How franchises should handle COVID-era data privacy

A front desk associate stands behind a glass barrier and greets customers with a masked smile at The Lash Lounge of Frisco, Texas.

As businesses are starting to reopen, most brands are implementing new technologies and procedures to keep employees and customers safe, such as taking temperatures and using social distancing apps. Dave’s Hot Chicken is even using a hand-scanner technology called PathSpot to determine if employees are properly washing their hands. But how should brands navigate the potential data privacy issues that can arise from collecting employee health information?

Meg Roberts became CEO and president of semi-permanent eyelash extension franchise The Lash Lounge in 2018. In addition to providing personal protective equipment such as masks and gloves for employees, The Lash Lounge started strategically staggering appointments and using an ultraviolet light to sterilize the salons at night.

Contactless thermometers are also used to take temperatures before employees walk in the building. Temperature information is only recorded if the employee has a fever, in which case they’re also sent home. Most Lash Lounge salons, however, are about 900 square feet, and if there are five employees working and one isn’t there, the reason that the person was sent home after a temperature check at the door becomes obvious.

"It goes back to the idea of being well-intentioned, trying to make intentional plans that serve and provide the greatest safety protection and privacy, but they’re not necessarily mutually exclusive," Roberts said. "I hope our boards, advisers and legislators realize, as business owners we want to do the right thing and uphold certain statutes, but the fluidity of what is right and what is possible needs to be considered with a more open mind and not just a broad brush, because not every business is the same physical size or has so many employees that you wouldn’t go unnoticed."

Though states differ on rules about taking employee and customer temperatures, Roberts is requiring all Lash Lounge franchisees to ask for and get temperatures of employees and refer to state guidelines on keeping records. She is also giving ‘zees permission to refuse service to customers who won’t allow their temperature to be taken.

"We’ll have some bristling around that for sure, but we’re OK with that," Roberts said. "Balancing safety and privacy is a new aspect of what so many of us are facing, and we cannot sacrifice safety nor should we suggest that all privacy is no longer relevant."

Advice from HR

Sarah Diehl, a human resources executive and founder of Empowered Hospitality in New York, recommended that companies administer COVID-19 screenings outside of the facility if possible.

"In doing so, you can potentially avoid an awkward situation where an employee is visibly sent home," Diehl said. "Furthermore, if companies can encourage employees to self-test and monitor their own symptoms before reporting to work, that can help as well."

Employee files should be kept separate from any health information, Diehl said. Limiting the circle of leaders who have access to that data is also crucial, in addition to designating and training a person or a few people to be the sole personnel administering the screenings.

"If it’s a small business, the manager or owner can be trained by an outside expert on the area and be responsible for all screenings," Diehl said. "It would be ideal to select a smaller number of people to take the lead on this effort to ensure accuracy and privacy."

Recording a simple pass/fail on employee temperatures can also help limit the amount of health data recorded. Non-critical data should not be recorded, and critical data collected should be carefully stored and protected, Diehl added.

Empowered Hospitality works with multiple attorneys who help it and its clients navigate potential data privacy issues, and Diehl strongly recommended franchisees consult with an attorney and their HR department if they aren’t doing so already.

Businesses should also establish a policy specifically to deal with the handling of private health information, an action that any size company can take, Diehl said. Companies should proactively review their insurance liability coverage and policies and partner with an insurance broker if they need assistance.

While Diehl and her team research technology solutions for their clients to help manage COVID-19 and related screenings, she advised maintaining a healthy sense of skepticism with new tech.

"We have to remember when it comes to employee info," business owners "are ultimately responsible, not the technology partner," Diehl said.

Working with a combination of resources such as multiple attorneys is the best approach, Diehl said, as there is a feedback loop where case law and the day-to-day implementation of those laws feed back into best practices for businesses.

"As we learn more, we immediately inform our clients, but the pace of info sharing has to increase given how quickly medical knowledge changes and the global environment is changing," Diehl said. "The reality is, this is a challenge for all of us to keep up with this, including attorneys. This has to be more of a collective effort than anything."

What if an employee tests positive?

An employer learns someone in their workplace tested positive for COVID-19. What do they do? What are their duties and rights, as well as limitations on those duties?

Mark Mathison, a labor and employment lawyer and partner at Lathrop GPM, said the consensus best practice is to let other workers know if they may have been in contact with an infected worker, but don’t reveal to coworkers the identity of the infected worker. However, nuance also needs to be considered.

"There is some balancing to be done here, and that balance might be different in this situation than before the pandemic—in particular, in terms of an employer’s general duty to provide a safe workplace," Mathison. "One might question, and I personally might question, if you tell me or if I learn that there has been an infected person in the workplace, but you didn’t come and tell me that I may have had contact with the person. You might have failed in your duty to provide a safe workplace, because you’re requiring me to rely on your knowledge of our interaction."

If an employee presses the point and asks who the infected person is to determine for themselves if they’ve had contact or not, it puts the employer in a tricky situation. Most legal advisers would say that employers shouldn’t reveal the identity, and that their duty is to the infected person, Mathison said, but employers also have a duty to other people in the workplace. He expects this issue will start to come up more often as companies are navigating potential outbreaks.

"The common laws of privacy are going to vary from state to state. If I reveal your private information under certain circumstances, I may have violated or committed invasion of privacy," Mathison said.

New technology is attempting to address some of these concerns. A social distancing app developed by New York-based consulting firm From, The Digital Transformation Agency, alerts employees if they’re within 6 feet of each other, with an alarm sounding until the workers return to a safe working distance. It also keeps a secure, private record of any accidental close contact between people using the app. In the case of infection, employers can then go back and access those incidents, then warn employees of their potential exposure so they can self-quarantine.

"Thinking about myself being the coworker who maybe is not told I had contact but others have, I would think" tracing technology "would increase my comfort level," Mathison said. "But it depends on the reliability, it doesn’t solve it."

The Human Element covers HR management, recruitment and training topics in each issue with a focus on solutions. Send story ideas to Laura Michaels,

comments powered by Disqus