How is data being used to combat COVID-19? Privacy regulators respond

In January, the World Health Organisation declared COVID-19 to be a Public Health Emergency of International Concern. The virus has triggered a range of interventions, some of which involve the use of data to track the virus, including intrusive disclosures about affected individuals.

We consider these interventions and the extent to which they are raising concerns among privacy regulators. This includes concerns about the steps some companies are taking to combat the virus, as well as consequential issues such as safe homeworking or the doxxing of infected individuals on social media. We have provided a Q&A for companies responding to the virus.

The privacy of infected individuals is important but given the serious implications of COVID-19 most companies should not be deterred from taking reasonable steps to protect the health of their employees and others.

How are governmental institutions using data?

The World Health Organisation has a situation dashboard (here) that tracks the progression of the virus in different jurisdictions, including providing data on the incidents of infection over time. This broad disclosure on the progress of the disease is reflected in many individual jurisdictions which provide aggregated information about the progression of the virus, such as the UK Department of Health (here), Santé Publique France (here) and the German Robert-Koch-Institute (here).

This aggregate information is backed up by more detailed information about each infection which is vital to both try to contain the outbreak and create models for the progression of the virus. The importance of this data is demonstrated by the German Federal Office of Public Health’s new ordinance (Coronavirus-MeldeVO) which extends the reporting obligations for communicable diseases to COVID-19 infections. Cases of COVID-19 infection must now be reported by the hospitals to the public health departments and onwards to the Robert-Koch-Institute. Nearly all personal data must be reported including, name, gender, address, contacts, date of diagnosis, source of infection, occupation as well as the contacts of the reporting person and the testing laboratory.

Stronger surveillance measures have been taken in other jurisdictions, such as mainland China. where the outbreak of COVID-19 is thought to have originated. The Cyberspace Administration of China (the main privacy regulator) has actively encouraged private companies and large state-owned enterprises, such as the big three telecoms operators, to provide data for detailed analytics to track the virus. For example, providing location information for individuals infected or suspected of inflection. Transport operators have also been directed by emergency notices to collect and provide information on passengers to the relevant health departments. Joint public-private cooperation measures such as these appear to be curbing instances of new cases in mainland China.

This data supports the modelling that is being used as the basis for public health response in many jurisdictions, such as the UK’s decision that the disease is now established and so the UK will move from phase 1 of its response (containment) to phase 2 (delay).

Disclosures about infected individuals

More detailed information supporting these models has not been published in most jurisdictions, though there are some exceptions that are taking a more aggressive approach. For example:

Singapore: The Ministry of Health has provided detailed information about infections, for example here. This information has been used to create various dashboards and other tools (e.g. see co.vid19.sg/dashboard). The information disclosed about individuals includes gender, age, nationality and information about their historic location prior to infection. The location information lists recent travel, place of work, and the hospital at which the patient has been treated.

South Korea: Similarly, the South Korean government has been disclosing information about individuals infected with the virus, including details of their location that has allowed others to draw inferences about those individuals. For example, it has been used to infer that two infected individuals were likely to be having an affair based on their location and behaviour.

Hong Kong Special Administrative Region, China (“Hong Kong”): The Hong Kong government has a detailed local situation dashboard (here) showing the sex, age and residential location of infected cases. It has also compiled a list (here) of all compulsory quarantine cases and their locations. Pursuant to emergency legislation/powers, there are now a number of travel restrictions/compulsory quarantine measures imposed on persons arriving in Hong Kong from Mainland China, Korea, Italy and Iran.

Neither Singapore, South Korea nor Hong Kong actually name the infected individuals but the combination of the information being disclosed, together with other information in the public domain, will potentially allow their identification and there are real concerns about this being used to doxx those individuals (see below).

There are potential benefits to this more granular disclosure of information. It provides greater transparency about the spread of the disease and allows the public to more readily identify if they are at risk of infection, e.g. if they have been in a location close to an infected individual. However, these disclosures are potentially intrusive, and this model has not been followed in other jurisdictions, such as EU Member States.

Nor is this approach consistent across Asian jurisdictions. In Japan, the Ministry of Health, Labour and Welfare is providing ongoing updates on the number of infected individuals, but the end of each announcement will always state that the “media should refrain from collecting data online in light of patients’ privacy”.

Local governments in Japan are also continuing to announce newly infected individuals in their prefecture but only with approximate details such as gender, rough age (e.g. in his 30’s), which area they live, whether they have travelled abroad recently and where they became infected (e.g. a gym located in particular area). Almost all local governments repeat the same message that the media should not report on patients’ details beyond what is disclosed in official announcements and should not collect information from related organisations, in order to protect patients and their family’s privacy.

What concerns are Asian and Russian privacy regulators raising?

The position of regulators will vary from jurisdiction to jurisdiction.

