The COVID-19 pandemic has unfortunately brought about an explosion of cyber scams, with bad actors preying on fear, uncertainty and doubt. But it’s also raising some big challenges regarding data privacy because of both the escalated cyber threat and the direct effects of the outbreak itself.
The International Association of Privacy Professionals (IAPP) recently held a web conference on the impact of the health crisis on data privacy. The event featured speakers from the U.S. Department of Health and Human Services, along with senior attorneys who work on privacy issues in the health sector.
The discussion followed the spread of the virus throughout the United States and the associated shifts in government regulations (like easing enforcement of certain Health Insurance Portability and Accountability Act (HIPAA) provisions). Privacy challenges emerged with the first U.S. patient in the state of Washington in late January. Once news reporters said a given hospital had a patient with the virus, it became possible for at least a small group of people to identify the person. Given the intense interest in the outbreak, scrutiny escalated with each new case.
Fast-forward nearly three months, and privacy issues now extend well beyond the domain of health care facilities. With so many people affected, we are in new territory with regard to privacy rights.
Employers are in a spot that’s surely uncomfortable for many. The Equal Employment Opportunity Commission (EEOC) prepared pandemic preparedness guidelines in 2009 for the H1N1 virus scare, and many employers have turned to them and the Americans with Disabilities Act for guidance. But as the situation has grown worse, employer confusion has increased. Some may be inclined to lean on HIPAA guidelines, but HIPAA only applies to covered entities – medical providers and insurance companies – and not all employers.
Employers are legally allowed to ask employees about specific health issues if there is a “direct threat” to the rest of the workforce. The IAPP panelists noted that there is a very high legal bar for proving a direct threat exists, but a pandemic qualifies. That means employers can now make health inquiries of their employees. Recent EEOC guidelines even grant employers the right to take employees’ temperatures if they interact with other people. But where does that leave the affected individuals and their families?
Other areas are even less clear. Think about mobile technicians entering homes to perform work, like security system installation and repair. Do they need to know if someone in the home is infected? What, then, is the impact on the occupant’s privacy? Who else might that technician tell?
There are also new privacy and security issues resulting from so many people working at home. Is an employee performing work on an employer-issued asset or a personally owned device? If personal, what rights do employers have to see what’s on the computer? Employers may issue security policies and offer employee training, but can they enforce accountability for behaviors outside the workplace? What about physical safeguards for home workstations? Might unauthorized people see sensitive data? What degree of electronic monitoring can employers conduct? What are the privacy implications for the rest of the household?
There’s another issue with landlords, particularly in multiple occupancy buildings. An infected tenant could put others in the building at risk, so does the landlord have a right to know a resident’s health status? Do other tenants?
Many of the questions posed here have no black-and-white answers. This is a radically disruptive time. New boundaries will be pushed, some for good reason, but where will the line be drawn? This will likely play out in both the legal system and the court of public opinion. For now, it’s best that we maintain vigilance regarding health and safety while also remaining respectful of everyone’s privacy.
Kathy Stershic is the founder of Dialog Research & Communications.
The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.