It's important to maintain data privacy around health and personal information while building employee trust to reopen safely. Here's how to do it.
Editor’s note: Paula Goldman co-authored this article.
Overnight, our expectations for our relationships with our employers and companies we work with have evolved. Today, we ask new questions of organizations like, “can I trust this company?” as an employee, customer, and citizen to protect my safety and the safety of others? In normal circumstances, most people are unaccustomed to proactively sharing health information, especially with our workplaces, local communities, or with businesses we engage with. Yet, with a global pandemic in focus, the calculus can change. In fact, a recent survey indicated 89% of Americans would be willing to share some level of personal health information if it would help organizations keep them and their coworkers safe in the reopening process.
However, this willingness comes with very important concerns around personal privacy. For example, another recent study revealed that about 79% of Americans surveyed were concerned over how businesses and government agencies used their health information. As a result, today’s businesses and organizations must build and promote trust throughout the reopening process, or run the risk of discouraging people from sharing the information needed to identify health risks and prevent communities from exposure to infectious disease.
For this reason, companies must be vigilant in implementing health and safety processes, with privacy and ethical use in mind. Employees, customers, and constituents need to trust the tool being used to collect their information and know how the information is being used. We feel this is a critical piece in responding to today’s pandemic. But how, exactly, do you establish trust with your employees or constituents as you implement these solutions? We are guided by the following ethical use and privacy principles as we build, develop, and implement our own Salesforce products, including the Work.com suite of workplace and emergency response management applications, which includes a contact tracing application.
1. Protect human rights and equality
Ensure your solution does not exclude users — especially those who are already vulnerable — or deny essential services. For example, is your solution supported in multiple languages? Does the product meet or exceed internationally recognized best practices for accessibility? Finally, solicit feedback from a diverse range of perspectives and populations, including expert guidance, in order to ensure the implementation supports all needs. Share the feedback you receive with the impacted community so they understand other member’s concerns.
2. Honor transparency
Provide guidance to your employees or community members on how their data is being collected, stored, and used. Share how their data is protected, and what their rights are to control the use of that personal data. Your employees deserve visibility into what you are asking of them and why sharing personal health information is important to the health and safety of others, considering our new normal. Give them adequate time to consider this information and detail the importance of participation for efficacy.
3. Minimize data collection
Collect and retain only the data essential for a solution to be effective. Ask yourself: do we really need this information to help protect employee and customer safety? Anonymize data wherever possible to protect individual privacy. In many cases, the data points, without identifying information, may be sufficient to understand the health risks and considerations.
4. Take a long-term approach
Many of the health and safety precautions being implemented today to protect the employee and community’s health and safety, may be here awhile, or they may become tomorrow’s standards to reopen. Consider the information you are collecting, and think through the long-term implications and risks of keeping and storing that data. Retain data only as long as is necessary for the purposes it is meant for and delete it once that period is over. This practice limits data privacy risks, while giving you access to the personal data you need, only when you need it.
5. Add security protections
Limit access to any datasets stored within the solution to a clearly defined set of individuals with appropriate access permissions on a “need to know” basis. Implement safeguards to protect data against misuse, consistent with industry standards like International Organization for Standardization (ISO), Health Insurance Portability and Accountability Act (HIPAA), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Technology plays an important role in slowing the spread of disease. And when we design and implement this technology with the intention of protecting individuals’ privacy and promoting public health, we can contribute to uplifting our entire society.
To learn more about these guiding principles, refer to our Privacy and Ethical Use Principles Guiding our COVID-19 Response. For a guide to planning your own reopening process with ethical use and privacy in mind, refer to our Ethical Use and Privacy Considerations for COVID-19 Response Guide. For actions you can take to improve data privacy protections, refer to our Key Privacy Considerations Checklist.