SHOULD YOUR COMPANY IMPLEMENT A CONTACT TRACING TOOL IN THE WORKPLACE?
Stopping the spread of the coronavirus is critical to overcoming the COVID-19 pandemic. As companies prepare for a return to the workplace, many are considering contact tracing measures. Contact tracing entails the identification of individuals who have been in close contact with someone who has tested positive for COVID-19, during the time in which that individual was likely infectious. In the news of late, there is much discussion on the use of contact tracing technology by governmental organisations (e.g. Singapore, Australia and Israel) to help prevent the spread of COVID-19, but this technology is also being developed for use by employers in the private sector.
A contact tracing tool generally comes in the form of an “app”, relying on GPS/location data and/or Bluetooth to alert the user if he or she has been in contact with an individual who reported a positive test result for COVID-19. These apps are usually connected to an employee’s smartphone, or a “wearable” such as a bracelet or badge.
While the appeal of this technology is clear, employers must carefully think through a range of issues before the implementation of a contact tracing tool in the workplace. Here are a few key issues to consider:
- Whether use of the tool will be mandatory or voluntary;
- Whether there will be any limitations on the hours the tool will track employees;
- What data the tool will collect;
- Who within the organisation and/or at a third party will have access to data;
- How and where data is stored (e.g. on an external server/cloud or on an employee’s device);
- What policies are in place to ensure data privacy and security;
- How long data will be retained for;
- Review of data privacy and security, health and employment laws in countries where your business operates.
Here is a roundup of mandates, guidance and other resources from across the globe to help navigate contact tracing technology:
- The European Commission issued its Guidance on Apps supporting the fight Against COVID-19 pandemic in relation to Data Protection, “to ensure a coherent approach across the EU [European Union] and provide guidance to Member States and app developers” relating to “features and requirements which [contact tracing] apps should meet to ensure compliance with EU privacy and personal data protection legislation, in particular the General Data Protection Regulation (GDPR) and the ePrivacy Directive.”
- In the United States, a key feature of the White House’s Opening Up America Again Guidelines is the inclusion of several “core state preparedness responsibilities” that each state should be able to adhere to before removing COVID-19 restrictions. The White House plan suggests that employers should “[d]evelop and implement policies and procedures for workforce contact tracing following employee COVID+ test [results].” In addition, the U.S. Centers for Disease Control and Prevention (CDC) published a COVID-19 Contact Tracing Training Guidance and Resources Plan (strategies for implementing contact tracing standards and practices in the workplace, suggestions for policy improvements, and resources to consider when designing a company-specific training plan for COVID-19 contact tracers), a booklet on the basic principles of contact tracing tools, as well as a fact sheet discussing different types of digital contact-tracing tools.
- In Australia, the Attorney General is considering a draft bill that would include significant penalties for misuse of data collected through the country’s COVID-19 contact tracing app (among others, breaching these requirements will be a criminal offence). The app has been downloaded more than 5 million times since its release on 26 April. Serious infractions related to misuse of the COVIDSafe app include collection, disclosure or use of data outside public health authorities’ contact tracing purposes, and uploading the information without an app user’s consent.
The advantages of these technologies can be substantial, quickening an organisation’s path to compliance and opening its doors for business. However, organisations should proceed with care and examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk.