The Atlanta Lawyer June/July 2020 Vol. 19, No. 1 | Page 23

employers in the US are encouraged to
take action to notify other employees of
a possible infection in the workplace, the
rules and guidance in other countries may
counsel against the employer shouldering
this responsibility. For countries with more
active centralized health authorities, the
employer may be required or encouraged
to notify the local health authority and let
the authority manage the contact tracing via
conversations with the infected employee.
Some vendors have offered contact tracing
apps for use by US employers to help
manage symptom reporting and infection
management.8 While the allocation of
privacy compliance while utilizing these
apps is currently unclear, especially if
employers take the position that employees
are required to use them, employers remain
responsible for complying with privacy laws
applicable to their use of the personal data
collected.
Practical Guidance for Employers
An employer faces a delicate balancing act in
the US. In order to maintain a safe workplace,
it must take care to isolate infected employees
and notify co-workers who have been
potentially exposed. On the other hand, the
employer must protect the confidentiality
of an infected employee. Maintaining this
balance is especially difficult in a workplace
of a small or medium sized company. What
is an employer to do?
Safety of the employees in this pandemic
is, and should be, a key priority. In order
to comply with the OSHA and CDC
recommendations to inform employees
of a potential exposure, employers should
not name the infected employee. Any
conversations with an employee who has
developed COVID-19 symptoms while at
work, or who has notified the employer prior
to coming into the workplace, should be held
with such person’s supervisor or the human
resources department, and maintained
in a discrete area, out of sight of other
employees. Conversations should be kept
confidential, and records kept separately and
in secure locations, in accordance with Equal
Employment Opportunity Commission
(EEOC) guidance. It is up to the employer,
based on the risk profile of its particular
business, whether to conduct temperature
and other in-person symptom testing each
day. If the employer determines that it
must do so, the tests should be conducted
in a private area outside of the presence
of other employees, and any documented
health records kept in relation to these tests
must be maintained in accordance with
EEOC, Health Insurance Portability and
Accountability Act (HIPAA), and other
guidelines that are appropriate to its business.
While informing potentially impacted
employees, the employer should refrain
from identifying the infected employee, and,
to the extent possible, limit ‘clues’ that may
identify the infected employee. While the
employer cannot prevent other employees
from drawing their own conclusions (“Why
is John not in the office today?”), these
steps should be taken to minimize the risk
of breaching the employer’s obligations to
maintain confidentiality.
It’s All Over Now?
While impossible to cover all privacy-related
concerns raised by the use of electronic
contact tracing apps, whether in the
employment context or in a general privacy
sense, the above topics should be on the mind
of any practitioner, regardless of the type of
law they practice. This is because, much like
pandemic-level diseases like COVID-19,
privacy concerns do not discriminate based
on a person’s profession,9 and neither of
these concerns are going away. When so
many unknown variables affect so many
important aspects of our day-to-day lives,
even if we do not directly come into contact
with the virus or take careful measures to
avoid sharing our data electronically, the
outcome of these topics inevitably impacts
how we live and interact with others.
This is the spirit behind the Atlanta Bar
Association’s newest Section - Privacy
and Cybersecurity Law. – we don’t know
what we don’t know, but our clients will
inevitably seek guidance on these matters,
or will be impacted in ways that affect our
engagement with them, in ways many would
not otherwise anticipate.
For up to date information on the
development and use of contact tracing
apps around the world, follow this
tracker: https://www.technologyreview.
com/2020/05/15/1001736/changelog-covidtracing-tracker-updates-as-they-happen/.
__________________________________
https://www.cdc.gov/coronavirus/2019-ncov/php/
principles-contact-tracing.html
https://www.reuters.com/article/us-health-
coronavirus-europe-tech/germany-flips-to-apple-
google-approach-on-smartphone-contact-tracing-
idUSKCN22807J
https://www.research.ox.ac.uk/Article/2020-04-
16-digital-contact-tracing-can-slow-or-even-stop-
coronavirus-transmission-and-ease-us-out-of-
lockdown
https://www.commerce.senate.gov/2020/4/wicker-
https://www.cdc.gov/coronavirus/2019-ncov/
community/guidance-business-response.html
See CDC Interim Guidance for Business and Employers
Responding to Coronavirus Disease 2019, May 2020;
and OSHA Guidance on Preparing Workplaces for
COVID-19
thune-moran-blackburn-announce-plans-to-
introduce-data-privacy-bill
https://www.eeoc.gov/wysk/what-you-should-know-
See
about-covid-19-and-ada-rehabilitation-act-and-other-
eeo-laws
https://www.cnbc.com/2020/05/06/pwc-is-
building-coronavirus-contact-tracing-software-for-
companies.html).
IN THE PROFESSION
Certainly, the details and overall context of a person’s
profession can affect whether that person is more likely
to come into contact with a communicable disease or
intrusive data collection, but that person’s title alone
makes no difference. Similarly, and consistent with
the spirit behind this article which covers data privacy
and employment-based concerns, the type of law we
practice does not always matter in this day and age
when it comes to data privacy and cybersecurity – the
moment we think it does not affect our practice is the
moment we find ourselves years behind the curve.
www.atlantabar.org THE ATLANTA LAWYER 23