The New Face of Employee Workplace Surveillance and Monitoring in the Age of COVID-19

Employers and employees are bracing themselves for a new heightened level of surveillance in the workplace not seen since the aftermath of 9/11. These new measures will leverage advanced technologies such as artificial intelligence and deep learning, and they will have privacy and security implications for employers and employees alike. 

Employers are purchasing new technology solutions, as well as repurposing existing technology, such as surveillance cameras already in place. Many new surveillance measures and tools include several advanced techniques, such as:

  • Thermal cameras that measure body temperatures.
  • AI cameras that monitor employee proximity and social distancing and issue alerts in real time.
  • Smartphone apps that trace employee contacts and proximity to other employees in the office, and alert managers to problematic circumstances.
  • Categorizing employees into separate groups based on health risks.
  • Detailed mandatory disclosure of personal health information, including about family members.
  • Questionnaires, temperature checks and other health screening upon entering a building.
  • Markers on the ground to designate appropriate distancing for waiting and foot traffic.
  • Smartphone apps that "pre-check" an employee's health before coming to work.
  • Creating a "floor-safety coordinator" for a "boots on the ground" presence.

As states begin to lift stay-at-home and work-at-home orders and employees prepare to return to work, more than 80% of landlords and office managers are already planning design changes to address surveillance and social distancing, according to a study of 400 participants by VergeSense, a San Francisco-based property-technology (proptech) company.

[Figure not reproduced. Source: VergeSense and Wall Street Journal]

If you were in the workforce after 9/11, you likely remember when building security was ratcheted up in response to the emergency, with measures such as turnstiles in lobbies, front desks for ID cards and photographs, visitor ID badges, and screening for bombs. What was once unsettling and sometimes an annoyance shortly became commonplace. The same is occurring in response to COVID-19, but with heightened surveillance, use of technology, and previously unheard-of intrusions into personal privacy. While most workers likely will get used to these new measures, the transition is guaranteed to be a bit rocky - more for some employers than others.

The question then becomes how best to ensure safety and comply with the law without venturing so far over the line as to severely impact employee morale. Generally speaking, federal and state laws are not particularly specific or detailed with respect to the legal parameters for employee and workplace monitoring. In the U.S., the overriding factor is an employee's "expectation of privacy."

For example, several of the proptech solutions have functions or purposes to map and trace an employee's or visitor's exposure to coronavirus (commonly referred to as "contact tracing"), which is widely accepted as not only advisable, but a requirement under some federal and state reopening guidelines. Contact tracing is the process of identifying who an infected individual has been in contact with recently so that those individuals can be notified and take appropriate isolation and quarantine actions. On May 14, the CDC issued new guidance on the reopening of businesses in the form of decision trees for different industries, such as restaurants, schools and office-based workplaces. See Foley's guidance found here. The workplace guidance stresses ongoing monitoring.

[Figure not reproduced. Source: CDC]

Contact tracing is a critical aspect of the pandemic recovery and reopening, and is part of the CDC's multipronged approach to fighting COVID-19. CDC guidelines state that contact tracers should identify people who were within six feet of an infected person for at least 15 minutes starting from 48 hours before illness onset until the time the patient is isolated. These "contacts" should be warned "of their exposure, assess their syndromes and risk, and provide instructions for next steps." 

The tension then becomes how an employer can effectively contact trace without violating an employee's expectation of privacy. For example, employees may be uncomfortable or embarrassed to disclose to their employers all persons they have had contact with (e.g., affairs, visits to taboo stores or shops, etc.). Without a realistic and detailed plan to handle confidentiality and disclosure of the information in accordance with the law, employers face not only legal challenges from employees for invasions of privacy, but also employees who may be strongly tempted to lie or withhold information.

As we know from years and years of litigation involving the "invasion of privacy" concept, the standard for when an employee crosses the line is not clear and can vary widely depending on the facts and circumstances of the situation, applicable state laws, and the decision makers in the particular incident. Complicating the compliance and risk analysis are federal and state privacy and security laws, such as HIPAA, the ADA with respect to individuals with disabilities, the Family Medical Leave Act and state biometrics laws (with Illinois' law being the most stringent, permitting employees to sue for violations).

