Submission Date:
Question:
The public libraries in our region have been requiring staff to complete a health self-assessment every day that they report to the building to work. Some of these libraries now have a collection of paper or electronic responses that date back to June.
How long should these records be kept? Two weeks? Two months? Forever?
And, not to complicate matters, but for municipal or school district public libraries, are these records, or portions thereof, subject to FOIL?
Answer:
Records management is an art formed by the crossroads of life, law, and data.[1]
As soon as we saw that the state's "Template Safety Plan" required completion of employee health screening, the records management implications were clear. In fact, "Ask the Lawyer" has alluded to this very concern before.[2] But the member's questions give us a really good focal point.
Here is some background, and then we'll tackle the member's questions:
As librarians know better than most people, information often falls into a variety of "buckets."
One of the biggest "buckets" of records that may sound familiar is the bucket labelled "evidence." Most people know that when you leave a paper trail, it can (with many exceptions) be used for—or against—you in court. In the employee data arena, common uses of such evidence are labor law and civil rights claims.
Another big bucket is "health care records" pertaining to individual people. This type of information is protected by a complex array of state and federal law, rules, and regulations, and the obligations related to it change based on who is retaining them. In the case of employers, the restrictions are generally rigid.
And of course, there are "municipal records" and "business records" both of which have a vast array of sub-classes and categories, depending on the municipality or the business (I don't know who has it worse, the records management office for a large city, or the records management office for an insurance company[3]). Municipal employers are always having to balance transparency with accountability, sorting disclosable[4] data from data restricted due to employee privacy.
Very often, the records in one "bucket" also belong in another, which swaps the bucket analogy for your classic Venn Diagram.
The member's question puts us squarely in a Venn Diagram comprised of sets (buckets) of:
- Employee personnel file records;
- Employee health-related records;
- Compliance records;
- [Possible] municipal records
- [Possible] evidence.
Because of the different definitions and regulations defining and restricting the information in the buckets, it is critical to know what data you're keeping. For instance, while employers are allowed to keep CONFIDENTIAL records related to employee health, COVID screening records are not supposed to contain such information—only the fact that a person was screened, and either made it through, or was denied access to the work site due to a screening factor.[5]
And with that....
How long should these records be kept? Two weeks? Two months? Forever?
Records showing that COVID screening and follow-up action[6] is being done as required, with no employee-specific information (like an employee's name coupled with their temperature, symptoms, or a positive diagnosis) included[7], is at the very least a compliance-related record, could be evidence in a lawsuit, and is (debatably) a municipal record. This means it could be used to show compliance (or lack thereof), to prove liability (or lack thereof), and/or may be subject to FOIL (more on that in a moment).
But despite all that overlap, I can find no clear legal requirement to retain screening data. The state's Executive Orders and guidance are silent on this, except for some areas where we can extrapolate retention (for instance, records kept for contact tracing must obviously be kept at least three weeks, since the whole point is timely notification within the window of exposure and possible illness).
Because I despise lawyering from a vacuum (I'd almost rather have bad guidance than no guidance) to see if any input could be gleaned from it, I took a long, hard look at the LGS-1[8], the "Local Government Schedule" of the New York Archives, which is the go-to text for questions related to municipal records retention.
Clocking in at over 400 pages, this document, which went into effect in August, 2020, lists just about every type of municipal record imaginable...except it doesn't list "Executive Order Compliance," or any other category I felt safe basing a reply to this question on.
With no clear bucket and no clear requirements, at this point, I have to answer that retention of proof of screening should be permanent.
And, not to complicate matters, but for municipal or school district public libraries, are these records, or portions thereof, subject to FOIL?
While I imagine most of the readers who have hung on this deep into this answer already know it, I will mention: "FOIL" is New York's "Freedom of Information Law," which requires government agencies to disclose most records[9] related to their operations.
It is well-known that an association library is not subject to FOIL; on the flip side, it is generally held that a public library, which is established by government and "belong[s] to the public" [Education Law, §253(2)] is subject to the Freedom of Information Law.
So, is the trove of information listed by the member subject to FOIL? It's highly likely.
Why?
This question by the member brings us full circle on our buckets. While employee health records are most certainly exempt from disclosure under FOIL[10], the impersonal operational records of a FOIL-able library that is simply ensuring screening is happening might not be.
