Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?

Nothing within the CCPA inherently prohibits an employer from sharing with public health authorities the names and contact information of employees that have been infected with a contagious disease.  To the extent that a federal, state, or municipal law requires the disclosure, the CCPA itself would not apply.¹  If the disclosure is not required, but made at the request or recommendation of a public health authority, the CCPA arguably requires only that the business take the following steps:

• The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected.  While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.²
• In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”³ While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.⁴

It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities.  For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”⁵  Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official investigating compliance with [the ADA].”⁶  Thus the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies.  As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control).  As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Section 1798.145(a)(1) of the CCPA states that the  Act shall not restrict a business’s ability to comply with a federal, state, or local law.

2. CCPA, § 1798.100(b) (requiring a business to provide information concerning the “purposes” for which information collected will be used).

3. CCPA, § 1798.130(a)(4)(C)

4. CCPA, § 1798.130(a)(4)(C) (requiring that in response to an access request a business disclose the categories of information shared for a business purpose in the preceding 12 months and the categories of third parties to whom it was shared).

5. 29 C.F.R. 1630.14(d)(4).

6. 42 USC § 12112(d)(4)(B), (C).