The COVID-19 pandemic has dramatically changed the business landscape and, over the past few months, employers have found themselves in uncharted waters on more than one occasion. First, it was getting entire workforces up-and-running from home practically overnight. And now, as employees are welcomed back onsite, employers are required to follow new health and safety protocols to prevent the virus’ spread and maintain near-normal operations.
One health initiative causing confusion (and often tension) within many organizations is the use of contact-tracing applications. The Centers for Disease Control and Prevention (CDC) believes contact tracing is key to slowing the spread of COVID-19, putting business owners and managers under pressure to use these applications.
Many are also sensitive to how this measure might affect employee privacy rights. Contact-tracing applications require employers to collect all kinds of employee health data that they never had to worry about before – temperatures, health symptoms and travel history, for example – and they aren’t sure how to use and protect this data in a way that balances health and safety with privacy.
Data protection guidance
Employee health data is considered personally identifiable information (PII) and should be protected accordingly. This is easier said than done, though. In the U.S., there’s no single federal law that regulates the protection of PII or a certification body for compliance. Instead, there’s a mix of federal (e.g., the FTC and Gramm-Leach-Bliley Act) and state laws (e.g., the California Consumer Privacy Act), sector-specific regulations (e.g., the Health Insurance Portability and Accountability Act) and self-regulatory programs developed by industry groups. It’s up to individual organizations to become familiar with the federal, local and industry requirements applicable to their business and ensure they are in full compliance with all relevant policies.
For organizations that aren’t aware of these PII protection mandates and don’t have a documented data classification policy in place, protecting COVID-19-prompted employee health data can be an overwhelming concept. To help get you started on the right path, here is a 10-point plan for securing PII, including new employee health data collected through COVID-19 contact-tracing applications and other healthcare tracking systems.
1. Identify a single point of contact who will be responsible for the privacy and security of PII
This best practice is self-explanatory, but it’s worth taking a moment to discuss why it’s so important in the data protection process. There are many business departments involved in the collection and usage of PII, including security teams, compliance teams, the legal department, HR, business units, etc. Without a designated leader to define roles, responsibilities and processes, it’s likely that PII privacy and protection activity will be minimal, because each employee will assume someone else is taking care of it.
2. Determine your goal for collecting employee health data
Why are you collecting employee health data? Your answer will determine which data fields you need to collect and store. For example, if your goal is to prevent the spread of COVID-19, you might document an employee’s name, number, temperature or location data. It’s important to note here that in the world of security, less is better – don’t collect data that is irrelevant to your goal.
3. Store only the minimum data necessary for the minimum amount of time necessary
To reiterate the point I just made: The less data you have on file, the less you have to secure and the smaller the chance of a privacy or security breach. This is why it’s so important to keep only the data you absolutely need to achieve your health and safety goals for only the required length of time – and no longer.
4. Implement strict access controls based on job requirements
In addition to determining why you’re collecting employee health data, it’s also important to identify who will be accessing the information, so you can implement the proper security controls. Role-based access control (RBAC), as its name implies, can help you restrict access to PII based on employees’ roles within the company. Once access controls are put in place, it’s important to implement consistent monitoring measures to detect and prevent unauthorized access that could lead to privacy or security issues.
5. Only store PII in documented and approved locations within the network
Make sure employee health data is stored within the trusted internal network and not in a DMZ network (i.e., a demilitarized zone). Housing this data on external-facing systems that sit on untrusted networks, such as the internet, greatly increases security risk. Data flow charts are a great way to keep track of which applications are storing data and where they reside.
6. Vet your vendors and business partners to ensure they meet your organization’s security standards
Before partnering with a third-party vendor to manage employee health data and systems, assess their internal security and compliance processes and how they apply to their work with customers. Ensure contracts include:
- Protocols for safeguarding your data.
- Breach notification requirements.
- A defined process for the destruction or handing back of your data at the end of the contract.
7. Protect data by encrypting it at rest and during transit
According to data from nCipher Security, fewer than 50% of enterprises have an encryption strategy applied consistently across their organizations. Encryption is a basic best practice in any security program, but it plays a critical role in protecting PII from both insider and external threats. The reason is that even if employee data falls into the wrong hands, an attacker who obtains encrypted data cannot read or use it without the key.
8. Ensure data is regularly archived in accordance with your organization’s disaster recovery/business continuity (DR/BC) plan
In addition to storing and archiving data in accordance with compliance mandates, make sure your data archiving processes follow your DR/BC plan requirements as well. Additionally, if you need to add systems to your infrastructure for employee health data tracking, you must update your DR/BC plan accordingly. Given the rate at which environments change, it’s always a good idea to review DR/BC plans on a periodic basis to make sure they reflect your current IT estate.
9. Destroy PII when it’s no longer needed
Remember how I mentioned only storing data for the minimum amount of time necessary? Once you no longer need employee health data, you must eliminate it from your network to reduce security and privacy risk. To keep up with data hygiene, implement a process to ensure all unneeded employee health data is destroyed on an established schedule.
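As an added illustration of points 2, 3, 4 and 9 together (example code, not from the original article), the in-memory store below refuses fields outside the stated purpose, returns each role only the fields it is entitled to while logging every read attempt, and destroys records once the retention period has passed. The allowed fields, the roles and the 14-day retention period are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Fields the stated goal (preventing on-site spread) justifies collecting.
# These sets, roles and the retention period are assumptions for the example.
ALLOWED_FIELDS = {"name", "employee_number", "temperature", "location", "recorded_at"}

# Role-based access: which fields each role may read (assumed roles).
ROLE_FIELDS = {
    "health_officer": ALLOWED_FIELDS,
    "facilities": {"employee_number", "location", "recorded_at"},
    "manager": {"name", "recorded_at"},
}

RETENTION = timedelta(days=14)  # assumed retention period for the health data


class HealthRecordStore:
    """In-memory store that enforces minimization, RBAC and retention."""

    def __init__(self):
        self._records = []
        self.audit = []  # (role, employee_number, allowed) for every read attempt

    def collect(self, record: dict) -> dict:
        # Points 2/3: refuse fields outside the stated purpose rather than store them.
        extra = set(record) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"fields outside stated purpose: {sorted(extra)}")
        stored = dict(record)
        stored.setdefault("recorded_at", datetime.now(timezone.utc))
        self._records.append(stored)
        return stored

    def read(self, role: str, employee_number: str) -> list:
        # Point 4: return only the fields the role may see, and log the attempt.
        visible = ROLE_FIELDS.get(role)
        self.audit.append((role, employee_number, visible is not None))
        if visible is None:
            raise PermissionError(f"role {role!r} may not read health data")
        return [{k: v for k, v in r.items() if k in visible}
                for r in self._records if r["employee_number"] == employee_number]

    def purge_expired(self, now=None) -> int:
        # Point 9: destroy records older than the retention period; returns count removed.
        now = now or datetime.now(timezone.utc)
        keep = [r for r in self._records if now - r["recorded_at"] < RETENTION]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed
```

In a real deployment the purge would run on a schedule and the audit list would feed the monitoring described in point 4.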
10. Implement privacy principles
There are several privacy principles that should be included in any data classification program. These include:
- Notice – Let your employees know what data is stored and why.
- Consent – Offer employees an authorization form, so they can give their consent to the collection, use and disclosure of PII for specific purposes.
- Withdrawal – Make sure employees understand that they have the right to withdraw consent at any time.
- Policy – Create policies that lay out the collection, use and disclosure of PII.
- Limited purpose – Only collect PII that is relevant, and do not exceed the stated business goal.
- Accessibility – Give employees the right to access their data at any time.
- Accuracy – Give employees the ability to request corrections.
Balancing the scales
Preventing the spread of COVID-19 is a top priority for companies around the world, but it must be done in a way that adheres to security requirements and maintains employee privacy. Hopefully, this 10-point roadmap will get you on your way to creating a data classification program that gives equal weight to health, safety and employee privacy considerations. Doing so will result in not only healthy employees, but happy employees as well.