Mainland China: Cyberspace authorities have been clear that the collection of personal information without consent of individuals should only be conducted by authorised governmental departments and medical institutions. It should also follow principles of data minimisation by collecting only information necessary for the prevention and control of the outbreak, with a focus on the confirmed or suspected cases and their close contacts. Further, personal information should only be used and disclosed for the purposes of disease control after anonymisation.

Hong Kong: The public has expressed concerns about the ability of the government to collate a significant amount of data and to track the whereabouts and activities of individuals, particularly through allegedly intrusive means. For example, individuals in compulsory home quarantine have been required to wear an electronic tracking bracelet at all times.

The Privacy Commissioner acknowledges this data collection is subject to privacy legislation but considers that other important rights (e.g. right to life and public interest) prevail over the right to privacy. In particular, Hong Kong privacy law contains express health-related exemptions which permit timely access to personal data (identity and location), so that healthcare services can be provided to prevent the individuals concerned, or the community at large, from being subjected to serious harm to their physical or mental health.

Singapore: Taking a similar approach, the Personal Data Protection Commission has recently issued an advisory statement permitting organisations to collect, use and disclose personal data without the consent of individuals, to carry out contact tracing and other response measures. Organisations may even collect visitors’ NRIC, FIN or passport numbers for this purpose - the collection, use and disclosure of which were specifically limited under advisory guidelines issued as recently as September last year.

Organisations are however still required to comply with relevant data protection rules such as taking reasonable security steps to secure the personal data collected. Broader guidance has also been issued by Singapore’s Ministry of Manpower (here).

Russia: Russia has taken a range of steps to curb the spread of COVID-19. On 5 March 2020 the Mayor of Moscow ordered all companies operating in Moscow to take their employees’ temperatures and send the employees home if they have a fever. In response, many companies are using infrared thermometers on both staff and visitors.

The Russian data protection authority (Roskomnadzor) issued guidance on 10 March 2020 stating that companies do not need their employees’ consent for these checks. Instead they can rely on an exemption that allows the processing of health data, such as body temperature, where necessary to comply with their legal obligations as employers.

However, the Roskomnadzor’s guidance states that temperature checks on others, such as visitors, can only be carried out with consent. This is potentially difficult as Russian data protection law imposes a high standard of consent for the processing of health data; it must be in writing and contain, among other things, the data subject’s passport details. This may be the reason why guidance goes on to say companies should not check their identity of those visitors. This may be to ensure information collected is not personal data, and so the formal requirements for consent do not apply.

Finally, the guidance suggests that the information collected should be deleted within one day of collection. It is not entirely clear if the Roskomnadzor’s approach is fully aligned with Russian data protection law but may reflect the special circumstances of this infection.

How are EU regulators responding in light of the GDPR?

Within the EU, information about infected individuals will contain health information and so be special category data under the GDPR which means it is subject to additional protection. However, this health information can still be processed in a range of situations. This includes where there is a public interest in protecting public health such as protecting against serious cross-border threats to health and where the processing is to comply with employment law obligations, such as to provide a safe working environment.

A number of EU data protection regulators have now provided guidance on the implications of COVID-19. A selection of that guidance is discussed below.

Italy: However, the Italian data protection regulator (Garante per la protezione dei dati personali) has responded to steps taken by companies to prevent the spread of the virus within their business premises. In light of the legal duty on Italian employers to take all appropriate measures necessary to protect employees and prevent risks to their physical integrity, companies have launched internal awareness campaigns and adopted dedicated support hotlines.

Some companies have gone further issuing questionnaires to their employees to identify potential sources of contamination. These “home-made” precautionary measures include asking employees details about their health and records of their body temperature to spot possible COVID-19 symptoms, as well as details on visits to “red zones” of heightened risk. In some cases, these measures have been extended to the health status of employees’ family members and even visitors and service providers accessing companies’ premises.

To stop this widespread and excessive collection of health data, the Garante published a statement on 2 March 2020 stating that preventing the spread of Coronavirus and – by extension – processing information relating to COVID-19 symptoms are actions that must exclusively be performed by the competent healthcare authorities. Companies should stop collecting information in this systematic and generalised way through similar ‘do-it-yourself’ initiatives.

However, this is not to say no steps should be taken. The Garante noted that emergency legislation from the government requires individuals who have recently visited red zones a duty to inform healthcare authorities and that, in accordance with the national law, employees must notify the employer of any potential source of health and safety risks at work.

France: Similarly, the French data protection authority (Commission Nationale de l'Informatique et des Libertés) has published a notice summarizing what employers can and cannot do regarding the monitoring of COVID-19.

