Privacy and COVID-19 Clash, Creating Unprecedented Risks for Pharma

Pharma companies are in the spotlight and under more pressure to keep essential research and testing facilities operational amid pandemic lockdowns, as well as accelerating the production and distribution of an effective COVID-19 vaccine. These activities don’t lend themselves to remote work, and pharma companies in their capacity as employers have had to adapt to COVID-19 screening and testing measures, and now vaccination records, to provide a safe working environment. This is on top of provisioning and strengthening secure remote work environments for the exchange of highly-sensitive data between executives and authorities. But as the industry braces for another turbulent year ahead, pharma companies must address the unique operational and regulatory risks around data privacy that will soon come to bear.

To maintain business continuity and employee safety during the pandemic, many companies have begun tracking—taking temperatures, monitoring travel, and conducting COVID-19 testing and contact tracing—and maintaining records of employee health information. As more people receive vaccinations, these records will expand to include employee vaccination status. A recent report from the International Association of Privacy Professionals and FTI Consulting found that almost half of employers are now collecting health status information from employees (1).

Data protection

While these practices and issues are not exclusive to the pharma industry, pharma is one of the primary essential industries that has needed to keep a large portion of its workforce working in person. In turn, pharma companies are now stewards over a significant and growing pool of employee health data. No explicit set of rules exist for these new data sets, but a number of privacy laws will certainly intersect with them.

Multinational pharma companies doing business in Europe must consider implications under the General Data Protection Regulation (GDPR), and those with a presence in California would be prudent to evaluate their handling of employee health data against the employee personal data related obligations under the California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA), which will be operative in January 2023.

Employment litigation—which may stem from a data breach, consent disputes, or employees who feel that their health data are not being adequately protected—is a key risk as well. Employee data lost in a breach or security incident can lead to costly litigations. For example, a suit against a media company over personal employee data leaked in a breach resulted in an $8 million settlement (2).

Robust governance is needed to mitigate the emerging legal and regulatory implications of this new universe of sensitive information. The safest approach is to proceed as if it was all subject to a strict, formalized data privacy regulation. Companies that have started collecting data in the interest of employee safety should thus take a conservative approach in their policies, ensuring they are providing notice and obtaining consent surrounding how the data will be used and stored. New policies must also build in measures for protecting this data and properly disposing of it once it is no longer needed.

Additional practical measures pharma companies should implement to establish governance over employee health information include:

• Limit data sharing across borders and with third parties. If data are stored using an external cloud or other storage provider, evaluate the security controls the provider has in place and the location of its facilities to determine whether those variables are in compliance with local regulations.
• Establish controls so only approved, necessary parties can access the systems in which sensitive employee health information is stored.
• Conduct training and awareness campaigns that educate employees about the sensitivity of personal and health information and the risks associated with its use in the workplace.
• Work with internal IT and security stakeholders to assess the security provisions around the data and ensure employees who have access to it are adequately trained on complying with security controls.
• Review HR policies so they are aligned with privacy regulations, account for the new types of data being collected from employees and properly address employee consent for COVID-19-related screening and monitoring.

A key driving force behind privacy regulations is that, historically, corporations have been cavalier about the information they gather and how they protect it. Reducing the risk of a data privacy breach, implementing robust data privacy measures, and reassuring audiences around the organization’s data privacy posture requires a more strategic approach, led by the C-suite. Given that pharma companies are in the public eye now more than ever, now is the time to examine what is being collected, where it is stored, who has access to it, how long it is being saved, whether employees have given consent, and what regional laws the data may be subject to. Taking a swift and proactive approach to getting this data under control will demonstrate goodwill to employees and help mitigate future litigation and regulatory nightmares.

References

1. IAPP-FTI Consulting Privacy Governance Report 2020, https://www.ftitechnology.com/resources/white-papers/the-iapp-fti-consulting-annual-privacy-governance-report-2020
2. Gibson Dunn, Cybersecurity & Data Privacy: An Overview for Health Care, Pharmaceutical and Biotech Companies, https://www.gibsondunn.com/cybersecurity-data-privacy-an-overview-for-health-care-pharmaceutical-and-biotech-companies-2/#_ftn85