24x7x365 Entisys360 Client Technical Support: Call (877) 368-4797 opt 9, or

The world is no longer as it once was and as we continue the process of immunization, self-isolation, social distancing, satisfying our travel itch, and yes…return to work there is a bit of consternation about what can and cannot be asked of employees as they transition back to the office.

I acknowledge that many employees will not be returning to the “old normal” and rather will have a “new normal” of a hybrid environment combining some semblance of remote work and in office meetings.  Today for folks such as myself who are consultants, we must not only follow our own company’s requirements but must acknowledge and be aware of the requirements and cultures of the organizations we serve.

So, with all that said below are some privacy considerations as organizations look to bring employees back into the office.

One of the most serious challenges we will face as employees return to work is tied directly to workplace privacy and the security of personal data. These primarily revolve around the “lawful” processes to screen employees for possible COVID-19 testing (whether overtly or covertly) and then what to do with both negative and positive results. Examples specifically identified include but are not limited to diagnostic tests, test for antibodies, workplace monitoring applications, requirements (or lack thereof) for immunization, employee consent, temperature scans, thermal scanners, substantive questions, etc.

In the United States, the Equal Employment Opportunity Commission (EEOC) updated it’s COVID-19 guidance on December 16, 2020.  This updated guidance, amongst other items, includes a new section providing information to employers and employees about how a COVID-19 vaccination interacts with the legal requirements of the Americans with Disabilities Act (ADA), Title VII of the Civil Rights Act of 1964, and the Genetic Information Nondiscrimination Act (GINA).  Review the new COVID-19 guidance in the EEOC here.

Two of several questions contained within the guidance include:

  • How much information may an employer request from an employee who calls in sick in order to protect the rest of its workforce during the COVID-19 pandemic?
  • When screening employees entering the workplace during this time, may an employer only ask employees about COVID-19 symptoms that the EEOC has identified as examples, or may it ask about symptoms identified by public health authorities associated with COVID-19?

This is just one tidbit of a plethora of guidance we have seen around the globe. In the U.S., state and local governments are also weighing in. In Europe we have individual countries, provinces, and even the EU as a whole weighing in. AsiaPac is the same.

So, what should a company do?

First, the company should form and empower an overarching cross functional “Return to Work Governance / Steering Committee” to oversee the policies, procedures, execution, and audit of the program. This committee at a minimum should include Human Resources, Corporate Compliance, Legal, Employment Law, Risk Management, Corporate Communication, Information Management, Information Security, Employee Health Services, Occupational Health and Safety, Physical Security and yes…Privacy. In order to be successful, a single individual should be appointed to hold ultimate responsibility of the committee’s activities. Moreover, I would extrapolate that this group and those individuals’ incentive compensations should be based on such performance and the reporting structure should be to the Board via Senior Corporate Leadership.

Remember further that Europe defines sensitive personal data as Race, Ethnicity, Political Affiliation, Trade Union Membership, Sexual Orientation, Health Status, Criminal History, Genetic Information and Biometrics. Add to that the focus that we in the U.S. have on regulated data such as government issued identifiers, health insurance numbers, health information in general, bank account information, credit card numbers and pin codes.  These are the most sensitive forms of information requiring the highest levels of protection.

But now add to that jurisdictions such as California reference personal data as data that can directly or indirectly identify a person, something about them or their family and all of a sudden the world opens up a whole new complexity specific to what is or is not personal data, the combination of data elements that could construe personal data and the protections that the data must have.

Now combine the above two paragraphs with whatever processes and procedures that your Office of General Counsel and Human Resources say are permissible, and meld the two together.

The law firm of Bird & Bird has published a COVID-19 Data Protection Guidance which is spectacular in my estimation. Not only does it break Europe down country by country in an easily absorbable format, but it also includes a Q&A section that I believe can serve as a foundation for any company’s return to work policies, procedures, and communication.

The conclusion here is that while the pandemic may be slowing in some places, and companies are earnestly in discussions about returning to work in the new normal, whatever that is, it is ultimately going to be execution of the new norm within your own organizational structure that matters.

I once had an attorney counsel me to always take the high road. I would urge every company to take the high road and the high road can only be executed by deeply examining one’s own organizational structure and culture, identifying the relevant laws rules and regulations, having the most senior leadership intimately involved at the execution level (not just oversight), auditing your processes and procedures, and providing full transparency to the process you used to allow your employees, contractors, consumers, and customers to identify issues.

The future is upon us and it is time to ensure that we address that future in the most comprehensive manner possible while also following leading practices and the law.

To learn more or speak to an Advyz Cyber Risk Services data privacy expert, email us at advyz@entisys360.com or call (877) ENTISYS.

Our Expertise

Security and Cyber Risk Services

Creating a strategy for managing risk and compliance, while helping to filter the noise of myriad cybersecurity technologies.

Automation and Cloud

Accelerating IT service delivery for our clients through the adoption of agile methodologies that are all part of a systems-oriented approach.

End User Computing

Helping businesses keep infrastructure uptodate, minimizing security risks, and maintaining compliance

Software Defined Data Center

Empowering your enterprise to achieve its full potentialand greatest efficiencyby keeping IT infrastructure operational, available and secure.

Core Infrastructure Services

Offering design, implementation, licensing optimization, and environmental services to ensure the use of Microsoft’s best practices and configurations.

Microsoft Expertise

Helping set goals and establishing benchmarks for the journey toward the successful deployment of Microsoft solutions.

Our Services


Enjoy a stressfree implementation that comes through the knowledge and experience of our professional services team.

Managed Services

Align your business initiatives with evolving industry trends to obtain a clear understanding of the impact of future technologies.

Cloud Strategy
and Services

Meeting a diverse range of business requirements through deployments that are flexible, scalable, and have the right mix of elements.


Never miss another maintenance or warranty contract renewal date or pay for unused maintenance contracts or warranties.


Through this service, our project management team takes the lead role in planning, executing, monitoring and closing projects.

Our Markets and Market Support Vehicles


Professional services and nationallyrecognized expertise that align perfectly with the trends and challenges facing a variety of industries.


Recognizing the unique challenges faced by healthcare IT organizations, and offering understanding, capabilities, and trusted relationships.

Public Sector

Helping organizations contain costs maintain high availability while finding new ways to increase security, compliance and more.

Group Purchasing

Industryleading IT consulting services and technology solutionsaccessed through a streamlined contracting process.



Learn about our upcoming events and webinars.

Solutions Literature

Accesstodownloadable assets with information on solutions and services offerings.


Gain expert technical insights around today’s leading enterprise technologies and solutions.

Press Releases

Read news and updates from the Entisys360 team.

News Stories

Learn about new developments with Entisys360 and our team.

About Entisys360

About Entisys360

Our mission, vision, leadership and team


Notable industry awards and recognition


Entisys360’s and its commitment to privacy


Our commitment to the community


Entisys360 Career opportunities

Contact Us

Entisys360 locations and contact resources