In the wake of COVID-19, businesses have a host of health regulations and recommendations to consider before they resume in-person activity. Some employers plan to screen for symptoms, including regular thermal testing (or temperature taking) of employees and site visitors before those individuals enter a facility. In the U.S., there are states that are requiring employers to conduct thermal tests of their employees as part of their reopening plans,1 while others are recommending it as a best practice.2 Internationally, guidance regarding thermal testing also varies, but the process is nevertheless being used by businesses around the world in an attempt to foster a safer work environment and to absolve potential legal liability associated with the pandemic.
In addition to employment and health and safety law concerns, none of which we address in this Blog post but which our firm has covered here and here, employers should also be aware of privacy law considerations related to thermal testing, especially because thermal data may be categorized as “sensitive” or as a “special category” of information under certain privacy laws, such as under the EU’s General Data Protection Regulation (GDPR). This means that employers should consider whether they are checking the right boxes from a privacy law perspective regarding the collection, use, dissemination, and disposal of thermal data.
While specific obligations for thermal tests may vary by jurisdiction, below are a list of best practices that employers should consider from a privacy law perspective when conducting thermal tests of employees and others. The list below is not intended to be exhaustive; rather, it should be used as a starting point for employers that are looking to implement thermal testing in a way that complies with various privacy rules that may be applicable to them.
- Provide appropriate notice. Businesses should provide notice to employees and site visitors prior to collecting their thermal data. Ideally, this notice should also be given to employees periodically and be readily accessible as a resource. The notice should state what information will be collected and the purposes for its collection and the fact that the individual’s temperature will be deleted immediately after it is collected (see No. 5 below). To the extent that a business chooses to retain an individual’s thermal data (for instance, if a test indicates that a visitor might be sick), the notice should provide additional information, such as how the information is stored, the fact that the information will not be shared with any other third party (if this is the case), and that the collection and storage of this information is subject to protection under the jurisdiction’s data privacy laws, if applicable. Businesses should also note that additional content in these notices might be required under specific privacy laws, such as the GDPR or the California Consumer Privacy Act (both of which have broad definitions of “personal data” or “personal information” and likely apply to thermal data).
- Obtain consent, if possible. Some privacy laws may require you to obtain consent when it comes to processing sensitive personal information like thermal data (or may require consent for collecting personal information in general). It is possible that consent may be implied in some jurisdictions based on the fact that the employee or on-site visitor is actively taking the thermal test. Still, explicit and informed consent is likely the best approach, especially in situations where thermal data is considered a special category of information and the business is relying on explicit consent as its proper legal basis for processing (as may be the case under the GDPR). Even in jurisdictions where consent is not required, obtaining consent (especially for employees whose medical information may be subject to additional regulations) can offer businesses an extra layer of protection.
- Check all the boxes. Certain privacy laws require more than others in terms of the steps that a business must take in order to properly process information, especially sensitive information like thermal data. Under the GDPR, for example, a business generally needs a legitimate basis to process data in the first place. With regards to thermal data (which is likely considered a “special category of information” that receives further protection under the law), a business may need to take additional steps in order to ensure that its processing is legitimate. This could include conducting a data protection impact assessment that identifies the proposed activity and its associated data protection risks, whether processing the data is necessary and proportionate, mitigating actions that can be implemented, and a plan or confirmation that mitigation has been effective.
- Practice data minimization. Data protection authorities will likely be understanding of a business’s need to collect sensitive information to ensure the safety of their workplace during a global pandemic. They will be less forgiving, however, if a business collects a litany of information that is unrelated to this well-intentioned purpose. To the extent possible, businesses should only collect the information they need to conduct thermal testing.
- Dispose of the data immediately and only store the information when absolutely necessary (and with appropriate safeguards). Whereas our previous guidance noted that OSHA guidelines require employers to retain records when health tests are conducted by health care professionals, data resulting from thermal tests conducted by employers (or other workforce members) do not need to be stored, and should be immediately deleted. Even with regards to employees or visitors that have a high temperature (one that crosses a threshold for entry), there is still likely not a need to store the thermal data itself. Employers can deny entry, recommend quarantine for two weeks (or whatever the internal policy or regulatory requirement is), and then test again the next time the employee or site visitor attempts to enter the premises. This avoids legal obligations associated with storing sensitive information.
- Limit sharing. To the extent that a business stores the thermal data that it collects (on employees or otherwise), it should be careful not to share this information with any third party (except as required by law). Even internally, thermal data should only be shared on a need-to-know basis. To the extent that a business uses a third-party vendor to administer thermal tests, it should ensure contractually that the vendor cannot use the data for its own purposes or further share the information that it collects.
Again, there is no one size fits all approach to conducting thermal tests, especially since the rules in this area are rapidly changing. We will continue to monitor updates and can provide clients advice with regards to their business’s specific reopening plans and goals.
1 See Arizona, Georgia, Idaho (for select businesses), and Colorado (if feasible, otherwise employees self-screen), among others.
2 See Maryland, North Dakota, and Oregon, among others. We also provided guidance on Massachusetts’s reopening guidelines, which included testing recommendations/requirements.