What You Need to Know About COVID-19 Record-Keeping

The pandemic has changed the rules around what documents manufacturing companies need to create, track and retain.


It’s a scenario that no plant manager wants to encounter, yet it has unfortunately become one we’ve had to prepare for: an employee on the production line tests positive for COVID-19 or informs you that they’ve had a known exposure.

Manufacturers have been at the forefront of implementing employee testing and biometric tracking to help contain the spread of the virus, but in addition to the numerous health and safety precautions already implemented, new labor codes related to the exposure require that several new kinds of records be generated, tracked and kept for specific periods of time.

For example, California Labor Code § 6409.6, effective January 1, 2021, creates a “requirement for employers who have been notified about a potential exposure to COVID-19 to maintain records for three years of written notifications to employees who were at the same worksite as the individual within the infectious period.” The regulation details the types of written and electronic notices that must be provided to employees and subcontractors related to the exposure. It goes on to outline how long those records must be kept and maintained.

The pandemic has shown us how manufacturers are more essential—and yet in some ways, more vulnerable—than ever. Is your operation in compliance and prepared to handle the new record types being created due to the pandemic? Here are some key recommended steps you can take now:

Define new pandemic-related record types

Take the time to define and classify the many new types of records being generated around COVID-19-related events in your operation. Start by identifying the area of the business they’re related to, such as human resources, facilities/operations or accounting.

Next, list the record types that will be generated for each area. For example, human resources will generate new records related to employee case and contact tracing, employee biometric information such as recorded temperature readings, and disclosure of pandemic-related test results to health officials. Facilities records may include customer and visitor biometric information including temperature readings and contact information for contact tracing. And accounting records would include salary protection records.

Once you have a handle on all the types of new records being created, you can research your local labor codes to ensure that you follow proper procedures for record generation, distribution channels and retention.

Establish a retention schedule for pandemic-related records

The new California labor code clearly specifies, “An employer shall maintain records of the written [pandemic-related] notifications…for a period of at least three years.” This puts clear retention requirements around the types of records most organizations thought they could dispose of as soon as possible, primarily from fears of running afoul of U.S. and international privacy requirements. Although the bad news is that these types of records cannot simply be destroyed promptly, the good news is that legal requirements such as the California regulation justify the retention and in essence become the first line of defense to privacy claims, even if faced with a right to be forgotten request.

A clear and well-defined retention schedule is the first line of defense should legal issues or privacy compliance questions arise. While regulatory requirements are one key aspect governing your retention schedule, you should also consider a number of other factors to create a record retention model that serves your operation’s overall needs.

Some key questions to ask include: What are the privacy and data protection risks around these types of records? How will we track records for our plant workforce as well as for subcontractors, temporary workers, and other workforce additions we’ve had to make as a result of the pandemic? Is there a possible business value to the retention of records beyond legal retention requirements? What is the volume of records being generated? What are the legal liability risks associated with these records, and could retention beyond regulatory requirements provide additional protection for your company in the case of legal action? If the process is outsourced to a third party, what are the recordkeeping responsibilities of the organization versus those of the third party?

Examining these issues will naturally lead to the next step of having deeper conversations with your human resources, accounting and legal teams about risk exposure related to these types of records.

Evaluate and mitigate your risk related to pandemic-related records

As with any issue related to health and safety or employee matters in a manufacturing operation, COVID-19 events, processes and procedures naturally carry with them an increased amount of risk exposure around legal and privacy issues.

At the same time, the United States is currently experiencing an emphasis on privacy legislation and enforcement that’s likely to continue if not increase as the pandemic progresses. In addition, many pandemic-related records contain private and confidential information with clearly prescribed privacy and retention requirements.

The pandemic has also placed a new focus on the potential risks that COVID-19 presents to consumers, the food chain, supply chains and more that are unique to manufacturing environments—all of which create additional risk exposures.

Before you’re blindsided by a legal challenge, take the time to first understand your privacy and data protection risks. Consider the types of information that require protection, including biometric screening data, health information, and personal financial information.

In addition, specifically for the manufacturing industry, consider standards and control models, such as those that exist for the food industry. For instance, the food industry utilizes the Hazard Analysis Critical Control Points (HACCP) model to ensure risk control. The recordkeeping related to the HACCP model has four major components:

  1. Identifying a hazard and the best science and knowledge available to mitigate the associated risk (Hazard Analysis)
  2. Determining how to mitigate the risk for a particular organization (HACCP plans, Critical Control Points); e.g., establish a temperature threshold: how high does a person’s temperature need to be before they are not allowed to enter the building?
  3. Providing evidence that you have executed the mitigation plan (controls, verification); e.g., the logs that demonstrate that you were taking temperatures and adhering to the mitigation plan
  4. Overall scheduled evaluation (annual, monthly etc. evaluation periods)

While on the subject of identifying hazards, so far none of the regulators have identified COVID exposure as a hazardous exposure subject to the longest retention requirements (e.g., termination of employee plus 4 years for medical files, as opposed to termination of employee plus 40 years for hazardous exposure records). That said, keeping track of the classification of COVID-related records is critical to ensuring the proper retention is applied to these records.

Next, create a risk mitigation strategy that includes identification of key risk areas, plans and procedures to follow to mitigate these risks and respond to issues or investigations, a control record to document risk mitigation steps taken, and a feedback loop to ensure all steps are followed and continuously improved.

A solid records and information management plan has always been a cornerstone of a strong manufacturing operation. The far-reaching impacts of the global pandemic make it even more important, now and into the foreseeable future. Taking the time to define and create plans for your pandemic-related records will be time well invested in the viability of your business, employee base, client relationships and your reputation.

John Isaza, Esq., FAI is internationally recognized in the legal fields of privacy compliance, as well as records and information management (RIM). He is one of the country’s foremost experts on RIM issues, electronic discovery, privacy, and legal holds. He has developed information governance and records retention programs for some of the most highly regulated Global 1,000 companies, including related regulatory research opinions. John is also co-author of the Playbook for Responding to Pandemic-Related Records: A Methodology for Analysis & Ingestion of New Record Types.
