Privacy in a Pandemic: What You Can (and Can't) Ask Employees

Published: 23/11/2024   Category: security




Businesses struggle to strike a balance between workplace health and employees' privacy rights in the midst of a global health emergency.



The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.
Collecting and sharing information is necessary but must be done with employees' privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws, says Christine Lyon, privacy partner at Morrison-Forrester LLP. What health-related inquiries are acceptable? Can employers require a doctor's note or medical exams?
The interesting aspect of this is there aren't straight-line answers, Lyon explains. Even legal analysis changes as the facts evolve. As an example, Lyon points to the increasingly common question of whether businesses can take temperatures at work. This typically is considered a medical exam and is prohibited under the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) states in guidance related to pandemics.
However, as COVID-19 continues to spread across the United States, the Center for Disease Control (CDC) has begun to recommend employers take temperatures. Daily health checks, which include screening for temperature and respiratory symptoms, have been encouraged in CDC guidance for Santa Clara County, California, and Seattle-King, Pierce, and Snohomish counties, Washington.
It's challenging for employers because there's no clear-cut answer, Lyon says. The CDC may recommend taking temperatures but doesn't suggest what to do if someone has a fever. It's one of many areas in which businesses should proceed with caution. If an office visitor has a high temperature, the company likely would not turn that person away. Instead, she says, it would likely call the person the visitor had planned to meet and say they'll schedule a phone call.
Keep as much confidentiality as possible, she says. What is the information that we really need to know? This concept, she says, also applies to storing health-related information. Many employers are collecting minimal health data, including the temperatures they record. If you're keeping temperature data, it's considered a medical record and confidentiality rules will apply.
Privacy rules and regulations differ by company, industry, and state. As a result, it's difficult to provide detailed guidance on what employers should do. Modern privacy and data protection laws, like the European Union's General Data Protection Regulation and the California Consumer Privacy Act, don't prevent businesses from recording certain information, says Bart Willemsen, research vice president at Gartner. For example, employers must record data necessary to determine if salaries are being paid, or information related to the workspace physician providing treatment to an employee. However, health-related data must be treated differently.
The Dos and Don'ts of Health-Related Questions
Health information is information of a sensitive nature, a special category of data, Willemsen continues. Every person has the right to not share such information — but they can share metadata. Employers can collect data related to insurance payment (for example, if something happens in the workplace). They can also record employees' adjusted work environments, if they start to work remotely. But employers are not doctors, he emphasizes, and they should not assume the position of collecting detailed health data unless under specific circumstances.
So, what can employers ask their employees to ensure a safe workplace without violating privacy rules? Lyon says it's generally fine to ask if they have been experiencing cold or flulike symptoms, especially if there is a pandemic. The CDC states employees who fall ill with flulike symptoms during a pandemic should leave the workplace. Companies can ask about the expected duration of absence if an employee calls out sick; however, they can't ask why.
Though it's important to know how long an employee may be absent, it is not for the employer to inquire in detail after why that absence is a fact, Willemsen adds. People do not have to share the details of their illness unless it has direct influence on their job function (for example, if they are a healthcare worker). It's fine if they want to volunteer that information, but even if they do, employers should refrain from recording and processing the data they share.
Employers should be careful with pointed questions about specific illnesses and diagnoses. Questions like "Have you been tested for coronavirus?" and "Do you have any medical conditions that make you susceptible?" are crossing the line into ADA territory, says Lyon. An employer has to show a justification for asking those sorts of questions, she continues. If an employee returns from travel, the company may ask if they are returning from a country with a known outbreak, even if the travel was personal and the employee does not have symptoms.
Doctors' notes can also be tricky. The CDC suggests companies do not require a note to validate illness or return to work because in times like these, healthcare provider offices and medical facilities may be extremely busy and not able to provide such documentation in a timely way.
If a company wants to verify someone is fit to return to the office, they may ask for a note saying as much because it doesn't disclose a specific condition, Lyon explains. However, if a company wants a note stating an employee has tested negative for a particular condition, such as coronavirus, that ventures into dangerous territory.
Companies are encouraged to record only health-related information that is factual, and the minimum amount of information necessary. This data should only be shared with employees on a need-to-know basis and used as anonymously as possible, Willemsen says. It should be stored securely and only for as long as it is necessary. If it must be disclosed, it should only be shared with external parties as mandated by law — for example, with local health agencies.
Lyon suggests businesses establish a centralized place where employees can view information about what is and isn't appropriate. Make sure these questions are going to the right people so managers aren't on their own for what they can and can't ask, she explains. Creating a list of frequently asked questions for managers and employees can be helpful in times like these.

