Tracking, Storing Private Health Data – Even During a Pandemic – Is Risky

As hotels reopen for business amid the COVID-19 pandemic, many travelers are eager to get “back to normal.” However, hospitality’s new normal is requiring many establishments to gather personal health data on consumers – something that was never needed or even considered prior to the pandemic. However, without the proper privacy procedures in place, guests and hotels may be unwittingly making private health information available to unknown entities and violating serious laws in the process. To learn more about this topic, HT spoke with Dan Clarke, president at IntraEdge.

When it comes to health data, why do hotels need to be careful with storing/sharing staff and guest data?
While the current pandemic permits taking temperatures and asking sensitive health questions, and it is a good idea as part of your measures, this permission does not exempt a hotel from compliance laws regarding the sensitive nature of health data, and this tends to be new ground for companies thus mandating careful measures. Hotels could unintentionally create additional privacy and compliance issues for themselves by storing sensitive data or broadcasting information that is protected by privacy and HIPAA compliance. This goes beyond storing results, even the actual temperature itself being inadvertently broadcast in a hotel lobby could be problematic.

Why might this data be a target for cybercriminals?
Sensitive data that can be traced back to an individual will always remain a primary target for cybercriminals because of the monetary gain associated with personal data.  Private right of actual for breach would be available to plaintiffs under CCPA as well for both consumers and employees, thus increasing the need to carefully protect such data.

What should hotels look for in tech partners if they choose to store this data?
Hotels really don’t want direct access to temperature readings and health questionnaires due to the sensitive nature of the data. Hotels should use technology to optimize health checks to ensure the health and wellness of their staff and guest while utilizing a privacy platform or resource with the expertise and experience in handling this type of sensitive data. Any data collected on the device should never be stored long-term (unless required by OSHA), but rather should have a carefully planned data retention period, and it should be sent to a centralized database where the data is always encrypted while it is in transit and at rest.  

How can hotels vet tech partners that offer health data-related tech?
If using a temperature kiosk to optimize health checks, the solution should be a privacy-first solution that protects user data, ensure users have access to their data and have privacy software that complies with global privacy compliance to ensure transparency and peace of mind among the employees and guests of the hotel. Employees and consumers are extremely sensitive now due to the pandemic as to how this data is utilized.

How might taking and storing this data becomes a problem when considered alongside CCPA, GDPR, etc.?
CCPA and GDPR do apply; although there are allowances for the pandemic, this is not a general exemption.  The entire hotel staff must adopt a privacy-first mentality as guests return during the pandemic. The COVID-19 pandemic does not exempt the storing and handling of sensitive health data from privacy laws, and often the best solution is to insulate the business from the specific and exact temperature readings to reduce the risk associated with this data.
If hotels are sharing consumer/employee health data with other companies/organizations - why would they do that? why might that be problematic to consumers?
Transparency and safeguarding employee and consumer data must always remain top of mind when collecting Coronavirus related data for health checks. In the event a staff member or guest is infected with COVID-19, their data must only be shared with the required parties to prevent a further outbreak. Sharing this data with any other company or organization for non-health-related reasons could pose much more significant issues such as fines associated with privacy compliance, HIPAA violations, or other regulations.  

What kind of effect on a hotel's reputation could a lack of privacy around health data create?
Hotels that don't put privacy first could lose the trust of their staff and guests if unauthorized access to their sensitive data were shared without their knowledge, or could even face regulator or legal action. This is quite serious for your reputation. It's essential not only for the reputation of the hotel but for privacy compliance to notify employees and consumers what, how, and why you, as an establishment, are using their data.

Other comments?
Taking temperatures and asking sensitive health questions is part of many guidelines and is most likely an effective measure as part of your overall plan, but you have to be careful with the data and cautious about the accuracy. Most hotels don’t want or need to actually keep this data. If you can, an alternative is to rely on a 3rd party that only shares results and keeps privacy top of mind. 

This ad will auto-close in 10 seconds