TOP TIP: Privacy Implications of Workplace Temperature Screening
Federal government agencies, including the Centers for Disease Control and Prevention and the Equal Employment Opportunity Commission, and many state and local governments have approved of the use of temperature screening as part of a business’s return-to-work strategy during the COVID-19 pandemic. Businesses deciding to implement temperature screening are presented with a variety of contact and non-contact temperature-taking device options, but the use of these may implicate privacy issues.
Non-contact thermometers include non-contact infrared scanners, thermal imaging devices, and wearable devices. The Food and Drug Administration states that one of the benefits of thermal imaging devices is that the person operating the device is not required to be physically close to the person being evaluated. However, it is important for businesses to be aware of the privacy issues that may arise from non-contact thermal imaging systems that use facial recognition.
Biometric data concerns. Thermal imaging systems that use facial recognition may collect personal information that is regulated by privacy laws in various states. Many of these state laws, like Maryland’s Personal Information Protection Act, define “personal information” to include biometric data. These state laws generally require businesses collecting and storing personal information to notify all affected individuals in the event of a data breach. Some, like Illinois, may also require employers to provide notice and obtain consent to collect biometric data.
As a general rule, an employer should not collect any personal information beyond what is needed by the business. Employers deciding whether to select a thermal imaging system that uses facial recognition should consider the following questions:
- Will the use of the device implicate any privacy laws in the states where the employer operates?
- Is biometric data collected by the device?
- Does the employer need all of the information, including biometric data, that is collected by the device?
- Does the employer need to provide notice and obtain consent to collect biometric data?
- How the information is stored?
- Is the information shared with third parties?
- Does the company selling the device have a history of information security issues?
- Is the business prepared to respond in the event of a data breach? (Many states have laws setting forth required actions in the event of a breach).
Medical information privacy concerns. It is also important to note that taking the temperature of an employee is a medical examination under the ADA and the temperature must be kept confidential. Thus, an employer must consider the following:
- Can the employer ensure that the taking of an employee’s temperature is not observable by others waiting to be screened?
- Will the employer use an employee or outside vendor to take and record employee temperatures?
- If an employee is assigned to take co-worker temperatures, has the employer trained the employee on the need to maintain confidentiality of the results, including any written log?
If an employer chooses to keep records of its employees’ temperatures, has it arranged for the information to be maintained confidentially and securely, apart from regular employee files?