5 Questions Employees Should Ask About Workplace Contact Tracing
Put aside the concerns over whether we’ll ever go back to work again.
Put aside all the questions about how we’re going to arrange our desks and our lives once we get back to work.
Put aside the concerns that the workplace (whether we’ve ever left it or not) is rapidly becoming one of the most surveilled spots on earth.
Put aside all the questions about what existing laws say about gathering data on employees, and about what changes to existing laws will say, and about whether there will ever be a federal privacy law offering the clarity we’re all clamoring for.
Put aside all this and ask yourself: what do you want to know about your employer’s efforts at collecting and tracking your health data before you go back to work?
(I want to recognize right here that the amount and type of data gathered will differ dramatically from company to company, running the gamut from a simple self-assertion of good health right on up to full contact tracing, using an app or a locator that tracks proximity at work and possibly even away from work.)
5 Basic Questions
Make no mistake, the desire to contain the spread of COVID-19 will bring about higher levels of data collection in the workplace. This will likely include the collection of health data completely unrelated to HIPAA, our existing health data law.
That means it’s up to all of us—whether we’re making the policies or simply living with them—to ask some basic questions about what information we disclose and how it’s used.
What’s the goal of data collection?
You may assume you know the answer, but it’s important your employer has a clearly stated goal for data collection so you will know the collection will cease when the goal has been met.
What information do you need to meet the purpose?
It’s far too easy for those collecting data to ask for more than they need, just in case. It’s easier than coming back later to ask for more. But you’d be right to ensure your employer is collecting the minimum data needed to meet their goal.
How will you be storing this data?
You have a right to know what is being done with the health data being collected, from how it’s stored (encryption is a must for digital data; lock and key for any physical records) to how long it is being held. You should know what’s required to access the data, including whether access requires multi-factor authentication. These are security questions as much as privacy questions—but that’s just fine, because the two are closely related.
Who will have access to my data?
COVID-related data collection is going to be like no other, as it may involve outside health professionals or even other people from your company who don’t normally handle employee data. You have a right to know who is collecting and accessing this data, and how they’ve been trained to protect it.
Who are you sharing this data with?
If the goal of COVID-related data collection is to reduce the spread of disease in your community, it may be that your employer is sharing data with a local health agency. If this is the case, you deserve to know so you can assure yourself this entity is also doing the right thing when it comes to your data. Ideally, your company will also share with you the precise details of data sharing agreements it has signed.
Just Scratching the Surface of Data Privacy
Keep in mind that these questions and my brief answers barely scratch the surface of the possible questions that arise out of employment-related health data collection.
On any one of these questions, further digging would reveal much more about your company’s understanding and embrace of such critical privacy principles as data minimization, data usage, data sharing, etc.
With any luck, you’re already familiar with most of these principles, likely because you work at a company with a good privacy and security awareness program (that also follows guidelines such as those promoted in this simple infographic published by the International Association of Privacy Professionals, or IAPP).
Such programs equip employees to understand the key privacy and security principles underlying all data collection, and to apply their understanding to both their work and their personal lives. Such programs make people better employees and better citizens, equipping them to function in today’s digital world. If you don’t have the kind of program that equips your employees to ask these kinds of questions, well … why not?
Bonus Question: Are You Tracking Me Outside the Workplace?
If the questions above satisfy your need to know, that’s probably a good sign that you feel comfortable with what your employer is asking—and that they haven’t overstepped their bounds.
But some proposed solutions to track COVID infection also expect to monitor employee movement outside the office and outside work hours, possibly alerting you (and your employer) to contacts and movement you may well wish to keep to yourself. Up to now, this type of tracking has been more imagined than real—and I for one hope it stays that way.
In the end, the best approach, no matter who you are giving your data to for whatever reason, is to be informed and active in managing your own personal data.