Better Business Bureau advises employers on contact tracing privacy, cybersecurity
PORTLAND, Ore. (KTVZ) -- Better Business Bureau Northwest + Pacific is alerting employers to cybersecurity issues associated with COVID-19 contact-tracing solutions.
Interest in COVID-19 monitoring is growing as employers grapple with appropriate measures to keep their employees and customers safe and avoid workplace outbreaks.
“Safeguarding privacy is important for business,” said BBB NW+P CEO Tyler Andrew. “Protecting personal information applies to both customers and employees and can be done in a way that also creates a safer place to work in the era of COVID-19.”
Tracking and contact-tracing solutions are being considered and implemented throughout the country to help contain the spread of the coronavirus. High-tech solutions include smartphone applications that employees can download, which will track and store proximity data or use other means to determine location.
If a user is diagnosed with COVID-19, data collected by the smartphone app can be used to trigger notifications to other employees (and outsiders) who have crossed paths (within six feet) with the infected person.
While tracing apps are sophisticated and not all employers want or need such technology, businesses are being encouraged to find simple ways to monitor and track employee health and workplace exposure.
For instance, some employers are mandating employees use a no-touch digital thermometer and fill out a symptom questionnaire every day before entering the office.
The resulting employee data may go to a central repository, typically accessed by an HR rep. Small businesses or professional offices that are able to log information about individual customers may be expanding symptom monitoring to include customers as well.
As procedures and technology to track COVID-19 and trace contacts advance, privacy and security issues loom. It is the employer’s responsibility to understand how all employee data that is collected by any means will be protected, stored, used, and disposed of.
BBB encourages employers to think about privacy and cybersecurity questions their employees may have, including:
· What information do employees receive upfront about tracking or contract-tracing?
· What information do employees receive in connection with a suspected exposure?
· How is the data stored securely and for how long?
· If using a mobile phone tracer app, what permissions does it need and why?
· Who has access to the collected data?
· How is the data used to inform community-wide health decisions?
While it is legal for employers to mandate their employees get tested for COVID-19 before returning to work, take daily temperatures, and participate in contact-tracing solutions, companies need to tread carefully when documenting and storing personal health information.
Legal experts warn that asking employees to disclose health information, especially if they are asymptomatic, could be challenged and open the company up to legal liability.
Other considerations agreed upon by BBB and consumer protection agencies include:
· Using anonymous, aggregate location data for public health purposes to sidestep many of the privacy concerns related to tracking individuals’ location. For example, if a consumer has granted you permission to use their location data, nothing would prohibit you from disclosing a heat map of average distances travelled for public health purposes.
· If you tell consumers you’re collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over. This idea of “purpose limitation” or “use limitation” has been a standard tenet of privacy norms over the years
· There are many engineering tools that can preserve consumer privacy while getting the data you need to combat the coronavirus. For instance, researchers have developed decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
To be successful, employers should educate their employees about any tracking and contact-tracing solutions they put in place, including how notifications look, what questions they will be asked, and how the information will be used.
This is critical to not only assess data-privacy issues and concerns, but to prevent employees from being conned by fake contact tracer scams that have recently been reported to BBB.
ABOUT BBB: For more than 100 years, the Better Business Bureau has been helping people find businesses, brands, and charities they can trust. In 2017, people turned to BBB more than 160 million times for BBB Business Profiles on more than 5.2 million businesses and Charity Reports on 11,000 charities, all available for free at bbb.org. There are local, independent BBBs across the United States, Canada, and Mexico, including BBB Northwest & Pacific, which serves more than 15 million consumers in Alaska, Washington, Idaho, Oregon, Montana, Hawaii and Western Wyoming.