Collecting Vaccination Status Exposes Organizations to Significant Privacy Risk

by Dan Clarke

While the status of an enforced vaccine mandate hangs in the balance, employers requiring employees to disclose their vaccination status or test on a regular basis have become widely prevalent, and this has created a number of privacy-related risks that most organizations may not be aware of or prepared for.

Vaccination status and testing results are considered highly sensitive and confidential medical information, which is held to a privacy standard different from other types of employee-related information. Collection also has the potential to step well beyond vaccination status, particularly when it comes to exemption-related personal information that could disclose things like religious beliefs, disabilities, sexual orientation, etc. And this information can significantly increase exposure to breach notification risks.

Getting Prepared

Regardless of whether a mandate is enforced, legal consultants are urging organizations to start preparing now, particularly those that haven’t previously had to collect this type of information about their employees.

“With the potential of some form of a mandate being enacted, whether it’s at the state or federal level, companies must start to prepare,” says Michael Hellbusch, partner at Rutan & Tucker, LLP. “As soon as systems move from voluntary to mandatory, it means mandatory use of some kind of vaccine credentialing system will be required, and that is something most organizations don’t have in place and maybe haven’t even thought about yet.” 

Employers, whether they’re required or choosing to implement a vaccination credential system, must understand the privacy implications and risks of verifying and storing that information. While collecting as little information as possible is always a good practice, there has yet to be a recognized standard put in place for verifying status; a photo of the vaccination record is the most common method.

As a result, many are either collecting and storing this information internally or outsourcing to a third-party digital platform or app. Internal collection has typically involved employees emailing credentials and other information to HR. There is a lot to consider from a privacy perspective with this approach:

  • Is all of the information collected necessary?
  • Do businesses have a data collection alternative to unsecured email? 
  • If files are retained, who has access to those files?
  • If files are stored electronically, where are those servers located?
  • Is this documentation maintained separately from other personnel files?

Emailing and other manual forms of collection are not optimal approaches, but are what many companies have resorted to. But even for companies using third-party digital platforms and apps, there are some precautions to consider: 

  • Who is reviewing this information? 
  • Who within the company has access to the system?
  • How does that platform or app maintain privacy and security? With many of the vaccine credential systems out there, it’s not always clear how privacy is achieved.

Understanding the Lifecycle of This Data

Understanding who is on the other end viewing and handling that personal information is incredibly important. Currently, in most states, there is no formal protection against vaccination data provided to credentialing systems being used for commercial marketing or other unauthorized purposes. This raised a red flag for the World Privacy Forum, which, back in August, urged the CDC to extend the protections that apply to healthcare providers to these systems.

In the meantime, however, it’s important for employers to do their due diligence: Understand how this information is being collected, what type of information is being collected, who has access to it and whether access can be restricted, and where it will be stored and for how long. Organizations must consider the entire journey of that sensitive information.

“This is extremely sensitive information and storing it is going to become a major challenge for most companies, especially since most are not equipped to collect and maintain the data,” says Jeff Sizemore, chief governance officer at Egnyte. “Most haven’t had to deal with this type of medically sensitive information in the history of their operations. There’s a lot more to consider beyond simply collecting this information from a submission form or email.”

Dan Clarke is president of Truyo, an automated consent and data privacy rights management solution.
