Reopening and Worried You Are Infecting Your Employees as They Come Back to Work?

15 May 2020 Blog
Authors: Chanley T. Howell, Carrie Hoffman, Steven M. Millendorf
Published To: Coronavirus Resource Center: Back to Business; Labor & Employment Law Perspectives; Privacy, Cybersecurity & Technology Law Perspectives

The New Face of Employee Workplace Surveillance and Monitoring in the Age of COVID-19

Employers and employees are bracing themselves for a new heightened level of surveillance in the workplace not seen since the aftermath of 9/11. These new measures will leverage advanced technologies such as artificial intelligence and deep learning, and they will have privacy and security implications for employers and employees alike. 

Employers are purchasing new technology solutions, as well as repurposing existing technology, such as surveillance cameras already in place. Many new surveillance measures and tools include several advanced techniques, such as:

  • Thermal cameras that measure body temperatures.

  • AI cameras that monitor employee proximity and social distancing and issue alerts in real time.

  • Smart phone apps that trace employee contacts and proximity to other employees in the office, and alert managers to problematic circumstances.

  • Categorizing employees into separate groups based on health risks.

  • Detailed mandatory disclosure of personal health information, including about family members.

  • Questionnaires, temperature checks and other health screening upon entering a building.

  • Markers on the ground to designate appropriate distancing for waiting and foot traffic.

  • Smart phone apps that “pre-check” an employee’s health before coming to work.

  • Creating a “floor-safety coordinator” for a “boots on the ground” presence.

As states begin to lift stay-at-home and work-at-home orders and employees prepare to return to work, more than 80% of landlords and office managers are already planning design changes to address surveillance and social distancing, according to a study of 400 participants by VergeSense, a San Francisco-based property-technology (proptech) company.

Keep Your Distance

Source: VergeSense and Wall Street Journal

If you were in the workforce after 9/11, you likely remember when building security was ratcheted up in response to the emergency, with measures such as turnstiles in lobbies, front desks for ID cards and photographs, visitor ID badges, and screening for bombs. What was once unsettling and sometimes an annoyance shortly became commonplace. The same is occurring in response to COVID-19, but with heightened surveillance, use of technology, and previously unheard-of intrusions into personal privacy. While most workers likely will get used to these new measures, the transition is guaranteed to be a bit rocky – more for some employers than others.

The question then becomes how best to ensure safety and comply with the law without venturing so far over the line as to severely impact employee morale. Generally speaking, federal and state laws are not particularly specific or detailed with respect to the legal parameters for employee and workplace monitoring. In the U.S., the overriding factor is an employee’s “expectation of privacy.”

For example, several of the proptech solutions have functions or purposes to map and trace an employee’s or visitor’s exposure to coronavirus (commonly referred to as “contact tracing”), which is widely accepted as not only advisable, but a requirement under some federal and state reopening guidelines. Contact tracing is the process of identifying who an infected individual has been in contact with recently so that those individuals can be notified and take appropriate isolation and quarantine actions. On May 14, the CDC issued new guidance on reopening of businesses in the form of decision trees for different industries such as restaurants, schools and office-based workplaces. See Foley’s guidance found here. The workplace guidance stresses ongoing monitoring.

Workplace Decision Tree

Source: CDC 

Contact tracing is a critical aspect of the pandemic recovery and reopening, and is part of the CDC’s multipronged approach to fighting COVID-19. CDC guidelines state that contact tracers should identify people who were within six feet of an infected person for at least 15 minutes starting from 48 hours before illness onset until the time the patient is isolated. These “contacts” should be warned “of their exposure, assess their syndromes and risk, and provide instructions for next steps.” 

The tension then becomes how an employer can effectively contact trace without violating an employee’s expectation of privacy. For example, employees may be uncomfortable or embarrassed to disclose to their employers all persons they have had contact with (e.g., affairs, visits to taboo stores or shops, etc.). Without a realistic and detailed plan to handle confidentiality and disclosure of the information in accordance with the law, in addition to legal challenges from employees for invasions of privacy, employees may also be strongly tempted to lie or withhold information.

