How to Build a Successful Privacy Strategy for Employees Returning to Work: Being Compliant + Building Trust

Ekaterina Lyapustina, published in Slalom Business, 6 min read, Jul 31, 2020


Photo credit: Shridhar Gupta (@shridhar)

By Ekaterina Lyapustina and Casey Berman

Never before have businesses been required to shut down, close their doors and reduce their operations in the name of public health as we have seen in the past 4 months. And now debates continue around the best way to safeguard against the spread of the virus, what more the government can do to stimulate the economy and how best to weather the “second spike”.

This article probes one sensitive area that every company must “get right” as it re-opens: implementing a data and information privacy strategy that not only protects customers, clients and employees, but also reinforces trust and a culture of transparency with all of its stakeholders.

The Status of Privacy as America Opens Up Again

“The best way to find out if you can trust somebody is to trust them.”

― Ernest Hemingway

On April 16, 2020, the US federal government issued comprehensive guidelines on a three-phase approach to “Opening Up America Again,” on the advice and recommendation of public health experts.

As federal and state health authorities in the US allow some businesses to reopen, there is no doubt that the return of workers and customers to the office, stores and restaurants will usher in the next frontier when it comes to employers’ responses to the COVID-19 pandemic.

And this new frontier will surface a broad set of unique information storage, usage and protection challenges and concerns. Our initial work with Slalom clients has reinforced that weak privacy policies and continuity plans could leave you exposed to regulatory fines, employee lawsuits, eroded employee and customer trust, and reputation loss, all of which could hamper your ever-important digital and online presence.

A robust privacy plan, however, empowers you to retain skilled employees, increase internal productivity, create greater “customer love,” digitally innovate and minimize legal and IT risk.

This strategy then needs to be correctly implemented.

To help you build a successful plan, we’ve laid out the following five principles your organization can follow to ensure your privacy practices align with your employees’ needs and expectations.

Let’s dive in and we can show you how.

The Five Principles to an Effective Workplace Privacy Strategy

#1 Creating Purpose and Transparency for Data Collection

You want to be up front and transparent about the reasons for collecting, sharing and storing data. Or, as Steve Jobs pointed out, “Privacy means people know what they’re signing up for, in plain English. Let them know precisely what you’re going to do with their data.”

There are many tools and solutions offered now to deliver real-time situational awareness information to emergency managers, operational experts and data scientists. Quarantine Facilities Management, Situational Awareness Dashboards, Mobile Functionality, Asset Tracking and Personal Protective Equipment (PPE) Tracking are a few. Regardless of which solution you use to track, gather and assess information, you want to clearly communicate how this information will be used. So if your organization is planning to use workplace contact tracing apps, you need to be very transparent with your employees about what data you plan to collect and why.

#2 Ensuring Data Collection and Sharing Limitations

During the current coronavirus outbreak, it is reasonable for employers to adopt screening methods designed specifically to assess and evaluate the risk that an employee attending the workplace is carrying the coronavirus. The kind of information an employer collects should be limited strictly to assessing whether or not an employee attending the workplace might be carrying COVID-19.

When considering whether or not to gather or examine the information from employees regarding the coronavirus risks, it is essential first to review the company’s current privacy policies. There may be a need to change or even supplement policies in order to cover important information pertaining to the coronavirus.

#3 Placing Guard Rails on Data Retention

Employers should ensure that the personal data collected from employees is useful in meeting the company’s needs, and should minimize data storage to only what is necessary for a defined purpose. There should be suitable security measures and data retention times and rules for information related to an employee’s COVID status.

It’s important to maintain any coronavirus information about individuals in a secure and safe environment, separate from the employee’s personnel file, and to limit access to this confidential employee information. Please consult the Department of Labor’s Occupational Safety and Health Agency (OSHA) on the latest retention timeline requirements for employee medical records.

#4 Empowering the Users’ Control of Their Data

You probably know that many privacy laws, such as the CCPA, mandate that a company provide individuals or employees notice of the data collected, the purpose or aim of collecting the data, and to whom they disclose the data.

It is also important to give users more control over their data and the option to exercise their rights. If leaders in companies want access to valuable employee data, they will have to forge a new “give and get” relationship with their employees and share more control with them over their personal data. There is considerable risk involved in managing the collection of sensitive employee data, especially when used in large volumes. This is why companies need a reliable system that builds in all the right checks and balances.

#5 Abiding by Data Governance and Security

The purpose of data governance is to ensure that an organization’s data is available as needed for business purposes, but that it also remains secure and private under all circumstances. To ensure data is protected, business units must work closely with Information Security specialists to resolve data governance issues that are emerging during the COVID-19 pandemic.

It’s important to develop robust data disclosure policies and procedures for ongoing monitoring and evaluation of data processing, while ensuring suitable safeguards are implemented and remain in place. This is crucial because any unauthorized disclosure of an employee’s personal information is likely to trigger the company’s security breach notification requirements. And you may have to pay claims under the applicable privacy regulations and laws.

Also, note that disclosures are usually essential to protect the health and well-being of others in the workplace and the smooth, safe and secure operation of the business. So, for instance, if a particular worker tests positive for the coronavirus, disclose specific information to other workers who are at risk of exposure while limiting the infected individual’s access to the workplace.

Final Thoughts: Being Pound Wise

When bringing employees back to work, it’s important to consider the sensitive nature of data that may be collected by COVID-19 applications and incorporate data protection principles from inception. When employees return to a physical work location, the employer must bear the responsibility of ensuring pandemic-related data collection, protection and retention best practices.

By having a plan in place and by preserving access to crucial information and assets, companies can reduce the risk of a data breach or privacy violation, sustain critical functions, and reduce the potential for first- and third-party losses.

This begins first and foremost with (re)building that trust between companies and their employees and customers.

There will likely come a time when the coronavirus crisis has passed. And note that when it eventually does, there will likely be a reckoning for those employers who have made the grave mistake of assuming that their employees’ privacy rights went on a hiatus during this global pandemic. Inevitably, they can expect a backlash, and even legal claims, from employees whose employers failed to balance their privacy rights.

Organizations need to do the up-front work now to give their customers and employees a reason to feel confident in them. As the actor Gary Busey is famous for saying, “If you take shortcuts, you get cut short.” We don’t want that to happen to you.

To discuss how you and your organization can apply this guidance, or to discuss specific privacy challenges, please reach out to Ekaterina Lyapustina or Casey Berman at Slalom.


Ekaterina Lyapustina
Slalom Business

Passionate about data privacy, security, and building better technology that matters. Privacy Consultant, @Slalom Global Privacy Center of Excellence