Privacy Law
Privacy Considerations for Employers Collecting Employee Vaccine Data
By Brett D. Cook and Oliver Kiefer
With the rise of the highly contagious Delta variant, employers across the United States are increasingly concerned with collecting and recording COVID-19 vaccination information from their employees. In the United States, vaccine information may be legally collected for several reasons, including where required pursuant to state law. For example, California currently requires employers to document the vaccination status of fully vaccinated employees if the employees do not wear face coverings indoors. Differing federal and state employment laws and regulations require a carefully tailored approach to vaccination data collection.
Varying state laws have injected uncertainty into the collection of vaccination information as employers seek to reopen traditional workplaces and comply with applicable public health and privacy laws. Nonetheless, foundational privacy principles can be used to mitigate risk. In general, employers should (1) define the purpose of collection, (2) define how data will be used, (3) determine how long data will be retained in accordance with retention policies/laws, (4) determine who will have access to the data, and (5) implement appropriate security measures to safeguard information.
In the United States, the Equal Employment Opportunity Commission has provided guidance regarding the collection of an employee’s COVID-19 vaccination status by their employer. Businesses that collect this information should consider whether it is required to be treated as confidential medical information under the Americans with Disabilities Act, which would require the data to be kept confidential and stored separately from the employee’s personnel files. Thus, broadly speaking, federal law does not prohibit employers from reasonably and responsibly collecting vaccination information from their employees.
In California, employers should consult the California Department of Industrial Relations Division of Occupational Safety & Health’s (CAL OSHA’s) Model COVID-19 Prevention Program, which provides a framework for compliance with the most current Emergency Temporary Standards in place for COVID-19. The Model COVID-19 Prevention Program contains a template that can be used to track employee vaccination status. It also provides guidance regarding how employers should document employee vaccination status.
However, not all states have adopted the same approach as California. In Florida, for example, Governor Ron DeSantis signed an executive order on April 2, 2021, that prohibited businesses in Florida from requiring so-called “vaccine passports.” These “passports” are shorthand for any piece of documentation that would allow businesses to determine whether a customer was fully vaccinated against COVID-19. Left unclear, however, was how the executive order regulates vaccine data that businesses collect from employees. Florida also has not addressed how employers should treat that data, once collected. Despite this lack of guidance, at least one Florida county has determined the executive order does not prohibit it from mandating that county employees show proof of vaccination. The executive order is also currently facing a challenge in the courts.
As outlined above, this area of privacy law is rapidly changing, and regulations vary substantially across the states. Compliance is critical for all employers given the high stakes at issue. Risk can be limited by working with regional attorneys and privacy leaders to identify legitimate reasons for vaccine data collection before collecting employee vaccine data and collecting the minimum amount of data necessary.
Brett D. Cook is Privacy Counsel for ServiceNow, where he advises on regulatory requirements and cybersecurity best practices. Previously, he worked for Wells Fargo, Uber Technologies and the U.S. Navy. During his Navy career, Brett held roles as Associate General Counsel, General Counsel and Chief Privacy Counsel. In addition, he deployed as Chief Counsel for a carrier strike group where he counseled senior leaders regarding international law, data privacy and regulatory compliance. Brett holds a Juris Doctorate from the University of California in Los Angeles and an LL.M. in National Security/International Law from Georgetown University Law Center.
Oliver Kiefer is a litigation and regulatory associate at DLA Piper LLP (US) in San Diego. He holds a CIPP/US certification from the International Association of Privacy Professionals.
This article reflects the thoughts and opinions of the authors and not their law firms and/or employers.