Therefore, a library that knows it is subject to FOIL should be ready to asses if it has to disclose its safety plan compliance records upon request. However, in no event should such disclosure include employee names and related health information (disclosing a record with the name of the person or team in charge of monitoring compliance would be fine).
And there (complexities and all) you have it.
Thanks for a good records management-gymnastics-inducing question.
APPENDIX
From New York's "Interim COVID-19 Guidance for Curbside and In-Store Pickup Retail Business Activities"; record-generation triggers are highlighted in bold italics.
A. Screening and Testing
• Responsible Parties must implement mandatory daily health screening practices.
o Screening practices may be performed remotely (e.g. by telephone or electronic survey), before the employee reports to the retail location, to the extent possible; or may be performed on site.
o Screening should be coordinated to prevent employees from intermingling in close contact with each other prior to completion of the screening.
o At a minimum, screening should be required of all workers and essential visitors (but not customers) and completed using a questionnaire that determines whether the worker or visitor has:
(a) knowingly been in close or proximate contact in the past 14 days with anyone who has tested positive for COVID-19 or who has or had symptoms of COVID-19,
(b) tested positive for COVID-19 in the past 14 days, or
(c) has experienced any symptoms of COVID-19 in the past 14 days.
• According to CDC guidance on “Symptoms of Coronavirus,” the term “symptomatic” includes employees who have the following symptoms or combinations of symptoms: fever, cough, shortness of breath, or at least two of the following symptoms: fever, chills, repeated shaking with chills, muscle pain, headache, sore throat, or new loss of taste or smell. Responsible Parties should require employees to immediately disclose if and when their responses to any of the aforementioned questions changes, such as if they begin to experience symptoms, including during or outside of work hours.
- Daily temperature checks may also be conducted per Equal Employment Opportunity Commission or DOH guidelines. Responsible Parties are prohibited from keeping records of employee health data (e.g. temperature data).
- Responsible Parties must ensure that any personnel performing screening activities, including temperature checks, are appropriately protected from exposure to potentially infectious employees or visitors entering the retail location. Personnel performing screening activities should be trained by employer-identified individuals who are familiar with CDC, DOH, and OSHA protocols.
- Screeners should be provided and use PPE, including at a minimum, a face mask, and may include gloves, a gown, and/or a face shield.
- An employee who screens positive for COVID-19 symptoms should not be allowed to enter the worksite and should be sent home with instructions to contact their healthcare provider for assessment and testing. Responsible parties must immediately notify the local health department and DOH about the suspected case. Responsible parties should provide the employee with information on healthcare and testing resources.
- An employee who has responded that they have had close contact with a person who is confirmed or suspected for COVID-19 may not be allowed to enter the retail location without abiding by the precautions outlined below and the Responsible Parties has documented the employee’s adherence to those precautions.
- Responsible Parties must review all employee and visitor responses collected by the screening process on a daily basis and maintain a record of such review. Responsible Parties must also identify a contact as the party for employees to inform if they later are experiencing COVID-19-related symptoms, as noted in the questionnaire.
- Responsible parties must designate a site safety monitor whose responsibilities include continuous compliance with all aspects of the site safety plan.
- To the extent possible, Responsible Parties should maintain a log of every person, including workers and visitors, who may have close contact with other individuals at the work site or area; excluding deliveries that are performed with appropriate PPE or through contactless means. Log should contain contact information, such that all contacts may be identified, traced and notified in the event an employee is diagnosed with COVID-19. Responsible Parties must cooperate with local health department contact tracing efforts.
- Responsible parties cannot mandate that customers complete a health screen or provide contact information but may encourage customers to do so. Responsible Parties may provide an option for customers to provide contact information so they can be logged and contacted for contact tracing, if necessary.
