The novel coronavirus, COVID-19, has been classified as a global pandemic. At such a critical time for public health, nations and the global economy, the World Health Organisation, governments, Chief Medical Officers and public health organisations provide much needed scientific and practical expertise. In our data-driven world, data and information are vital to effectively responding through contact tracing, outbreak analysis, vaccine research, risk-assessments, diagnosis, treatment, modelling and government policy decisions. In this emergency, transparent and proportionate data privacy practices, confidentiality and data security procedures can help to inform these efforts, increase trust and encourage win-win outcomes. Data excellence is crucial.
Health Data: The sword and shield to combat the crisis
Health and medical data are often classified as sensitive and confidential. In the European Union, the General Data Protection Regulation (GDPR) lists these as special categories of personal data. Collecting, storing and sharing these types of data in high volumes is called high-risk data processing. Globally, best practice in health care data management insists that these kinds of data must be kept secure, that data sharing should be specific and limited, and that data must be highly accurate, complete and relevant. Individual consent is often the means by which these types of data are collected, stored and used. Health data processing for COVID-19 identification, treatment and public health countermeasures necessarily pressures and adjusts this status quo. The frequency and intensity of health data processing and sharing around the world will challenge data controllers, data owners, data guardians and individuals alike. A targeted and purposive approach is required. In this crisis, necessity must be the mother of invention and provide much needed public health and medical solutions and outcomes.
Looking for Leadership: Guidance from Key Data Regulators
Aware of the increase in health data collection, storage and use as well as the increased data security risks, data protection and other key regulators have published guidance to assist companies, organisations, governments, health care systems and individuals. These include:
The Italian data protection regulator, the Garante (Garante per la protezione dei dati personali), has published a statement encouraging employers not to collect COVID-19 related health data and location information about employees in a spontaneous, systematic and generalised way. Health data collection should be left to the health authorities, or otherwise such collections must be specifically required by law. Employers are encouraged to strictly comply with requests and nationwide initiatives from Italy’s Ministry of Health. The statement clarifies that employees have a duty to inform their employers of health and safety risks, such as exposure to COVID-19. Employers may invite employees to notify them of exposure. The statement, in Italian, is here.
The data protection regulator for the Republic of Ireland, the Data Protection Commission Ireland (DPC Ireland), has issued guidance stating that measures taken to combat COVID-19, including the collection and use of health data, should be necessary and proportionate. All decisions should be informed by the guidance and instructions of public health and other relevant authorities. The GDPR should be applied, and the key GDPR principles of a proper legal basis for processing health data, transparency, confidentiality, data minimisation and accountability should be practised. The guidance presents a number of employment scenarios as questions and answers. DPC Ireland acknowledges that an organisation’s response to an individual’s data protection rights may be impacted or delayed by COVID-19 and that this will be taken into account, but GDPR legal obligations cannot be waived. Where COVID-19 impacts data protection compliance, organisations should communicate with individuals, respond as quickly as possible, reply in stages and maintain clear internal records. The guidance is here.
Spain’s data protection regulator, La Agencia Española de Protección de Datos (AEPD), has published a statement and a report on data protection and COVID-19. AEPD clearly states that data protection rules should not be used as a barrier to respond to COVID-19. The GDPR and local Spanish laws provide the proper legal basis for dealing with these exceptional cases, public interest efforts and activities to protect the vital interests of individuals. Employers should process health data that are necessary to safeguard staff and limit further contagion. The statement is here and the report is here, in Spanish.
The United Kingdom’s data protection regulator, the Information Commissioner’s Office (ICO), issued a statement asserting that data protection and electronic communications laws do not prevent responding to COVID-19, including the additional collection of personal data for public health reasons. The ICO says that it is a reasonable and pragmatic regulator that will consider the compelling public interest in the coronavirus health emergency. It offers its website address and helpline number as sources of assistance. The statement is linked to questions and answers with scenarios about employers, employees and health professionals. The statement and the questions and answers, in English, are here.
France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued guidance emphasising that the GDPR applies to health data collection relating to COVID-19. It outlines prohibitions, which include employers asking staff and visitors to provide temperature readings every day or collecting health questionnaires from all employees. Systematic and generalised collection of health data is discouraged. Employees are encouraged to inform their employers about their potential COVID-19 exposure, and employers can provide reports to public health authorities and set up business continuity plans. Organisations should follow the recommendations of the health authorities and collect data in accordance with their requests and instructions. The guidance, available in French, is here.
United States of America
The United States responds to COVID-19 both on the federal level and on the state level, in each of the 50 states. City, regional and local-level responses are also evident. Without comprehensive all-sector national or federal-level data privacy laws, the broadest guidance available relates to the Federal Health Insurance Portability and Accountability Act 1996 (HIPAA). The Department for Health and Human Sciences published a Bulletin covering HIPAA and COVID-19 related issues, which is here. The US Centers for Disease Control and Prevention provides up-to-date general coronavirus updates, advice, health guidance and mitigation strategies, available here.
The National Health Commission of China published a notice, available in Chinese here, on the personal data protection issues in responding to COVID-19. In addition, one of China’s key cybersecurity and data protection bodies, the Cyberspace Administration of China (CAC), published a Circular on “Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” to provide detailed guidance, which is available in Chinese here.
Switzerland’s data protection regulator, the Federal Data Protection and Transparency Officer (PFPDT), has published guidance on the protection of personal data while containing COVID-19. The guidance is available in German, French and Italian.
Belgium’s data protection regulator, Autorité de protection des données, has published guidance on COVID-19. The guidance is available in French, here.
The Baden-Württemberg data protection regulator, LfDI Baden-Württemberg, published frequently asked questions (FAQs) on data protection compliance and COVID-19. The FAQs are here.
New Zealand’s data protection regulator, the Office of the Privacy Commissioner of New Zealand (OPCNZ), published frequently asked questions (FAQs) on COVID-19. The FAQs are here.
Denmark’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Danish, here.
Iceland’s data protection regulator, Persónuvernd, has published guidance on COVID-19. The guidance is available in Icelandic, here.
Luxembourg’s data protection regulator, Commission Nationale pour la Protection des Données, has published guidance on COVID-19. The guidance is available in French, here.
Norway’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Norwegian, here.
Poland’s data protection regulator, Urząd Ochrony Danych Osobowych, has published guidance on COVID-19. The guidance is available in Polish, here.
The Netherlands’ data protection regulator, Autoriteit Persoonsgegevens, has published guidance on COVID-19. The guidance is available in Dutch, here.
Hungary’s data protection regulator, Nemzeti Adatvédelmi és Információszabadság Hatóság, has published guidance on COVID-19. The guidance is available in Hungarian, here.
Slovakia’s data protection regulator, Úrad na ochranu osobných údajov Slovenskej republiky, has published guidance on COVID-19. The guidance is available in Slovak, here.
Slovenia’s data protection regulator, Informacijski pooblaščenec, has published guidance on COVID-19. The guidance is available in Slovenian, here.