
Exposing Employee Personal Information (Unintentionally)

Before COVID, my wife and I tried to get out for lunch together at least once a week (when I was not on the road). Today we went to one of our favorite lunch restaurants and found a surprising sign when we approached the hostess to be seated.

What personal information was revealed?

The sign said “We invite our fully vaccinated team members to be maskless.” Given that COVID infections seem to be back on the upswing, it is, on the surface, reasonable for a business to explain why some customer-facing employees are working without a mask. It does, however, disclose some of the staff members’ personal information.

Clearly, the servers without a mask have been vaccinated. Conversely, the servers that were masked may not have been vaccinated. Our server was masked.

I decided to ask her how she felt about her personal information being exposed. Before I could get my full question out, the server began to explain she could not get vaccinated because of a health condition. In explaining her position on vaccines, the server felt she had to reveal more personal information. Her body language indicated that this made her uncomfortable.

As I continued on, the server was surprised that there was a sign. Management never informed the staff the sign was going up when they communicated the policy.

This discussion seemed to upset the server. Her concern was that the restaurant violated her privacy, maybe even violating HIPAA (a common misunderstanding of the law, which is a whole other topic).

What could have been done better?

It seems apparent that the restaurant did not think through the implications of putting up the sign. If they have a privacy officer (their privacy notice does not indicate there is one), the sign should have been discussed with the officer so the implications could be understood and addressed. (Can you say Privacy by Design?)

If the restaurant felt compelled to put up the sign, management should have discussed it with the staff beforehand, probably at the same time they discussed the new policy.

Giving control to the employee and customers

A different approach is taken by another restaurant I recently visited. At this establishment, the server always approaches customers wearing a mask. The server, at their option, can explain to the customers that they are vaccinated and would like to work with the mask off if the customer is OK with it.

This approach puts the decision to reveal personal information in the hands of the server, the owner of the information. It also allows customers to ask the server to keep the mask on if the customer is uncomfortable with the mask being removed.

A new world

We are all getting used to the new normal. Little things that we do may expose employee, customer, or other stakeholder personal information as we all try to do the right thing. These actions may also unwittingly violate our organization’s privacy policies and notices.

I suggest that organizations should institute an awareness program sharing with line managers what to think about when considering implementing a new policy or practice.