Employers and employees are bracing themselves for a new heightened level of surveillance in the workplace not seen since the aftermath of 9/11. These new measures will leverage advanced technologies such as artificial intelligence and deep learning, and they will have privacy and security implications for employers and employees alike.
Employers are purchasing new technology solutions, as well as repurposing existing technology, such as surveillance cameras already in place. Many new surveillance measures and tools include several advanced techniques, such as:
As states begin to lift stay and work at home orders and employees prepare to return to work, more than 80% of landlords and office managers are already planning design changes to address surveillance and social distancing according to a study of 400 participants by VergeSense, a San Francisco-based property-technology (proptech) company.
If you were in the work force after 9/11, you likely remember when building security was ratcheted up in response to the emergency, such as turnstiles in lobbies, front desk for ID cards and photographs, visitor ID badges, and screening for bombs. What was once unsettling and sometimes an annoyance shortly became commonplace. The same is occurring in response to COVID-19, but with heightened surveillance, use of technology, and previously unheard of intrusions into personal privacy. While most workers likely will get used to these new measures, the transition is guaranteed to be a bit rocky – more for some employers than others.
The question then becomes, how to best ensure safety and comply with the law without venturing too far over the line to severally impact employee morale. Generally speaking, Federal and state laws are not particularly specific or detailed with respect to the legal parameters for employee and workplace monitoring. In the U.S., the overriding factor is an employee’s “expectation of privacy.”
For example, several of the proptech solutions have functions or purposes to map and trace an employee or visitors exposure to coronavirus (commonly referred to as, “contact tracing”), which is widely accepted as not only advisable, but a requirement under some federal and state reopening guidelines. Contact tracing is the process of identifying who an infected individual has been in contact with recently so that those individuals can be notified and take appropriate isolation and quarantine actions. On May 14, the CDC issued new guidance on reopening of business in the form of decision treaties for different industry such as restaurants, schools and office-based workplaces. See Foley’s guidance found here. The workplace guidance stresses ongoing monitoring.
Contact tracing is a critical aspect of the pandemic recovery and reopening, and is part of the CDC’s multipronged approach to fighting COVID-19. CDC guidelines state that contact tracers should identify people who were within six feet of an infected person for at least 15 minutes starting from 48 hours before illness onset until the time the patient is isolated. These “contacts” should be warned “of their exposure, assess their syndromes and risk, and provide instructions for next steps.”
The tension then becomes how does an employer effectively contact trace without violating an employees expectation of privacy. For example, employees may be uncomfortable or embarrassed to disclose all persons they have had contact with to their employers (i.e., affairs, visits to taboo stores or shops, etc.). Without a realistic and detailed plan to handle confidentiality and disclosure of the information in accordance with the law, in addition to legal challenges from employees for invasions of privacy, employees may also be strongly tempted to lie or withhold information.
As we know from years and years of litigation involving the “invasion of privacy” concept, the standard to when an employee crosses the line is not clear and can vary widely depending on the facts and circumstances of the situation, applicable state laws, and the decision makers in the particular incident. Complicating the compliance and risk analysis are federal and state privacy and security laws, such as HIPAA, the ADA with respect to individuals with disabilities, the Family Medical Leave Act and state biometrics laws (with Illinois’ law being the most stringent, permitting employees to sue for violations).
While often, the temptation on the part of the employer and the employee will be to identify the affected individual, whether or not the organization is covered under HIPAA, generally speaking the identity of the individual should not be disclosed to potentially infected employees without consent from the infected employee. Often the identity will become apparent or otherwise apparent, however, unless the employer obtains the infected employee’s consent, the employer should not be the one providing that information. Under certain circumstances involving potentially significant threats to public health and safety, it is generally permissible (and often advisable) to disclose the identity of an infected individual to public health authorities, such as federal, state or local agencies or authorities charged with public health and safety responsibilities, or if required by applicable law. For example, OSHA’s position is that employers must report to OSHA any confirmed COVID-19 illness diagnosis that is both (i) work-related, and (ii) involves OSHA general recording criteria, such as medical treatment beyond first aid or days away from work.
While surveillance and monitoring at the workplace has been in place for many years and is generally legal in many circumstances, the boundaries of surveillance and monitoring of an employee while away from the workplace have not been significantly tested, particularly in the context of a pandemic and widespread at-home and other remote working. For example, what about an app an employer uses to track the employees movements while away from the workplace to assess potential risks (e.g., an employee that frequently goes out to restaurants and bars at night will be more likely to contract the virus than a “homebody” employee)? Or a questionnaire that asks where the employee has been when not at the workplace? Finally, how long should enhanced surveillance and monitoring measures stay in place after the virus has dissipated?
To deal with these issues office-based businesses should consider some or all of the following steps, keeping in mind that due to the vast differences among infection rates geographically, business sizes, employee density, customer interaction, etc. do not allow for a one-size-fits-all solution.
A proactive approach that incorporates privacy and security by design (on the front end) will significantly enhance company’s legal compliance and mitigate the risk of legal actions, claims, regulatory enforcement, damage to reputation and other risks and hazards of legal non-compliance. Such an approach should also take into account not only legality, but also the company’s philosophy and “personality” when it comes to employee monitoring and surveillance – particularly if measures will or could be tracking or soliciting information about employees’ activities outside of work. The company should proactively address this issue with employees, or at a minimum, be prepared to provide a transparent response to employees when these questions arise.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.