June 05, 2020
A bipartisan group of Senators introduced a bill that would create data privacy requirements for employers around COVID-19 tracking and tracing efforts.
"The Exposure Notification Privacy Act's (ENPA) lack of an explicit exemption for employee data means that employers could be considered to be covered 'operators' if they avail themselves of certain technologies in their efforts to provide a safe workplace," notes Harriet Pearson, Privacy Counsel for HR Policy Association.
Notably, the bill is narrower in scope than either the Republican COVID-19 Consumer Data Protection Act or the Democrat Public Health Emergency Privacy Act in that it focuses on providing privacy and security protections for the use of an "automated exposure notification service" (e.g., a website, mobile OS, or website app or mobile app for digitally notifying individuals who may have been exposed to an infectious disease). The previous bills covered a much broader range of data collection.
Several other items worth noting:
Employers are exploring and implementing privacy-sensitive analytic applications and support services to ensure safe workplaces. This week, HR Policy members convened to discuss such solutions in detail. Legislation that imposes new requirements could delay their deployment—or decrease their effectiveness—just as employers are looking to both protect their workers and reopen workplaces.
Legislative outlook: Senate Commerce Ranking Member Maria Cantwell (D-WA) and Sens. Bill Cassidy (R-LA) and Amy Klobuchar’s (D-MN) bill is the third introduced to apply data privacy requirements around COVID-19 tracking and tracing efforts. The Republican’s effort under Senate Commerce Chair Roger Wicker (R-MS), in contrast to the ENPA, would not cover employee screening data. A third democratic bill would also cover employment screening data. HR Policy has been active in advocating for a solution that allows employers to ensure the safety of their workers and workplaces.