OR WAIT null SECS
Rena Verma is a Senior Managing Director in FTI Technology’s Information Governance, Privacy and Security Practice. Rena has been providing advisory solutions to Fortune 500 legal departments and law firms in information governance, electronic discovery, legal technology and legal operations for nearly two decades. Rena's clients include some of the largest pharmaceuticals companies, banks, insurance, transportation and technology companies.
To maintain business continuity and employee safety during the pandemic, many companies have begun tracking and maintaining records of employee health information.
Pharma companies are in the spotlight and under more pressure to keep essential research and testing facilities operational amid pandemic lockdowns, as well as accelerating the production and distribution of an effective COVID-19 vaccine. These activities don’t lend themselves to remote work, and pharma companies in their capacity as employers have had to adapt to COVID-19 screening and testing measures, and now vaccination records, to provide a safe working environment. This is on top of provisioning and strengthening secure remote work environments for the exchange of highly-sensitive data between executives and authorities. But as the industry braces for another turbulent year ahead, pharma companies must address the unique operational and regulatory risks around data privacy that will soon come to bear.
To maintain business continuity and employee safety during the pandemic, many companies have begun tracking—taking temperatures, monitoring travel, and conducting COVID-19 testing and contact tracing—and maintaining records of employee health information. As more people receive vaccinations, these records will expand to include employee vaccination status. A recent report from the International Association of Privacy Professionals and FTI Consulting found that almost half of employers are now collecting health status information from employees (1).
While these practices and issues are not exclusive to the pharma industry, pharma is one of the primary essential industries that has needed to keep a large portion of its workforce working in person. In turn, pharma companies are now stewards over a significant and growing pool of employee health data. No explicit set of rules exist for these new data sets, but a number of privacy laws will certainly intersect with them.
Multinational pharma companies doing business in Europe must consider implications under the General Data Protection Regulation (GDPR), and those with a presence in California would be prudent to evaluate their handling of employee health data against the employee personal data related obligations under the California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA), which will be operative in January 2023.
Employment litigation—which may stem from a data breach, consent disputes, or employees who feel that their health data are not being adequately protected—is a key risk as well. Employee data lost in a breach or security incident can lead to costly litigations. For example, a suit against a media company over personal employee data leaked in a breach resulted in an $8 million settlement (2).
Robust governance is needed to mitigate the emerging legal and regulatory implications of this new universe of sensitive information. The safest approach is to proceed as if it was all subject to a strict, formalized data privacy regulation. Companies that have started collecting data in the interest of employee safety should thus take a conservative approach in their policies, ensuring they are providing notice and obtaining consent surrounding how the data will be used and stored. New policies must also build in measures for protecting this data and properly disposing of it once it is no longer needed.
Additional practical measures pharma companies should implement to establish governance over employee health information include:
A key driving force behind privacy regulations is that, historically, corporations have been cavalier about the information they gather and how they protect it. Reducing the risk of a data privacy breach, implementing robust data privacy measures, and reassuring audiences around the organization’s data privacy posture requires a more strategic approach, led by the C-suite. Given that pharma companies are in the public eye now more than ever, now is the time to examine what is being collected, where it is stored, who has access to it, how long it is being saved, whether employees have given consent, and what regional laws the data may be subject to. Taking a swift and proactive approach to getting this data under control will demonstrate goodwill to employees and help mitigate future litigation and regulatory nightmares.