Privacy Protection During COVID: Can Employers Disclose Employee Health Information?

Written By Rick Klumpenhouwer

Privacy Protection During COVID: Can Employers Disclose Employee Health Information?

Employers are faced with a variety of challenges due to the pandemic, but one pressing concern is how we can best manage employee outbreaks while still respecting personal privacy. Employers are asking: what information can we collect and share?

In this article, we explore privacy considerations and provide practical advice on how to manage and maintain employee privacy and safety during the continuing COVID-19 pandemic.

Does an employee need to inform their employer if they contract COVID-19?

  • First of all, employers can’t administer COVID-19 tests – they can only screen for symptoms and, accordingly, restrict anyone who fails the screening from entering the workplace. All individuals with symptoms, contacts with confirmed cases, or who have travelled from certain areas are required to self-isolate. If you’re looking to develop a screening questionnaire for your workplace, health authorities have provided lists of appropriate questions you can ask, available here: www.alberta.ca/assets/documents/edc-covid-19-screening-questionaire-english.pdf

  • Employers may not report a failed screen to anyone but should guide the employee to follow the mandated isolation protocols. You may encourage that employee to get a COVID-19 test, but ultimately, testing is their choice. All you can do is continue to ensure they stay away from the workplace until they have no symptoms, or the requisite isolation period has passed, or both.

  • Public health officials administering COVID-19 testing, not the employer, will be the first to know if an employee has tested positive for the virus. And those health officials will contact you if that is the case.

  • Organizations can help ensure employees disclose relevant health information by guiding employees to Occupational Health and Safety (OHS) and provincial health rules and regulations, such as the Alberta Public Health Act, which governs testing, contact tracing and notifications. You should also institute a workplace policy that requires employees to self-disclose and remove themselves from the workplace when they are experiencing symptoms or have tested positive for the virus.

  • In Alberta, private employers are required to follow the Personal Information Protection Act, SA 2003, cP-6.5, which states employers can collect and use personal information for purposes that are “reasonable.” Because of the obligation to protect all employees under Alberta’s Occupational Health and Safety Act, it would be considered “reasonable” for employers to collect some additional information from an employee, after a positive test notification. You may collect and use a limited amount and type of information you need to assist and manage the affected employee, and to protect other employees. There are similar collection, use, and disclosure provisions for public bodies under the Alberta Freedom of Information and Protection of Privacy Act (FOIP), and health care bodies under the Health Information Act (HIA).

What should you do after you find out an employee has tested positive for COVID-19, and what information can you share with others?

  • Once local health authorities have let you an employee has tested positive, they will assist with next steps, including contact tracing. They will let you know who, within or external to your organization, you should and may, contact and notify.

  • It’s important to keep in mind the golden rule in privacy: disclose the least amount of information possible for the intended purpose. This means you have an obligation to protect, as much as possible, the identity of the individual who has tested positive, and any specific information relating to the individual’s medical condition or symptoms, as you work to inform other employees about the exposure to the virus, the risks involved and the precautions that need to be taken. Once again, health authorities will be your guide.

Will there ever be a time when the employee who tested positive for COVID-19 can or should be identified to inform staff members?

  • The short answer is maybe. In some cases, especially within smaller businesses or when employees share a workspace, an employee absence may be easily noticeable to the rest of the team. Certainly, these days everyone will be speculating! Be very careful not to get drawn into responding to or substantiating the workplace rumours. It may be challenging to protect the identity of the infected individual. Still, official information sharing must come from you and should be guided both by public health and privacy rules.

  • Depending on the province, territory or industry you work in, there are parts of the access and privacy laws that allow you to disclose some information about the individual who has contracted COVID-19. The laws allow the disclosure of personal and personal health information if there is some other law that mandates or allows the disclosure, such as OHS or the Public Health Act. Or, if the disclosure is necessary to protect the health and safety of individuals, groups or the public at large. Under these sections, disclosures are limited by type and amount, on a ‘need to know’ basis. And sometimes, you may find that somebody ‘needs to know’ who tested positive.

  • Rest assured, if one of your employees has a positive test, health authorities in your jurisdiction will help and tell you what information you can and should be giving to the rest of your staff, or to others who may have been exposed. Just do a double-check with applicable privacy law and don’t be afraid to ask questions if you see a conflict.

What kinds of policies should an employer have in place to manage all this?

  • Your starting point is a well-crafted set of general information privacy and security policies. If those are robust according to the laws in the jurisdiction, they will guide the collection, use, disclosure, and security of information pertaining to COVID-related issues.

  • Also, seriously consider implementing a policy to manage COVID-related and workplace illness absences generally.

  • If you don’t have policies or think you need a review or update, now is the time!

Effective privacy management directly supports all aspects of your business or public body. At Cenera, we know precisely how to achieve the right balance between protecting employee privacy rights and protecting public health. Why risk a mistake? Contact us today to see how we can help.

Let’s Connect

Never miss an update, click here to subscribe to our monthly newsletter.

Plus, follow us on LinkedIn!

Share This Story, and Choose Your Platform!

Rick Klumpenhouwer

A passion for strategic information management and a strong academic background make Rick Klumpenhouwer a highly capable advisor for those seeking to integrate compliance with real-world management. In addition to his Masters degrees in Archival Studies and History, Rick is also certified with the Canadian Institute of Access and Privacy Professionals (CIAPP) at Master status, and as a Specialist in Electronic Content Management with the Association of Information and Image Management (AIIM). For many years, he has played the role of hockey and Irish dancing dad while indulging his love of European and world soccer leagues and tournaments.

Previous

Workplace Bullying: Causes, Effects and Prevention
Next

Why Workplace ‘Bored-Out’ is the New Burnout (And What Employers Can Do About It)