manage this information — particularly as it may be analyzed to manage COVID-19 response and business activities. Should employers maintain records of vaccinations in their system? Do they have a system that can manage it well? Do they need to contract with a third-party provider? Who will have access to the data?
“When systems move from voluntary to mandatory, that’s when you have to really sit up and pay extra attention,” said Pam Dixon, founder and executive director of the World Privacy Forum, which received a grant to study vaccine credentialing systems globally. “We have to make sure the system itself doesn’t hurt people.”
The World Privacy Forum will use the grant to help understand how vaccine credentialing systems work, identify similarities and differences among various systems, and determine what’s working and what’s not.
From the research thus far, Dixon said what’s emerging is a globally “profound misunderstanding of public health data,” and in the U.S., an assumption that public health data is covered under the Health Insurance Portability and Accountability Act (HIPAA). Dixon said data covered under HIPAA is generally not the same kind of data as public health data, and the protections are usually not the same.
Without significant protections restricting the use of public health data for only public health purposes, and only by public health authorities, Dixon said it’s difficult to “constrain.” “We really need some guardrails here and if we don’t have them it’s going to be a really big problem at the end of the day,” she said. “The end result will be that people will lose trust in the public health system.”
In addition, the federal government, states and employers could be implementing different credentialing systems, resulting in individuals using multiple systems. According to Dixon, the question then becomes whether there should be a single system for vaccine credentialing that has privacy controls with a legal apparatus connected to it versus “1,000 vaccine credentialing systems that may or may not be operating the way all of us would like.” Vaccine credentialing systems’ policies should also state that vaccination status will be guarded as protected health information, she said, and data collected for vaccine credentialing should only be used for its intended purpose, not for advertising, marketing or research, for instance. “There is going to be an extraordinarily complex patchwork of all these various systems. It’s going to be very challenging for people to know what law is covering their system, if any.”
According to Philip Gordon, Littler Mendelson shareholder, Privacy and Background Checks Practice Group co-chair and expert in workplace privacy, vaccine mandates in the U.S. are subject to exemptions for disabilities and “sincerely held” religious beliefs, as regulated in the Americans with Disabilities Act and Title VII of the Civil Rights Act. In Montana, state law prohibits discrimination based on vaccination status, so while employers can inquire about employees’ vaccination status, “treating unvaccinated and vaccinated workers differently in any material way could constitute discrimination.” Gordon also noted that, “from a matter of fair information principles and good data security, to reduce the risk of a security breach the fewer people who have access to the data, the better.”
Proof of vaccination or vaccination status is not likely to be covered by HIPAA for most employers, Gordon said, but those that collect and store employees’ vaccination cards could be subject to data breach notification laws in approximately 20 states, where health information is personal information. Therefore, employers should provide the same types of procedures to proof of vaccination information as they would to other medical records, he said.
Although asking employees for their health information can be a privacy dilemma, it’s important to keep group health in mind. Derek Care, Uber’s Legal Director of Privacy & Cybersecurity, said, “it’s one of those situations where I do think you have to invest more on safety rather than on individual privacy and in that case that doesn’t mean you throw privacy out the window, but you figure out how to mitigate the privacy risks as best you can while trying to achieve that safety goal.”
Uber implemented a voluntary return to the office in early January 2021 with a self-certification process. Before going into the office, employees have been required to fill out a questionnaire via an application that asks a series of questions directed by regional health authorities, such as whether they are experiencing COVID-19 symptoms or have been in contact with anyone diagnosed with the virus. Employees confirm they are aware of the requirements and cannot access the office if they identify any risk factors. With offices around the world and more than 25,000 employees, Uber is taking into consideration a multitude of factors, including local legal requirements, health conditions, availability of vaccines and testing, as well as other factors such as union requirements and what works best for employees amid these privacy and data-handling sensitivities.
“In all cases, it’s relatively sensitive data, from whether it’s actual health data or test results, to even data that allows you to infer something about someone’s health. In all cases we treat it sensitively and we think that means having a safe place to put this data,” Care said.
Plans to safely store the data will likely include different levels of access for those within the company who need to know the information and an appropriate time to maintain the data, he said. “From a data retention and deletion standpoint, it’s sensitive; we do need to collect this data to help prevent risk of COVID, but that doesn’t mean we’ll have any need for the data in seven years, or at one year or even six months from now. So, we have to figure out what is right given the sensitivity of the information, the legal requirements and what’s right by employees.”
When employees of advertising and technology company Ampersand formally return to the office, they will need to provide proof of vaccination. The U.S.-based company has offices throughout the country. Chief Privacy Officer and General Counsel Noga Rosenthal, CIPP/E, CIPP/US, said employees can upload a copy of their COVID-19 vaccination card into an encrypted system, accessible only by human resources and separate from their personnel file.
Rosenthal previously spoke with other general counsels about their course of action and learned of instances when individuals were not truthful about receiving the vaccine. “If I found out somebody was lying, and we have people who are immunocompromised coming into the office, what do we do? Somebody lies, someone gets sick,” she said. “We had to balance the harm, the privacy harm of keeping the data, versus someone getting sick. The potential of getting sick, and keeping employees safe, won out.”
Mathieu Gorge, CEO of VigiTrust and author of “The Cyber Elephant in the Boardroom,” urges businesses to examine a framework he calls the five pillars of security when considering how to move forward: physical security, people security, data security, infrastructure security and crisis management. Doing so can help to mitigate risks, handle data with care, comply with appropriate data protection regulations, and prevent potential breaches.
“I would urge any organization that’s wanting to embark on an employee vaccination plan to use the five pillars as an initial, very simple benchmark,” he said. “If we go back to the basics and look at the concepts of cyber-accountability, they need to understand they are held accountable for making sure they take appropriate security measures to protect their good name, the reputation of the company, the data, the employees, third parties and so on.”
The simplest choice for businesses in a traditional office environment, Gordon said, is to make vaccinations voluntary and ask employees to continue to engage in established safe practices, like wearing masks and social distancing. “Big picture, it’s almost like any other data collection issue,” he said. Employers should first ask themselves whether they really need the information for specific business purposes, then use that information responsibly.