Insights
Under US law, can an employer share the name of an employee infected with a contagious disease with other employees?
Mar 30, 2020Nothing within the CCPA inherently prohibits an employer from sharing the names of employees that have been infected with a contagious disease with other employees who may have come into contact with the infected employee and, as a result, might take preventative measures (e.g., self-isolation). The CCPA arguably requires only that the business take the following steps:
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure of the identity of an infectious employee would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with third parties (which, of course, would include fellow employees) for the purpose of protecting employees, protecting the public, or protecting other individuals.1
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”2While it is not certain whether disclosing to an employee the name of an infectious person would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with employees to promote health and safety.3
It is important to note that other federal or state labor and employment laws may preclude a business from sharing the identity of a potentially contagious employee with other employees without the infected employee’s consent. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”4 Although this confidentiality requirement is subject to certain exceptions, there is currently no exception for providing an employee’s confidential medical information to other employees for purposes of promoting their health and safety. As a result, if an infectious employee was recently around other employees many employers try to inform the employees that are at heightened risk that they have been exposed without specifically identifying the individual that exposed them.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide.
1. CCPA, § 1798.100(b) (requiring a business to provide information concerning the “purposes” for which information collected will be used).
2. CCPA, § 1798.130(a)(4)(C)
3. CCPA, § 1798.130(a)(4)(C) (requiring that in response to an access request a business disclose the categories of information shared for a business purpose in the preceding 12 months and the categories of third parties to whom it was shared).
4. 29 C.F.R. 1630.14(d)(4).
Related Practice Areas
-
Data Privacy & Security
-
California Consumer Privacy Act
-
Retail & Consumer Products