The Matrix

COVID-19 Operations: How to Keep Vaccine-Related Data Safe

Post authored by Mahja D. Zeon, an Associate in Honigman's Detroit office, and Lauren Legner, a 2021 Summer Associate in the firm's Detroit office.

Employers have a right, and in some industries, even a requirement, to implement vaccine-related policies to promote workplace safety, but they must be mindful of the privacy implications. There are several competing concerns to weigh when deciding whether to implement vaccine-related policies. On the one hand, data regarding employee vaccination status may play an essential role in keeping the workplace safe from COVID-19 outbreaks. On the other hand, collecting and using such data implicates individual privacy and data security concerns. Should an employer choose to collect vaccine-related data, it must take the appropriate steps to keep this information safe. Here are three ways employers can implement vaccine-related, data-safe policies:

1. Implement a Well-Defined Service Agreement

Many employers are utilizing workplace monitoring apps to administer daily questionnaires and track vaccine status. Employers should ensure that the service agreement with that app provider includes provisions that adequately protect employees’ information. As an additional safeguard—and in some states a requirement—service agreements should also include “flow down” provisions that require app providers to impose the same protections outlined in the service agreement on any third parties that may also process or handle employee information.

2. Give Appropriate Notice

Before implementing vaccine-related policies, employers should review applicable state laws to see if any require employee notification and consent. For example, both California and Connecticut have laws that specifically restrict vaccine-related disclosures. Specifically, the California Consumer Privacy Act requires employers to provide employees with a specific “notice at collection” before collecting an employee’s personal information, including but not limited to an employee’s name, email address, social security number, health data, and internet activity. In addition, about twenty other states have data-breach notification laws that cover health information and may require employers to notify employees of a data breach.

3. Ensure Secure Storage of All Vaccine-Related Data

Vaccine-related data is sensitive, private information. The Americans with Disabilities Act (“ADA”) requires employers to maintain the confidentiality of employee medical information, such as documentation or other confirmation of COVID-19 vaccination. Like all medical information, this information must be kept confidential and stored separately from the employee’s personnel files under the ADA. Employers should also be mindful of state laws. Several states specifically require companies to provide reasonable data security for health data. Many define individually identifiable health data as sensitive personal information that may trigger data-breach notification obligations if accessed or acquired without authorization.