As we know from years and years of litigation involving the “invasion of privacy” concept, the standard for when an employee crosses the line is not clear and can vary widely depending on the facts and circumstances of the situation, applicable state laws, and the decision makers in the particular incident. Complicating the compliance and risk analysis are federal and state privacy and security laws, such as HIPAA, the ADA with respect to individuals with disabilities, the Family and Medical Leave Act and state biometrics laws (with Illinois’ law being the most stringent, permitting employees to sue for violations).

While the temptation on the part of the employer and the employee will often be to identify the affected individual, generally speaking, whether or not the organization is covered under HIPAA, the identity of the individual should not be disclosed to potentially infected employees without consent from the infected employee. Often the identity will become apparent; however, unless the employer obtains the infected employee’s consent, the employer should not be the one providing that information. Under certain circumstances involving potentially significant threats to public health and safety, it is generally permissible (and often advisable) to disclose the identity of an infected individual to public health authorities, such as federal, state or local agencies or authorities charged with public health and safety responsibilities, or if required by applicable law. For example, OSHA’s position is that employers must report to OSHA any confirmed COVID-19 illness diagnosis that is both (i) work-related, and (ii) involves OSHA general recording criteria, such as medical treatment beyond first aid or days away from work.

While surveillance and monitoring at the workplace have been in place for many years and are generally legal in many circumstances, the boundaries of surveillance and monitoring of an employee while away from the workplace have not been significantly tested, particularly in the context of a pandemic and widespread at-home and other remote working. For example, what about an app an employer uses to track the employee’s movements while away from the workplace to assess potential risks (e.g., an employee who frequently goes out to restaurants and bars at night will be more likely to contract the virus than a “homebody” employee)? Or a questionnaire that asks where the employee has been when not at the workplace? Finally, how long should enhanced surveillance and monitoring measures stay in place after the virus has dissipated?

To deal with these issues, office-based businesses should consider some or all of the following steps, keeping in mind that the vast differences in geographic infection rates, business sizes, employee density, customer interaction, etc. do not allow for a one-size-fits-all solution.

  • Screen employees for signs and symptoms of the virus daily before entering the company’s facility, making sure to update those screening questions/efforts based on the most up-to-date guidance.

  • Strongly encourage employees showing signs or symptoms to stay at home and consider being tested, based on current testing guidelines.

  • Have contingency plans in place for increased absenteeism and/or continuation of remote work where feasible.

  • Notify public health authorities of significant outbreaks or troubling developments.

  • Communicate constantly and consistently with employees regarding actions being taken by the company to deal with the virus, and in particular, any significant changes in infection rates or absenteeism (without identifying infected employees).

  • Strongly encourage and enforce social distancing, including layout and design changes to workspaces, such as increased spacing between work areas and during meetings, limiting close clustering of individuals, staggering shifts, limiting large events, etc.

  • Consider whether to close employee break rooms and/or coffee bars. If coffee bars remain open, use only disposable cups, plates, plastic ware, etc.

  • Use a flexible leave policy for those experiencing signs or symptoms, or testing positive.

  • Train and educate all employees on appropriate hygiene, handwashing and masks where appropriate, including providing hand washing stations and/or hand sanitizer.

  • Increase cleaning and disinfection both before and after reopening.

  • Consult your legal counsel regarding the legalities of your workplace surveillance, monitoring, contact tracing, and reporting activities.

  • For use of third-party technology solutions, and particularly if health or other sensitive data will be accessed or stored by the service provider (e.g., cloud-based solutions), ensure appropriate data security and privacy compliance due diligence of the service provider and include protective contractual provisions such as explicit confidentiality, privacy, and data security requirements, warranties, indemnification, and exclusions from contractual limitations of liability.

A proactive approach that incorporates privacy and security by design (on the front end) will significantly enhance a company’s legal compliance and mitigate the risk of legal actions, claims, regulatory enforcement, damage to reputation and other risks and hazards of legal non-compliance. Such an approach should also take into account not only legality, but also the company’s philosophy and “personality” when it comes to employee monitoring and surveillance – particularly if measures will or could be tracking or soliciting information about employees’ activities outside of work. The company should proactively address this issue with employees, or at a minimum, be prepared to provide a transparent response to employees when these questions arise.
