Thanks, Maria, for bringing attention to this matter. The bill Jessica refers to
prohibits covered entities from collecting, processing, or transferring an such information does not include data that is de-identified, related to employee health screening for on-site entry, or publicly available. If organizations de-identify this PII data, then this is no longer a concern. This is a practice that could be implemented organization-wide for all PII data to address security and privacy.
------------------------------
Lorelei Chernyshov, CIP, IGP
Merrick Bank
Assistant Vice President, Information Governance
------------------------------
Original Message:
Sent: 07-10-2020 10:21
From: Jessica Marlette
Subject: Privacy with Collection Apps
Here's one interesting article on the topic, including questions organizations should be asking regarding privacy: https://iapp.org/news/a/privacy-questions-for-covid-19-testing-and-health-monitoring/
There is also a proposed bill titled the COVID-19 Consumer Data Protection Act of 2020 (S.3663) that covers privacy for activities like contact tracing conducted by covered entities. It's still sitting in the Senate but definitely one to watch. Section 3(e) and Section 3(g) cover data deletion and data minimization. If enacted as is, the Federal Trade Commission would issue best practices for data minimization. You can access the full text of the bill and sign up for alerts here: https://www.congress.gov/bill/116th-congress/senate-bill/3663?q=%7B%22search%22%3A%5B%223663%22%5D%7D&s=1&r=6
------------------------------
Jessica Marlette, CIP
Information Governance Counsel
White & Case LLP
------------------------------
Original Message:
Sent: 07-07-2020 09:48
From: Maria Richardson
Subject: Privacy with Collection Apps
As we begin to return to work, many companies and firms are asking that a short health questionnaire be filled out and submitted to the HR Department along with the names of anyone you have come in contact with throughout the day (for contact tracing). Not to mention the hidden apps on your Apple and Android phones that are doing the same. Where is that information being kept, for how long, and ultimately how is that information going to be disposed of? Will it be categorized with a separate retention category?
------------------------------
Maria Richardson
Records Manager
Patterson Belknap Webb & Tyler
------------------------------