Employers are responsible for the health and safety of their staff and must implement appropriate measures. However, employers cannot take measures which could infringe the privacy of the data subjects, in particular by collecting health data which goes beyond the management of suspected exposure to the virus. For example, employers must refrain from systematically collecting personal data to identify possible symptoms presented by employees and their relatives. It is therefore not possible to implement mandatory body temperature readings of employees and visitors, neither is it possible to collect medical information through questionnaires. However, employers may record the identity of a person suspected of having been exposed to the virus, the date of exposure, as well as the measures taken as a consequence (such as confinement, work from home or referral to a doctor). The CNIL considers that the assessment and collection of further information relating to the virus is the responsibility of public authorities, which may contact employers directly should they need to obtain more information about possible cases.

Luxembourg: The data protection authority (Commission nationale pour la protection des données) has published guidelines for employers which explains that, while employers must ensure the safety and health of their employees and others, they must also consider data protection law. Employers can ask their staff to inform them or the competent health authorities if they have been exposed to the virus. In turn, employees must take measures to preserve the health and safety of others and must inform their employer if they suspect they have been exposed to the virus. An employer may, as part of its safety and health obligations, record the date and the identity of the person suspected of having been exposed to the virus, as well as the organisational measures the employer has taken.

If requested, employers can give health authorities information necessary for the health or medical care of the exposed person. The identity of the concerned employee should however not be disclosed to third parties, including other employees, without a clear justification.

However, employers should not collect information in a systematic and generalised manner or ask employees about possible symptoms presented by them or their family. This includes not making employees provide daily body temperature readings and not making them fill in medical forms or questionnaires. Similarly, employers cannot ask visitors sign a certificate confirming they do not have any symptoms of COVID-19 or that they have not recently travelled to a risk area.

UK: The Information Commissioner has also issued brief guidance on COVID-19 (here) which recognises the virus has created “unprecedented challenges”. The guidance addresses many of the issues raised by other EU regulators and states that any response to the virus must the proportionate. However, the overall tone is that data protection law will not prevent employers taking reasonable steps to respond to this pandemic. 

Poland: In contrast, the Polish data protection authority has not yet issued any guidance on COVID-19. However, the Polish National Labour Inspectorate has provided answers to common employment law questions, some of which cover privacy issues.

Employers have a general responsibility for ensuring health and safety at work. However, Polish employers are not allowed to independently assess the health of employees, which should only be carried out by medical professionals. If employers do not allow an employee to work due to potential COVID-19 infection, they should be alert to the risk of this leading to that employee being harassed as a result of that suspected infection.

Germany: Similar protections apply in Germany. Under employment law, an employer is not allowed to know the reason for the incapacity to work. Due to the highly contagious nature of COVID-19 two German data protection authorities (Landesbeauftragter für Datenschutz und Informationsfreiheit des Landes Baden-Württemberg and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) see legal grounds for the processing of (special categories of) personal data.

The legal grounds encompass (i) processing data of employees who have been tested positive for Covid-19; (ii) processing data of employees regarding a potential stay at a high risk area (as defined by the Robert-Koch-Institute) or regarding contact with a person diagnosed positive for Covid-19; and (iii) processing personal data of employees who were in contact with colleagues who were tested positive.

The authorities stress that the name of the employee who is diagnosed positive with Covid-19 must generally not be disclosed and that any processed data must be deleted without undue delay, once there is no more legitimate interest for the processing, which is after the end of the Corona-crisis.

Spain: While the Spanish data protection authority has been silent on COVID-19, employers cannot implement disproportionate and privacy-intrusive measures or collect excessive information from their employees, e.g. mandatory medical reports or mandatory temperature data. The Spanish Labour Ministry has clarified that Spanish employers should take all appropriate organisational and preventive measures to reduce social contact. Where there is a serious and immediate risk of transmission of the virus, employers must suspend employment activity in the workplace, inform their employees of the risk and implement prompt measures to allow employees to leave work.

What is the position in the US?

The US Department of Health and Human Services (HHS) declared a public health emergency on 31 January 2020. HHS issued a bulletin on 3 February 2020 about compliance with federal HIPAA privacy obligations and the Coronavirus. HIPAA covered entities must still comply with their privacy and security obligations under HIPAA’s Privacy and Security Rules in relation to protected health information (PHI). HHS warned that these protections are “not [be] set aside during an emergency.”

  • Notably, health care providers may “share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public,” including family, friends, caregivers, and law enforcement without a patient’s permission – such disclosures should be consistent with applicable federal and state law and ethical standards.
  • Regarding the news media, reporting about an identifiable patient, or publicly disclosing specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s (or their authorised representative’s) written authorisation. If a patient has not affirmatively objected to the release their PHI, however, a covered hospital or provider may, upon request, disclose information about a particular patient by name, may release limited directory information to acknowledge a patient is at its facility, and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, incapacitated, or treated and released).
  • HIPAA covered entities must continue to make reasonable efforts to limit publicly disclosed information to the “minimum necessary” to satisfy the purpose of the disclosure.
  • HIPPA covered entities must continue to implement reasonable technical, physical and administrative safeguards for electronically-stored PHI under the HIPAA Security Rule.
What wider privacy issues are arising?

Some privacy regulators are also considering wider concerns. Given the increasing number of employees working from home in Hong Kong, the Privacy Commissioner has reminded companies of the need to secure data, and encouraged organisations to report data breaches even though there is no mandatory reporting requirement under Hong Kong data protection rules. This is partly in relation to recent data breaches, such as the suspected theft of two mobile phones of civil servants which contained contact details of individuals who were then under compulsory home quarantine.

The Hong Kong Privacy Commissioner has also publicly condemned the increasingly widespread practice of illegal doxxing, where infected individuals’ identities and personal data (gathered from public and private sources) has been disclosed on websites, social media and public forums without their consent and with the potential for psychological harm to the data subject.

In mainland China, disclosures on the internet or through messaging apps such as WeChat of the personal information of individuals infected or suspected of inflection, or even their family members or other close contacts, have been commonplace. Local governments have been quick to sanction the relevant individuals for illicit publication of personal data in violation of existing data protection laws.

The UK Information Commissioner has made it clear (here) that the restrictions on direct marketing in ePrivacy laws will not prevent the Government, the NHS or any other health professionals from sending public health messages, for example sending text or email updates regarding the status of the virus. Similarly, these organisations should feel free to use “the latest technology to facilitate safe and speedy consultations and diagnoses”, which presumably opens the way for medical consultations using Skype or Facetime.

Finally, there have been some wider implication of misinformation spread as a result of COVID-19. The US Securities and Exchange Commission issued an alert (here) in early February to consumers warning about the risks of “investment opportunities,” online promotions and other scams like “pump and dump” schemes seeking to take advantage of consumers, particularly in the context of COVID-19’s impact on US markets. Similarly, the US Federal Trade Commission issued guidance (here) in mid-February warning of potential scams, including related to testing, medical treatments, and preventative products, related to growing fears around the COVID-19 outbreak. Similarly, state attorneys general are trying to crack down on consumer scams related to COVID-19.

How are private companies responding?

The position of private companies will vary depending on the jurisdiction and sector in which they operate. (For example, those in the healthcare sector will face very different issues.) However, the following points will be broadly applicable across most jurisdictions and sectors.

Can I provide advice to my employees on how to protect themselves, e.g. hand washing?

Yes. You absolutely should be taking these steps. You should also ensure that advice reflects current medical guidance.

Can I ask employees to notify the company if they have recently visited infection hot-spots or believe they have COVID-19?

Yes. In most jurisdictions, this is an appropriate step to try and control the spread of infection within your company, so long as the information being collected is targeted and proportionate. You should also consider asking the individual if they have informed the relevant authorities.

Where an employee within my company has contracted COVID-19, can I inform other employees with whom that individual has come into contact?

Yes. In most jurisdictions, this is an appropriate step to try and control the spread of infection. You would need to consider carefully if it is necessary to identify the actual employee who was infected. However, it is unlikely that an external announcement would be justified.

Can I carry out checks on employees and visitors, for example taking the temperature of visitors to company premises?

It is unlikely this will be permissible in most jurisdictions, or that this will be an effective way to help combat the spread of COVID-19, though some jurisdictions are taking a more aggressive approach to identifying infection. You can, of course, ask visitors not to attend your premises if they think they are at risk and to observe relevant health and safety standards (such as hand washing) when on site.

Can I ask employees to work from home, either because they might be infected or to stop the spread of the virus more generally?

This will raise a range of issues, including the practicality of home working arrangements. From a data protection perspective, the key issue is to ensure the security of information in a home working environment.

Are there any other issues to consider?

You should ensure the information you collect about employees is held securely, and you may want to update your privacy notices to refer to this new processing. In some cases, you may also need to carry out a data protection impact assessment, for example if you are based in the EU and subject to the GDPR. If you are in the UK, this processing may also require you to create an appropriate policy.

For a broader picture of legal issues raised by the response to COVID-19, please see the Asian and UK versions of our coronavirus guidance, as appropriate. Other local guidance is available from your normal Linklaters contact. 

By the Linklaters Global Data Family, including Saverio Puddu, Samantha Cornelius, Alex Roberts, Jakub Brecka, Mamiko Nagai and Caitlin Potratz Metcalf 

***As COVID-19 spreads, a number of our team members and authors are working from home. Writing this article has been a way for us to stay linked up and demonstrates the spirit of community and thirst for sharing knowledge in our global team. We may be far apart, but we remain connected every day. While we have had input from too many people to name as authors here, their contribution is hugely valued and always felt. We wish all of them, and you, good health.***