Coronavirus is part of our reality and while governments, schools, community schemes and organisations try to #FlattenTheCurve and prevent the spread of the virus, it is important to ask: what effect does this have on privacy and data protection? How do we beat this virus without infringing people’s rights and freedoms? Generally, when faced with a choice between health and privacy, people will choose health. The ideal would be to achieve both.

Privacy in healthcare has always been very important and still is during a pandemic. To help everyone, we thought we’d create a collection or hub of useful resources on coronavirus and COVID-19. And also summarise the key considerations. What we need is global solidarity during this pandemic and sharing information is part of that.

Key considerations on coronavirus and data protection

These are ten key considerations for controllers and processors on how to process personal data in a time of coronavirus and COVID-19 based on the guidance issued by various authorities.

  1. You should try to anonymise personal data where possible – in this way we can fight the disease and protect privacy.
  2. You must have a lawful ground for processing data concerning health. For example, the processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i)) or the purpose serves a public interest (section 27) or the law authorises it. You may be able to process a person’s health information without their consent for reasons of public interest or to protect vital interests.
  3. Personal data must be processed fairly and transparently. Controllers (like Governments and healthcare providers) must be open about how they are processing the personal data of patients and citizens. For example, Governments must tell people if they are monitoring their location. Transparency leads to empowered citizens – the more correct information citizens have the better.
  4. Personal data used for a specific purpose (like fighting a pandemic) must only be used for that purpose and not further purposes. For example, organisations should not use positive test results to discriminate against people. Governments should not use a person’s location to arrest them for evading tax.
  5. Health data (like a positive or negative infection result) should only be used as necessary and no longer than necessary. For example, try not to mention a specific individual who has tested positive. Rather say a person in the HR department. The surveillance of infected people (and those they have been in contact with) should be a temporary measure and stop once no longer infectious.
  6. You must process the data accurately and keep it secure.
  7. You can transfer personal data across borders to other countries because “the transfer is necessary for important reasons of public interest” (Article 49(1)(d)). Disease knows no boundaries and neither should the data that relates to it. It is definitely in the public interest for one country to share data with another – even if the receiving country does not have adequate protection for personal data. As part of global solidarity, all countries need to share data.
  8. Authorities (DPAs) are going to be lenient – at least during the crisis phase but this doesn’t mean you can do whatever you like.
  9. Access to information is key to beating this disease. For example, Governments should ensure that accurate current information is made available to citizens.
  10. Keep your head and don’t let panic or fear take over.

“We have to keep dancing when the lights go out” – Coldplay

Guidance from authorities on COVID-19

Many DPAs have issued guidance. The IAPP has a useful list of most of them. Below is a summary of some of the important ones. The real trick though is in converting all this guidance into practical action.

European Data Protection Supervisor

The EDPS published a letter addressing telecommunication providers using location data to track the spread of COVID-19. The EDPS reiterated that European data protection laws do not prevent taking measures that help fight pandemics. The letter considers the following factors that telecommunication providers must take into account when utilising location data to track the spread of the virus:

  • Data anonymisation
  • Data security and data access
  • Data retention

The EDPS emphasised that even if the telecommunication providers anonymise the data, and it, therefore, falls outside of data protection laws, proper security and confidentiality measures must still be in place to protect the data.

European Data Protection Board

The EDPB released a statement requiring anyone processing personal information to do so on a lawful basis: ‘This applies for instance when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.’

Global Privacy Assembly

The GPA issued a statement supporting organisations and governments sharing personal information to help combat the spread of COVID-19. This includes sharing this information across borders. The GPA reiterated that universal data protection principles do not inhibit the sharing of personal information if it’s in the public interest. The statement included the GPA’s acknowledgement that many jurisdictions consider health information sensitive. This, however, has not stopped governments and data protection authorities from using this information to identify and remain up to date on the spread of the virus.

The GPA also showed support for health practitioners and public bodies to share information directly with people, government and scientific bodies both nationally and globally.

You can find the various statements made by the GPA’s member states on their data protection and COVID-19 resources page.

Information Regulator (South Africa)

The Information Regulator (IR) released a COVID 19 guidance note on the processing of personal information in the management and containment of the COVID-19 pandemic. The guidance note acknowledges that everyone has the constitutional right to privacy. However, public and private organisations may limit this right in order to assist in effectively managing the spread of COVID-19. The IR highlights the conditions that a responsible party must adhere to when processing personal information such as:

  • only collecting the data for a specific purpose (e.g. manage the spread of COVID-19)
  • ensuring adequate security measures are in place
  • deleting or destroying the information when they are no longer authorised to keep it

In addition, the IR answers questions relating to the sharing of location-based data, employment and consent in the context of COVID-19.

The IR also released a media statement imploring health and testing centres to protect the personal information they have relating to COVID-19. The IR acknowledged that POPIA permits the processing of personal information for statistical and research purposes. However, it emphasised that health and testing centres must comply with POPIA at all times. These centres must ensure that the personal information relating to COVID-19 is secure and not used for any other purpose.

As there has been an influx in online shopping and banking, the IR also called on public and private bodies to increase their security around their digital and physical operating systems. This is to protect everyone’s personal information from unlawful and unauthorised access.

Information Commissioner’s Office in the UK

The ICO in the UK issued a statement emphasising that public safety and security is their primary concern. Data Protection law isn’t going to prevent the government, NHS or health professionals from informing the public about the virus or using technology to facilitate diagnoses, among other things.

ICO Q&A for data controllers is also very useful. It outlines to what extent you can share COVID-19 health information. It also states the implications of prioritising other areas of your organisation over data protection compliance during this time.

COVID-19 recovery period

The ICO has also released six data protection steps that organisations must take during the COVID-19 recovery period. The steps for data protection are:

  • Only collect and use what’s necessary
  • Keep it to a minimum
  • Be clear, open and honest with staff about their data
  • Treat people fairly
  • Keep people’s information secure
  • Staff must be able to exercise their information rights

There is also a link to additional guidance for businesses who are starting to open up as a result of the easing of lockdown restrictions. The ICO reiterated that businesses must continue to comply with the data protection principles when collecting additional personal information. This will ensure they provide a safe environment for their personnel.

Ireland Data Protection Commission

Ireland’s Data Protection Commission (DPC) emphasises that any measures taken regarding personal information in relation to COVID-19 must be necessary and proportionate. Look at Article 6 and Article 9 for grounds that allow you to process the information.

The Belgium supervisory authority

The Belgium supervisory authority clarified that businesses could not rely on Article 6 or 9 of the GDPR to do generalised checks on their employees (e.g. temperature checks). Only occupational physicians could do these. Employers were also not allowed to ask employees to fill out forms regarding their health or recent travels. In addition, the supervisory authority prohibited employers from disclosing the identity of an employee who tested positive for COVID-19 to other colleagues.

The International Association of Privacy Professionals

The IAPP has released an article highlighting the privacy risks to individuals in the wake of COVID-19. The article focuses on the risks of stigmatization, scapegoating and ostracization and the role organisations can play in mitigating these risks.