Revised Privacy Bill Exempts Employee Screening Data

A COVID-19 pandemic-related privacy bill put forward by key Republican senators exempts “employee screening data” from its general requirement that companies must obtain individuals’ express consent before gathering data on geolocation, proximity, or health for purposes of determining whether an employee is permitted to enter a workplace.

An earlier draft of the measure would have required employers to obtain consent for, and allow individuals to opt out of, the collection, processing, or transfer of information for tracking the spread, signs, or symptoms of COVID-19.

The newly introduced bill, which is largely aimed at tech solutions such as Apple and Google's joint contact tracing venture, was revised to exclude the data of employees, owners, directors, officers, staff members, trainees, vendors, visitors, interns, volunteers, or contractors. The measure also exempts as a covered entity any service provider that processes or transfers covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity to which it is not related.

The revisions appear to respond to concerns voiced last week by the HR Policy Association (HRPA) that the draft bill language would have made it harder for employers to reopen their workplaces in a way that does not exacerbate the pandemic.

“While the draft bill’s protections requirements may be appropriate in a consumer context, they would prevent an employer from mandating broad workforce participation in COVID-19 protective measures right at the time companies are working to reopen workplaces and get the economy moving again,” HRPA President and CEO Tim Bartl said in a letter to bill sponsor and Senate Commerce Committee Chairman Roger Wicker (R-MS). 

Outside of the employment context, the COVID-19 Consumer Data Protection Act would require companies to obtain affirmative express consent from and provide prior notice to individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. It would also require covered entities to: 

  • Allow individuals to opt out of the collection, processing, or transfer of such information; 
  • Provide a public transparency report at least 30 days after the bill's enactment describing data collection activities related to COVID-19, and every 60 days thereafter;
  • Direct companies to disclose to individuals at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained;
  • Take "reasonable measures" to ensure accuracy of data and provide an effective mechanism for individuals to report inaccuracies;
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity; and
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. 

The legislation preempts any state or local regulation of the covered data and includes no private right of action. 

Republican supporters hope to win some support from Democrats for the bill and include it in a future coronavirus relief package, but the outlook is uncertain. Wicker and other lawmakers have tried to negotiate a broader bipartisan privacy bill that would set new federal safeguards for the collection and use of consumer data. That push has faltered amid partisan differences over whether a national standard should override state laws or allow consumers to sue companies. The debate is set to heat up again, however, amid the drive to slow the pandemic and as employers strive to make their workplaces as safe as possible as return-to-work efforts advance.

by Geoff Manville

Principal, Mercer’s Law & Policy Group
