Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Leadership and ManagementLogical SecuritySecurity & Business Resilience

Data privacy risks of employee vaccine status collection

By Dan Clarke
covid-19 vaccine
February 16, 2022

Though the vaccination mandate by the Occupational Safety and Health Administration (OSHA) that would’ve required some 80 million workers across the U.S. to be vaccinated or tested weekly was blocked by the Supreme Court, it left the door open for states to pass their own policies. This means states could potentially fall into one of three categories: no restrictions, mandates blocked or mandates enforced.

For companies with employees in multiple states, this will create a new set of challenges to navigate, not to mention privacy risks that most may not be aware of or prepared for. On top of state-imposed policies, a number of companies have already opted to enforce their own vaccine or testing mandates, which means they could be in violation if they operate in a state that has blocked mandates.

Aside from navigating various state regulations, collection of vaccination status and testing results are considered highly sensitive and confidential medical information. This is held to a different privacy standard than other types of employee-related information. Collecting exemption-related personal information could be just as troublesome, as it could disclose things like religious beliefs, disabilities, etc. Companies need to be prepared to securely handle this employee data.

Safeguarding against privacy risk

“OSHA allows states to develop their own workplace health and safety plans, as long as those plans are ‘at least as effective’ as the federal program,” said Michael Hellbusch, Partner at Rutan & Tucker, LLP. “Since the federal rule is stayed, states are free to regulate in this area.”

This has the potential to create a lot of ambiguity for companies with multi-state operations. For instance, the Friday before the oral arguments, the Illinois State Department of Labor issued an emergency rule that would have enforced vaccine mandates for the state’s larger public sector employers. Less than a week later, it was determined Illinois OSHA would stay enforcement of the rule as it monitors federal action. Many predict a number of states will follow a similar “wait-and-see” approach, but it is very difficult to ascertain.

Regardless of what may come at the state level, legal consultants are urging organizations to start preparing now. This will be especially important for those that haven’t previously had to collect this type of information about their employees or that have employees in multiple states.

“As soon as systems move from voluntary to mandatory, it means mandatory use of some kind of vaccine credentialing system will be required, and that is something most organizations don’t have in place and maybe haven’t even thought about yet,” Hellbusch said.

Employers, whether they’re required or choosing to implement a vaccination credential system, must understand the privacy implications and risks of verifying and storing that information, as well as the policies and requirements of each state. Though there has yet to be a recognized standard for verifying status, collecting as little information as possible is always a good practice. But this can still leave organizations vulnerable to break notification risks.

Since this is new territory for most companies, many are simply treating the data as they do other employee information — collecting and storing this information internally or outsourcing to a third-party digital platform. But this data has to be managed differently.

Having employees email their credentials and other information to HR could significantly expose organizations. From a privacy perspective, there are other considerations that must be made:

  • Is all of the information collected necessary?
  • Does your organization have a data collection alternative to email? 
  • If files are retained, who has access to those files?
  • If files are stored electronically, where are those servers located?
  • Is this documentation maintained separately from other personnel files?
  • Is your organization collecting information from an employee in a state that has blocked mandates?

Even for companies using third-party digital platforms and apps, there are some precautions to consider. For example: 

  • Who is reviewing this employee information? 
  • Who within the company has access to the system?
  • How does that platform or app maintain privacy and security? With many of the vaccine credential systems out there, it’s not always clear how privacy is achieved.
  • Can the system automatically be activated or deactivated based on the employee’s locale?

Understanding the lifecycle of this data

Companies must have insight into who is on the other end viewing and handling their employees’ personal information. Currently, in most states, there is no formal protection against using vaccination data provided to credentialing systems for the use of commercial marketing or other unauthorized purposes. In August 2021, the World Privacy Forum raised a red flag urging the Centers for Disease Control and Prevention (CDC) to extend the protections that apply to healthcare providers to these systems.

This has yet to be enforced. Thus, it’s mission critical that employers do their due diligence. Understand how this information is being collected, what type of information is being collected, who has access to it and if access can be restricted. Finally, where will this data be stored and for how long? Consider the entire journey of that sensitive information — from the point of collection to where it lives and how it will be removed when it’s no longer needed.

“This is extremely sensitive information, and storing it is going to become a major challenge for most companies, especially since most are not equipped to collect and maintain the data,” said Jeff Sizemore, Chief Governance Officer at Egnyte. “Most haven’t had to deal with this type of medically sensitive information in the history of their operations. There’s a lot more to consider beyond simply collecting this information from a submission form or email.”

The right credentialing system will allow organizations to not only collect and store sensitive personal information in a secure environment, but also set up protocols to automate the removal of data and collection based on state. Don’t wait until it becomes an issue — start making plans now for how your organization will respond no matter how the pandemic and vaccination efforts evolve.
KEYWORDS: COVID-19 employee records healthcare cybersecurity personal information protection vaccine security worker safety

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Dan clarke headshot

Dan Clarke is the President of Truyo, an automated consent and data privacy rights management solution. He has 30 years of experience combining technology with media, retail and business leadership, has held executive leadership roles at Intel, is an experienced data privacy advisor, and is a 9-time CEO. Clarke has deep expertise in the privacy landscape and speaks frequently at public venues on the topic. He is also actively involved in Arizona, Texas and federal privacy legislation.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Top Cybersecurity Leaders
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Leadership and Management
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Medical professional

Nearly 85% of Nurses Experienced Workplace Violence in the Last Year

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • Online shopping

    100 top e-commerce sites create data privacy risks for consumers

    See More
  • remote work

    How to address data privacy risks created by remote and hybrid work

    See More
  • jupiterone_reinventing-cybersecurity-book-teaser_hero.jpg

    Female & non-binary security practitioners challenge status quo with collection of stories

    See More

Related Products

See More Products
  • 9780367030407.jpg

    National Security, Personal Privacy and the Law

  • s and the law.jpg

    Surveillance and the Law: Language, Power and Privacy

  • surveillance.jpg

    Surveillance, Privacy and Public Space

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing