The hospitality industry has been collecting guests’ and employees’ personal information for years now, but as hoteliers consider collecting health information, they need to know how to do it properly.
REPORT FROM THE U.S.—As hotels and restaurants reopen across the U.S. after being closed for weeks or months, their owners and operators may be looking to collect more guest and employee data than before, and that data requires careful consideration.
During the “Data privacy in the age of COVID-19” webinar hosted by HTNG, Odia Kagan, partner and chair of GDPR compliance and international privacy at Fox Rothschild, said as hospitality companies collect more information, particularly health information, they need to know how to properly handle it.
Contact tracing is controversial now because of the data privacy implications associated with it, Kagan said. It potentially collects a person’s health condition as well as their location. The counterargument here is that contact tracing promotes safety, but the question is whether it promotes safety enough given the level of accuracy in contact-tracing apps, she said.
Contact-tracing apps use triangulation through Bluetooth, Wi-Fi or cell towers to determine the user’s location, Kagan said. Many of these apps are not the most accurate, however, as the Bluetooth sensitivity in a small building could put someone in proximity of someone else even if they are separated by a wall.
“There’s a lot of false positives added to the cost of the data privacy issues,” she said.
There are several bills in play around the U.S. regarding contact tracing in the workplace, Kagan said. Some say employers can require it while others say it needs to be voluntary. If the workplace contact tracing is voluntary, employers need to consider whether they have enough traction and whether they would collect enough data, she said.
A data protection impact assessment or a privacy impact assessment would come into play here, Kagan said. For a contact-tracing app, the assessment would help determine the information that would be collected, how accurate the app’s information would be and whether the employer could get better results by not using an app.
For a food manufacturing plant that is thousands of square feet in size with people moving around different locations, manual contact tracing would be more difficult, so an app would be justified, Kagan said. For a small bistro or a hotel’s reception area and a small staff, an app might not help much even if there is one positive case.
“Is that really going to make a difference?” she asked. “Are you not going to close down the floor? You’re not going to disinfect the entire suite?”
The analysis will help determine if the employer needs to collect the information and if the technology would put them in a better position than something else that’s less invasive, Kagan said.
Collecting health information
For anyone collecting information in connection with COVID-19, only collect the information that is necessary or legally required, Kagan said. Those who are checking people’s temperatures should consider the least invasive way to do that and determine if they need to record this information as well.
For example, if a business has a temperature threshold above which an employee cannot come in, employers must decide if having that policy by itself is enough or if it’s necessary to record it in the employee’s personnel file, she said. The less unnecessary information recorded, the less that could be implicated in a breach.
Collecting any sort of health information about guests or employees does not fall under the scope of the Health Insurance Portability and Accountability Act, she said. HIPAA applies to covered entities, such as medical professionals, benefits plan providers and health clearing houses. Checking someone’s temperature does not inadvertently put them under the scope of HIPAA.
The California Consumer Privacy Act and bills in other states modeled after the CCPA require giving notice when collecting someone’s information, Kagan said. Those collecting information must state the purpose of collecting the information, what will be kept and with whom it will be shared.
The benefit here is that being transparent with customers helps build trust, which ends up being useful for marketing goals, she said.
Businesses that decide to collect information and keep it must safeguard it, Kagan said.
“You want to keep it separate, you want to protect it,” she said. “You want to protect it from a data breach situation because it’s sensitive information, health information.”
If someone does test positive for COVID-19, employers need to let their other employees know, but they should disclose as little information as necessary, Kagan said. There have been situations in which a person’s identity and positive status were exposed and it damaged their well-being, safety and reputation, she said.