- Employers and employees should take the following actions related to COVID-19 symptoms and contact:
o If an employee has COVID-19 symptoms AND EITHER tests positive for COVID-19 OR did not receive a test, the employee may only return to work after completing a 14-day self-quarantine. If an employee is critical to the operation or safety of a facility, the Responsible Parties may consult their local health department and the most up-to-date CDC and DOH standards on the minimum number of days to quarantine before an employee is safely able to return to work with additional precautions to mitigate the risk of COVID-19 transmission.
o If an employee does NOT have COVID-19 symptoms BUT tests positive for COVID-19, the employee may only return to work after completing a 14-day self-quarantine. If an employee is critical to the operation or safety of a facility, the Responsible Parties may consult their local health department and the most up-to-date CDC and DOH standards on the minimum number of days to quarantine before an employee is safely able to return to work with additional precautions to mitigate the risk of COVID-19 transmission.
o If an employee has had close contact with a person with COVID-19 for a prolonged period of time AND is symptomatic, the employee should notify the Responsible Parties and follow the above protocol for a positive case.
o If an employee has had close contact with a person with COVID-19 for a prolonged period of time AND is NOT symptomatic, the employee should notify the Responsible Parties and adhere to the following practices prior to and during their work shift, which should be documented by the Responsible Parties:
- Regular monitoring: As long as the employee does not have a temperature or symptoms, they should self-monitor under the supervision of their employer’s occupational health program.
- Wear a mask: The employee should wear a face mask at all times while in the workplace for 14 days after last exposure.
- Social distance: Employee should continue social distancing practices, including maintaining, at least, six feet distance from others.
- Disinfect and clean work spaces: Continue to clean and disinfect all areas such as offices, bathrooms, common areas, and shared electronic equipment routinely.
o If an employee is symptomatic upon arrival at work or becomes sick during the day, the employee must be separated and sent home immediately, following the above protocol for a positive case.
B. Tracing and Tracking
- Responsible Parties must notify the local health department and DOH immediately upon being informed of any positive COVID-19 test result by a worker at their site.
- In the case of an employee, visitor, or customer who interacted at the business testing positive, the Responsible Parties must cooperate with the local health department to trace all contacts in the workplace and notify the health department of all employees logged and visitors/customers (as applicable) who entered the retail location dating back to 48 hours before the employee began experiencing COVID-19 symptoms or tested positive, whichever is earlier, but maintain confidentiality as required by federal and state law and regulations.
- Local health departments will implement monitoring and movement restrictions of infected or exposed persons including home isolation or quarantine.
- Employees who are alerted that they have come into close or proximate contact with a person with COVID-19, and have been alerted via tracing, tracking or other mechanism, are required to self- report to their employer at the time of alert and shall follow all required protocols as if they had been exposed at work.
[1] I spend a lot of time at this crossroads; so much so that If I ever find myself in line at the DMV next to a Hollywood agent, I have a pitch for a show: An archivist, a lawyer, an IT expert, a chemist, and a rogue town clerk, united by a traumatic loss of data, form an unlikely alliance to fight for justice, truth, and the use of acid-free paper. Called "For the Record", each episode would start with a Core Reveal (like a surveyor moving property line pins in the dark), while the rest of the episode would show the Team disentangling the plot. While “For the Record” would hinge on plot devices like hidden scrolls, encrypted data, and HVAC systems gone wild, what will really keep audiences coming back for more would of course be an elaborate, over-arching plot line involving the census, adoption records, and the complicated emotional lives of the protagonists. If any agent out there wants to take me up on this, I promise an epic, solid seven-season run.
And with that out of my system, I will answer the question.
[2] See "Ask the Lawyer" RAQ #163 and RAQ #144.
[3] Actually, I do know: the city employee. There is never enough money in a city budget to manage records properly.
[4] One of the primary ways such information is subject to disclosure is Article VI of the Public Officer's Law, or FOIL. There is a big FOIL fight going on right now over law enforcement disciplinary records, and my firm is in the thick of it.
[5] https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/offices-interim-guidance.pdf
[6] By "follow-up action," I mean the things an employer is required to do as a result of screening. If your library determines that it must follow the NYS requirements for retail, I have put those at the end of this answer, and highlighted in yellow the different COVID SCREENING RECORDS they will generate.
[7] Remember, anything specific to the employee (temperature, a positive diagnosis, disclosure of symptoms) are separate, confidential employee health records and should not be retained, or should be retained in confidence as required by ADA.
[8] Found at: http://www.archives.nysed.gov/common/archives/files/lgs1.pdf. WARNING! This is a rabbit hole. Have coffee and a protein bar on hand if you start reading it.
[9] There are, of course, a ton of exceptions, including health records of employees.
[10] FOIL §89(2)(b).
