Diagnostic and antibody testing for COVID-19 is increasing significantly as governments and health authorities look for data to inform decisions about how to safely end lockdowns and restart economies. This testing and other health monitoring efforts will result in the collection of massive amounts of personal data. While public health and safety concerns are paramount, there are numerous privacy issues worth considering, particularly since the life cycle of the data is unclear.

Data privacy laws, like the EU General Data Protection Regulation and the U.S. Health Insurance Portability and Accountability Act, have exceptions applicable in a pandemic that may allow processing of personal data. At the same time, guidance from the European Data Protection Board makes clear this data still should be protected. In its statement, the EDPB highlighted the principles of purpose limitation, transparency, security and confidentiality, and accountability.

Industry guidance followed, with Microsoft publishing seven privacy principles “for governments, public health authorities, academics, employers and industries to consider as we collectively move forward into this next phase of tracking, tracing and testing” during COVID-19. The Microsoft principles are similar to those referenced by the EDPB and focus on consent, transparency, data minimization, security, deletion and limiting data collection for public health purposes only. 

In the U.S., the pandemic recently prompted a group of Senate Republicans to introduce the COVID-19 Consumer Data Protection Act, noting “individual privacy, even during times of crisis, remains critically important.” The bill contains protections for “personal health information,” as well as geolocation and proximity data.

The importance of privacy is being widely discussed in the context of contact tracing but not necessarily with respect to the actual COVID-19 testing. Perhaps it is because people expect existing privacy laws will protect this information. We are learning, however, that testing in a pandemic raises novel privacy issues because of the scale of the data collection, the non-traditional methods and reasons for its collection, and the benefits and risks to sharing the data widely. The scope, scale and context of this data collection require that we consider these issues carefully and ask some key questions.

Scope of testing and health monitoring

The testing initiatives underway related to COVID-19 involve collecting and sharing a tremendous amount of data. In Europe, Germany is conducting approximately 120,000 diagnostic tests a day. The U.K. set a goal of performing 100,000 tests a day by the end of last month. In the U.S., Politico’s tracker illustrates the significant increase in COVID-19 testing in each state, and experts have suggested the U.S. needs to more than triple its testing before it can safely reopen, performing 500,000 to 700,000 tests per day. Another report puts that number at 5 million tests per day, increasing over time to 20 million.

Countries like Germany, Italy and the U.S. also are beginning to conduct antibody testing, a blood test that looks for coronavirus antibodies that may provide some immunity to the disease. 

Temperature checks and even thermal imaging are expected to be a large part of any reopening plans. In the U.S., some states are requiring employers to perform daily temperature checks on employees and/or ask specific health screening questions. Businesses may even insist customers submit to temperature checks and health screening, as discussed in a compelling New York Times opinion piece. Recent guidance from the American Academy of Pediatrics regarding planning considerations for returning to school discusses “screening, monitoring, and testing for illness among staff and students.”

Nontraditional testing and data collection

Governments are being creative about how they approach testing, and it is not always done by a health care provider or in a lab. Drive-through testing is now the global norm. New York conducted its initial antibody testing in grocery stores using public health nurses and is allowing pharmacists to perform diagnostic tests for COVID-19. Massachusetts has mobile testing for long-term care and assisted living facilities, using “trained personnel from the Massachusetts National Guard” to collect samples on-site. Individuals in the U.S. can now order antibody tests directly without a health care provider’s order. Recent guidance from the U.S. Equal Employment Opportunity Commission allows employers “to administer COVID-19 testing to employees before they enter the workplace to determine if they have the virus.”

Widespread sharing of data

Personal data and test results are sometimes shared broadly. Health care providers are sending this information to public health departments and governments as they try to control the spread of the disease. As IAPP Editorial Director Jedidiah Bracy, CIPP, discussed in a piece last month, first responders are being given the addresses of people who have tested positive for COVID-19. Employers can review test results for employees and keep logs of temperature screenings.

It seems likely antibody test information will be shared, too, especially given the potential immunity implications. Countries, including Germany, Italy, the U.K. and the U.S., have considered whether to use antibody testing to issue “immunity certificates” or other documentation to those individuals who test positive for the presence of COVID-19 antibodies. The World Health Organization has criticized this idea because of the current lack of information about immunity, dampening enthusiasm for this approach. However, this could change with further studies.     

What questions should we be asking?

As economies reopen, health data collection, use and sharing will only increase. Mindful of the privacy principles identified by regulators, legislators and industry, those controlling the data collected will face critical questions. The following come to mind:

What is the context of the data collection?

  • In what jurisdiction is the testing or health monitoring taking place?
  • Who is conducting the testing or health monitoring? A hospital, a pop-up testing site, an employer, an individual, a school?
  • What is the purpose of testing or health monitoring? Is it a voluntary health assessment, or is it mandated by national, state or local officials, employers, or health and safety regulations?

What are the applicable legal requirements given the context of the data collection?

  • What privacy or data collection laws are applicable to the data you collect, how you use it, and with whom you can share it?
  • Do exceptions apply during the pandemic?
  • Is guidance from government authorities available?
  • Are you collaborating with HR and legal colleagues to avoid discriminatory uses of the data?

Are data minimization principles being followed?

  • What data points are you collecting?
  • Which are you recording? 
  • Is all data retained or shared necessary for the intended purposes?

What is the retention plan?

  • Have you determined the minimum amount of time needed to retain the data and set a deletion schedule and process for compliance?
  • Are there legal requirements that impact your data retention policy?

Is there transparency in the process?

  • What information are you providing to affected individuals about the testing or health monitoring process? 
  • Do you inform individuals how their data will be used, with whom it will be shared, and how long it will be retained?

Are there specific use limitations?

  • Have you limited the roles or individuals with access to the data?
  • Do you have rules and guidelines in place for sharing test results internally, whether in identifiable form or anonymously?
  • Do you have rules and guidelines in place for sharing the data with third parties, such as governments or nongovernmental organizations? 

How secure is the data collected?

  • Is the data anonymized, aggregated, deidentified and/or encrypted?
  • Do you have stringent security measures and confidentiality policies in place? 
  • Is the data stored securely, with access restricted to those who need it?

Given the nontraditional way testing and health monitoring is taking place, issues like transparency, consent and data minimization seem more difficult to ensure. Similarly, for some communities, sharing test results and health monitoring data is considered necessary, outweighing any privacy concerns. Perhaps most important are the principles related to safeguarding the data and deletion, particularly given the volume of data the COVID-19 testing process will generate.

Most guidance today recommends collecting health screening data when necessary for the health and well-being of the data subjects and those who may come into contact with them but safeguarding their identity as much as feasible. This includes limiting internal and external access to test results that may identify a particular person, sharing the information only anonymously or only with explicit consent (if possible), and keeping health screening records only for as long as necessary to comply with workplace health policies and legal requirements.

As we begin this next phase of "tracking, testing and tracing" to combat COVID-19, it will be interesting to see how these privacy issues are addressed.       