While the temptation on the part of the employer and the employee will often be to identify the affected individual, generally speaking, and whether or not the organization is covered under HIPAA, the identity of the individual should not be disclosed to potentially infected employees without consent from the infected employee. Often the identity will become apparent; however, unless the employer obtains the infected employee's consent, the employer should not be the one providing that information. Under certain circumstances involving potentially significant threats to public health and safety, it is generally permissible (and often advisable) to disclose the identity of an infected individual to public health authorities, such as federal, state or local agencies or authorities charged with public health and safety responsibilities, or if required by applicable law. For example, OSHA's position is that employers must report to OSHA any confirmed COVID-19 illness diagnosis that both (i) is work-related and (ii) involves OSHA general recording criteria, such as medical treatment beyond first aid or days away from work.

While surveillance and monitoring at the workplace have been in place for many years and are generally legal in many circumstances, the boundaries of surveillance and monitoring of an employee while away from the workplace have not been significantly tested, particularly in the context of a pandemic and widespread at-home and other remote working. For example, what about an app an employer uses to track the employee's movements while away from the workplace to assess potential risks (e.g., an employee who frequently goes out to restaurants and bars at night will be more likely to contract the virus than a "homebody" employee)? Or a questionnaire that asks where the employee has been when not at the workplace? Finally, how long should enhanced surveillance and monitoring measures stay in place after the virus has dissipated?

To deal with these issues, office-based businesses should consider some or all of the following steps, keeping in mind that the vast differences in infection rates geographically, business sizes, employee density, customer interaction, etc. do not allow for a one-size-fits-all solution.

  • Screen employees for signs and symptoms of the virus daily before entering the company's facility, making sure to update those screening questions/efforts based on the most up-to-date guidance.
  • Strongly encourage employees showing signs or symptoms to stay at home and consider being tested, based on current testing guidelines.
  • Have contingency plans in place for increased absenteeism and/or continuation of remote work where feasible.
  • Notify public health authorities of significant outbreaks or troubling developments.
  • Communicate constantly and consistently with employees regarding actions being taken by the company to deal with the virus, and in particular, any significant changes in infection rates or absenteeism (without identifying infected employees).
  • Strongly encourage and enforce social distancing, including layout and design to workspaces, such as increased spacing between work areas and during meetings, limiting close clustering of individuals, staggering shifts, limiting large events, etc.
  • Consider whether to close employee break rooms and/or coffee bars. If coffee bars remain open, use only disposable cups, plates, plastic ware, etc.
  • Use a flexible leave policy for those experiencing signs or symptoms, or testing positive.
  • Train and educate all employees on appropriate hygiene, handwashing and masks where appropriate, including providing hand washing stations and/or hand sanitizer.
  • Increase cleaning and disinfection both before and after reopening.
  • Consult your legal counsel regarding the legalities of your workplace surveillance, monitoring, contact tracing, and reporting activities.
  • For use of third-party technology solutions, and particularly if health or other sensitive data will be accessed or stored by the service provider (e.g., cloud-based solutions), ensure appropriate data security and privacy compliance due diligence of the service provider and include protective contractual provisions such as explicit confidentiality, privacy, and data security requirements, warranties, indemnification, and exclusions from contractual limitations of liability.

A proactive approach that incorporates privacy and security by design (on the front end) will significantly enhance a company's legal compliance and mitigate the risk of legal actions, claims, regulatory enforcement, damage to reputation and other risks and hazards of legal non-compliance. Such an approach should take into account not only legality, but also the company's philosophy and "personality" when it comes to employee monitoring and surveillance - particularly if measures will or could be tracking or soliciting information about employees' activities outside of work. The company should proactively address this issue with employees, or at a minimum, be prepared to provide a transparent response to employees when these questions arise.

Originally published 15 May 2020
