Respecting employees’ health data: How agencies can safeguard COVID-19 vaccination and test information

While the omicron-fueled COVID-19 surge is easing up in many parts of the U.S., it is still setting records nationally and internationally. With the likelihood of new variants also on the horizon, it is vital for employers to communicate quickly and efficiently as new information arises. Employers are grappling with the challenge of keeping their workforce as safe as possible, while also safeguarding personal health data that’s sensitive in nature.

State and local government organizations are tasked with collecting and protecting a growing volume of COVID-19-related employee data. This expansion of protected health information (PHI) and personally identifiable information (PII) places a greater burden on both HR functions and executive decision-makers.

Meanwhile, cyber risks are only increasing. HIPAA Journal noted 642 data-breach incidents involving 500 or more records in 2020, a 25-percent year-over-year increase. It reported 655 such incidents from January through October 2021, a new record. Additionally, 75 percent of state and local governments experienced a breach or potential compromise in the past year, according to research from MeriTalk.

Clearly, agencies need an effective way to protect the employee COVID-19 data they capture, store and transmit. They can achieve this goal by following three steps:

1. Establish a secure process for collecting employee PII.
   Many agencies are capturing proof of employee vaccination or negative-test results. But employees can’t simply bring a vaccination card to work to show to a manager, nor can they just display an image of the card on their smartphone.

Instead, OSHA recommends that employers retain a record of employee immunization. This can include a physical copy of the vaccination record, a digital copy such as a scanned image, digital photograph or PDF version, or a medical record or other official documentation of the vaccination.

Regardless of the data format, HR teams will need to collect the results, aggregate them across their workforce, and communicate to managers which of their workers are unvaccinated. That information will need to be shared through email or other collaboration workflows. It’s imperative that such data transmissions remain secure from end to end.

2. Protect data end-to-end, not just in transit.
   Organizations typically rely on the encryption native to most email applications to secure sensitive data transmissions. The traditional approach is called transit-layer security (TLS). But TLS has a fatal flaw: It only protects messages while in transit, and it leaves PHI vulnerable to a data breach because it doesn’t encrypt it end-to-end.

To understand what it means to protect data end-to-end, it helps to first understand encryption. Encryption uses complex algorithms, but at a conceptual level it’s like surrounding a piece of data in an impenetrable wrapper. It obscures the contents of a data object so that it can be read only by the person or entity authorized to read it.

Yet when a piece of data is shared, it’s never a simple A-to-B journey. Let’s use an email attachment as an example. The message is written in an email client such as Gmail. The attachment is uploaded to Google’s servers. Once the email is sent, it travels over the internet from network to network. It eventually reaches the recipient’s network and email client. Although the email is delivered in an instant, it’s handed off across several technology ecosystems before it reaches its destination.

End-to-end encryption protects that data from the moment it’s created to the moment it’s accessed by the authorized recipient. It safeguards the data across formats, devices and ecosystems—emails, attachments, documents, videos, databases, internet of things (IoT) devices and so on.

In this way, state and local governments can ensure they are protecting and respecting employee data while also helping to maintain compliance with regulations such as HIPAA and FERPA.

3. Respect the data: Give employees control over their own personal information, while building in safeguards.
   Safeguarding workforce PII is about more than just cybersecurity protections. It also involves employee trust, so it’s important to give workers control of their data while you also demonstrate a commitment to protecting it.

This is especially important because citizen and employee trust has eroded. Trust in government in the United States, while inching up 3 percentage points last year, remains at a rather dismal 42 percent, according to the Edelman Trust Barometer 2021. Globally, only 53 percent of government workers trust their employer, according to the study. And 68 percent of people are concerned about hackers and cyberattacks.

As the government labor market has grown tighter in the wake of the pandemic, trust can become a competitive advantage. And as agencies gather and manage COVID-19-related employee data, demonstrating a commitment to employee privacy will be imperative.

End-to-end encryption places control over data in the hands of the data owner. No matter how or where it travels, the owner can modify controls, limit sharing or even revoke access.

These three crucial steps for end-to-end data protection are all enabled by an open standard called the trusted data format (TDF), which allows agencies to encrypt, control access to and audit the protection of data wherever it’s created or shared.

TDF was created at the National Security Agency and thousands of organizations already use it to achieve secure data sharing, with platform-agnostic encryption of any type of data across any device or cloud environment. This open-source technology can be particularly effective at the state and local levels, as those agencies are tasked with safeguarding increasing amounts of sensitive data—like employee vaccination records and test results.

While COVID-19-related employee data is the catalyst pushing organizations to take additional steps to ensure data privacy and security, it’s not the only sensitive data that agencies manage, and it won’t be the last new data type they’ll need to worry about. End-to-end encryption enabled by TDF can empower organizations with the versatile protections they need—across any application, device or cloud—whatever forms of data they need to gather, manage and share.

At the end of the day, agencies are tasked with serving the public and gaining their trust. A demonstrated commitment to respecting individuals’ personal data, whether those individuals are employees or constituents, can go a long way to foster trust during the volatility and unpredictability of the global pandemic—and when the pandemic is over, it will still be a vital way to serve our communities.

As CEO and co-founder of Virtru, John Ackerly is a long-time privacy advocate. Prior to co-founding Virtru, Ackerly worked in both the private and public sectors, including serving as a technology policy advisor at the White House and the policy and strategic planning director at the U.S. Department of Commerce.