As businesses welcome workers back into the workplace, employers must tread a narrow path between gathering information to protect their workers’ health and protecting their privacy, experts say.

Businesses must comply with federal laws, including the Americans with Disabilities Act, as well as state and even local laws that may be broader, they say.

The Illinois Biometrics Information Privacy Act and other comparable state laws may become a factor in plaintiff litigation, they warn. And depending on who is conducting employee testing, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, may also apply.

Meanwhile, there is growing interest in the use of contact apps that track employees’ locations, with one of the critical issues involving whether workers use their own or employee-owned devices.

Experts say businesses with cyber and privacy policies are likely to find coverage under their policies.

The situation is a matter of “really walking a tightrope between how do I protect people and making sure I don’t go over the edge into violating their privacy rights,” said Jena Valdetero, a partner with Bryan Cave Leighton Paisner LLP in Chicago, who co-leads the firm’s data privacy and security team and heads up the firm’s data breach response team.

“I always tell people that it’s an unprecedented time right now,” said Karla Grossenbacher, a partner with Seyfarth Shaw LLP in Chicago, who focuses on compliance issues and defending claims.

Employers “are able to make inquiries and conduct medical exams in a way that most people have never seen before,” but “everyone needs to keep in mind it doesn’t mean employees’ privacy rights are diminished,” she said. “It just means the balance has swung in favor of this type of activity” for now, and there is the risk that once the pandemic is over people will file claims if their privacy was not respected.

A complicating factor is the variety of privacy laws. They differ “state by state, county by county, and sometimes city by city,” so the liability risks will vary, said Michelle A. Reed, a partner with Akin Gump Strauss Hauer & Feld LLP in Dallas, who is co-head of the firm’s cybersecurity, privacy and data protection practice.

The ADA “already requires that you keep medical information separate from the public information, so it shouldn’t be stored in personnel files and co-mingled with other data,” Ms. Valdetero said.

Another concern is violating the federal Genetic Information Nondiscrimination Act if questions are asked about workers’ family members with whom they have been in contact, said Tom Hams, Chicago-based managing director and national employment practices liability insurance practice leader at Aon PLC.

Employers should also keep in mind BIPA and similar state laws, Mr. Hams said. In light of the legislation, it is likely employers will want to obtain employee’s consent to retaining information.

“Employers should always be transparent, communicating what they’re collecting and why, and what will be done with it,” said Talene Carter, New York-based national employment practices liability product leader for FINEX North America at Willis Towers Watson PLC.

Ms. Grossenbacher said employers should ensure there is some privacy included in processes to collect temperatures and other information that determines whether employees have symptoms of the virus.  Symptomatic workers must be allowed a path out “that doesn’t march them past their colleagues, and the same confidentiality restrictions apply,” she said.

Another challenging issue for employers is if they learn a worker has become sick with COVID-19,  they cannot reveal the ill person’s identity when they reach out to other workers with whom the employee may have come into contact.

Firms must also decide on whether they use contact apps to track and identify people who might have been exposed when someone tests positive. According to news reports, countries including Australia, China, Norway and Singapore have introduced the apps and others are considering them.

“A number of our clients are asking about it,” said Kelly Geary, New York-based national practice leader for executive risk and cyber with EPIC Insurance Brokers & Consultants.  

“The apps are really powerful public health devices and also have very significant countervailing privacy concerns,” although many of the latter may be addressed by obtaining workers’ consent, Ms. Reed said.

Ms. Geary questions how effective such apps will be. There is a tendency in some instances “to just jump into technology, and sometimes it makes sense and sometimes it doesn’t” as a way to solve problems.

Ms. Carter said the No. 1 concern with the use of apps that track employee’s location is compliance with the ADA and state or local laws. 

“It seems quite intrusive,” so consideration must be given to how it is introduced and perceived by employees, how it will impact morale and “is it really necessary?” Ms. Carter said. “Is it more intrusive rather than really addressing a legitimate business concern?”

“How do you allay (employees’) privacy concerns?” asked Petula Workman, Rolling Meadows, Illinois-based, division senior vice president, compliance counsel, of the legislative compliance consulting practice within Arthur J. Gallagher & Co.’s benefits and human resources consulting division. “How do you put it in the context of helping them?” she asked.

Experts say requiring employees to download the apps on their own phones is more problematic than if workers use employer-owed devices.

This “becomes a lot trickier, and that definitely needs to be evaluated closely to make sure you’re not violating any privacy laws,” Ms. Carter said.

In addition, some states have restrictions on the ability to track other individual’s locations, Ms. Grossenbacher said.

Employers should create a policy and train their employees on it, Ms. Reed said. “It’s really critical that they consider what information they take and how they maintain it,” she said. 

“Minimizing the amount of data you collect makes sense,” Ms. Reed said, by, for instance, not collecting any data on those who do not have a high temperature.

Collected information should also be kept secure. Ms. Reed said some of her clients have chosen to keep the data on paper, and others on a secure, encrypted laptop. “Obviously, if it’s going to be digital” the information should be encrypted, and if on paper, maintained in a lock box, she said.

Companies that collect the information must have strategy on when they will destroy it, “so that it doesn’t exist in perpetuity,” Ms. Valdetero said. “There’s no reason to keep it once the pandemic is over.”

Experts say cyber and data privacy policies are likely to provide coverage in the event of claims.

Ms. Geary noted that before the pandemic, insurers were beginning to add biometric exclusions to their employment practices liability policies.  “I can see how biometrics would get a little boost” in light of the pandemic, she said. “It’ll be interesting to see how the insurance markets respond to that.”