As the number of Covid-19 cases continues to rise around the world, many businesses are eager to get back to work and try to make up for the lost time. With the first signs of the pandemic subduing, we’ve seen organizations rush their staff back to the office, deploying different methods to protect employee health. One of the methods, whose popularity has gone up again, is contact tracing, or better said, contact tracing apps.
And while contact tracing apps can help curb the spread of the infection, they do create room for data mishandling and privacy infringements: where is that data stored and who governs it?
Contact Tracing App: An (In)effective Spin on an Effective Method?
Contact tracing has been around for quite some time. Back in 2014, it helped battle the outbreak of Ebola in West Africa, where medical teams were able to quickly find and identify all potential infections and prevent them from spreading the virus.
And while the method had a score of benefits, it brought along a number of implications that are more relevant today than ever, though in a slightly different fashion. What I have in mind here is that as a method, contact tracing first caused mistrust among the population of countries who were stricken by Ebola.
Some research claims that contact tracing was depicted as ‘putting other people on a death list’. And it’s easy to understand why. Contact tracing, at least in the case of Ebola and novel coronavirus, entails isolation, which in turn can easily slip into stigma, which then, in turn, causes people to mistrust medical teams who carry out contact tracing.
For fear of being labeled and put on a list and in isolation, people were not honestly reporting their contacts, which beats the purpose of contact tracing.
Fast forward to today. Unemployment has skyrocketed. People are afraid of losing their jobs. And if there’s suspicion of them being infected and that information getting out, there’s a chance they will try to avoid letting anyone know about it. There are numerous jobs that don’t cover for your skipping work to quarantine. If you can’t make it to work today, you’re out. That’s the fallibility of manual contact tracing.
And that’s where contact tracing apps aspire to help. There’s no mistake there, at least in theory. The proximity functionality will show whether or not you’ve been critically near someone who has the virus. The apps will serve and warn you on time to either isolate yourself or report for a medical checkup.
When applied to the workplace ecosystem, contact tracing aims to help employers protect their employees, by monitoring contact between staff and signaling for potential infections, while ensuring privacy.
At least, that’s how supposed to be. Some apps will not be using anonymized data; instead, they will store data on your movements and contacts and either store locally or in a centralised database. But the remit of one’s responsibility and ownership over that data is what should give us pause. Who’s to say there will be no discrimination against the infected?
“My Data!” Consumer vs Healthcare Information
The issue with using contact tracing apps for workplace monitoring is a lack of clear-cut distinction, at least on a global scale, between healthcare information and consumer information.
In Europe for instance, healthcare data will be considered such regardless of whether they’re used in a medical setting or not. On the other hand, protecting employee privacy works differently in the US. There, contact tracing apps can treat the data that have been collected as consumer data, which can then be used for other purposes, and distributed to other companies.
And the lack of this distinction is further complicated by the fact that in global scale emergencies, such as the current pandemic, the public sector remit expands significantly. Public agencies get authorities they otherwise don’t have, which in a way leads to less privacy protection of individuals.
Now, in a workplace setting, employers can use contract tracing apps to collect data but that data could be used, regardless of whether intentionally or unintentionally, for purposes other than just health protection.
So what can companies do here to ensure they’re working in compliance with a comprehensive body of state and federal laws including CCPA, OSHA, or HIPAA? Here are three pillars that you should based on your strategy on:
- Understand which laws regulate your industry, employee and employer rights, and workplace privacy. This is a comprehensive task, but, as an employer, you should try to be as compliant as possible, and go the extra mile if necessary. It’s likely that all these laws will evolve as we enter the post-pandemic world, and so you should do all in your power to be ready for new amendments.
- Ask for permission. Depending on your local laws, there might be a difference in terms of what you need to ask for, but it’s best you clearly explain to your employees what data you’d like to collect. Give them a chance to opt-in and understand it’s not mandatory.
- Document everything. As these laws change, records will become essential to prove compliance. So make sure you know how you track employees, where that data is stored, who has access to it, how long they will be retained, how it will be used, and so on.