Reconciling the Collecting and Keeping of Employees’ Health Data during the COVID-19 Pandemic with Colorado’s Consumer Data Privacy Protections

By Andrew Neiman

In accordance with public health guidance, employers across Colorado are adopting various workplace data-gathering and record-keeping scenarios involving millions of employees, all taking place under the enormous stress and fear of the COVID-19 pandemic. As many of these actions involve data which employers have never collected prior to the COVID-19 pandemic, employers must examine their data privacy practices to ensure they comply with the Colorado Protections for Consumer Data Privacy (the “Protections”), which became effective on September 1, 2018.

These laws apply to most employers. A “covered entity” is defined broadly under the Protections as an individual or entity that maintains, owns, or licenses personal identifying information in the course of business. “Personal identifying information” or “PII” applies to information or documents that identify an individual, including by their name, social security numbers, personal identification number, passwords or pass codes, government-issued driver’s license or identification card numbers, passports, employer identification numbers, and even some biometric markers.

The Protections require employers to take various precautions to protect PII. First, the Protections require that employers adopt written policies governing the disposal of both paper and electronic records containing PII. Second, the Protections require employers to take reasonable steps to protect PII if they collect it. Third, if a data security breach happens, employers must give detailed notice to consumers and, in certain circumstances, to the Attorney General. No financial penalty is spelled out, but the Attorney General could force a company to provide relief to recover from the economic damage of a breach.

Employers should identify what PII they are collecting from employees and where it is stored in both paper and electronic form. When processing health data, which includes whether employees show symptoms of COVID-19 or have been infected with the virus, companies should collect the minimum necessary to fulfill their obligations to protect the safety of their employees and the public. Many employers are taking the temperatures of all employees and members of the public before allowing access to their workplace. This does not mean the temperature reading or information regarding whose temperature was taken should be recorded and kept. In many cases, workplaces which have required employees to work full-time from home have eliminated the need to collect this information.

Employers must evaluate current recordkeeping practices and information handling processes and determine if these must be changed to address new data-gathering scenarios prompted by the pandemic. Establish a chain of custody for any personal data that is recorded either in hard copy or electronically. Employees’ health data should only be accessible to specified persons with a legitimate need to know it. Employers should take care to train any employee who handles covered records on how to comply with the Protections. It is important to remind employees that breaches happen. Ensure that a procedure is in place for reporting breaches internally and to the Attorney General if necessary.

Colorado’s employers have been resilient in adopting measures to prevent the spread of the novel coronavirus and protect their workforce. Now is the time to take steps to protect employees’ personal data in accordance with Colorado’s Consumer Data Privacy laws.
