News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Privacy questions for COVID-19 testing and health monitoring Related reading: The privacy issues for EU, UK and US employers during COVID-19

rss_feed

""

Diagnostic and antibody testing for COVID-19 is increasing significantly as governments and health authorities look for data to inform decisions about how to safely end lockdowns and restart economies. This testing and other health monitoring efforts will result in the collection of massive amounts of personal data. While public health and safety concerns are paramount, there are numerous privacy issues worth considering, particularly since the life cycle of the data is unclear.

Data privacy laws, like the EU General Data Protection Regulation and the U.S. Health Insurance Portability and Accountability Act, have exceptions applicable in a pandemic that may allow processing of personal data. At the same time, guidance from the European Data Protection Board makes clear this data still should be protected. In its statement, the EDPB highlighted the principles of purpose limitation, transparency, security and confidentiality, and accountability.

Industry guidance followed, with Microsoft publishing seven privacy principles “for governments, public health authorities, academics, employers and industries to consider as we collectively move forward into this next phase of tracking, tracing and testing” during COVID-19. The Microsoft principles are similar to those referenced by the EDPB and focus on consent, transparency, data minimization, security, deletion and limiting data collection for public health purposes only. 

In the U.S., the pandemic recently prompted a group of Senate Republicans to introduce the COVID-19 Consumer Data Protection Act, noting “individual privacy, even during times of crisis, remains critically important.” The bill contains protections for “personal health information,” as well as geolocation and proximity data.

The importance of privacy is being widely discussed in the context of contact tracing but not necessarily with respect to the actual COVID-19 testing. Perhaps it is because people expect existing privacy laws will protect this information. We are learning, however, that testing in a pandemic raises novel privacy issues because of the scale of the data collection, the non-traditional methods and reasons for its collection, and the benefits and risks to sharing the data widely. The scope, scale and context of this data collection require that we consider these issues carefully and ask some key questions.

Scope of testing and health monitoring

The testing initiatives underway related to COVID-19 involve collecting and sharing a tremendous amount of data. In Europe, Germany is conducting approximately 120,000 diagnostic tests a day. The U.K. set a goal of performing 100,000 tests a day by the end of last month. In the U.S., Politico’s tracker illustrates the significant increase in COVID-19 testing in each state, and experts have suggested the U.S. needs to more than triple its testing before it can safely reopen, performing 500,000 to 700,000 test per day. Another report puts that number at 5 million tests per day, increasing over time to 20 million. 

Countries like Germany, Italy and the U.S. also are beginning to conduct antibody testing, a blood test that looks for coronavirus antibodies that may provide some immunity to the disease. 

Temperature checks and even thermal imaging are expected to be a large part of any reopening plans. In the U.S., some states are requiring employers to perform daily temperature checks on employees and/or ask specific health screening questions. Businesses may even insist customers submit to temperature checks and health screening, as discussed in a compelling New York Times opinion piece. Recent guidance from the American Academy of Pediatrics regarding planning considerations for returning to school discusses “screening, monitoring, and testing for illness among staff and students.”

Nontraditional testing and data collection

Governments are being creative about how they approach testing, and it is not always done by a health care provider or in a lab. Drive-through testing is now the global norm. New York conducted its initial antibody testing in grocery stores using public health nurses and is allowing pharmacists to perform diagnostic tests for COVID-19. Massachusetts has mobile testing for long-term care and assisted living facilities, using “trained personnel from the Massachusetts National Guard” to collect samples on-site. Individuals in the U.S. can now order antibody tests directly without a health care provider’s order. Recent guidance from the U.S. Equal Employment Opportunity Commission allows employers “to administer COVID-19 testing to employees before they enter the workplace to determine if they have the virus.”

Widespread sharing of data

Personal data and test results are sometimes shared broadly. Health care providers are sending this information to public health departments and governments as they try to control the spread of the disease. As IAPP Editorial Director Jedidiah Bracy, CIPP, discussed in a piece last month, first responders are being given the addresses of people who have tested positive for COVID-19. Employers can review test results for employees and keep logs of temperature screenings.

It seems likely antibody test information will be shared, too, especially given the potential immunity implications. Countries, including Germany, Italy, the U.K. and the U.S., have considered whether to use antibody testing to issue “immunity certificates” or other documentation to those individuals who test positive for the presence of COVID-19 antibodies. The World Health Organization has criticized this idea because of the current lack of information about immunity, dampening enthusiasm for this approach. However, this could change with further studies.     

What questions should we be asking?

As economies reopen, health data collection, use and sharing will only increase. Mindful of the privacy principles identified by regulators, legislators and industry, those controlling the data collected will face critical questions. The following come to mind:

What is the context of the data collection?

  • In what jurisdiction is the testing or health monitoring taking place?
  • Who is conducting the testing or health monitoring? A hospital, a pop-up testing site, an employer, an individual, a school?
  • What is the purpose of testing or health monitoring? Is it a voluntary health assessment, or is it mandated by national, state or local officials, employers, or health and safety regulations?

What are the applicable legal requirements given the context of the data collection?

  • What privacy or data collection laws are applicable to the data you collect, how you use it, and with whom you can share it?
  • Do exceptions apply during the pandemic?
  • Is guidance from government authorities available?
  • Are you collaborating with HR and legal colleagues to avoid discriminatory uses of the data?

Are data minimization principles being followed?

  • What data points are you collecting?
  • Which are you recording? 
  • Is all data retained or shared necessary for the intended purposes?

What is the retention plan?

  • Have you determined the minimum amount of time needed to retain the data and set a deletion schedule and process for compliance?
  • Are there legal requirements that impact your data retention policy?

Is there transparency in the process?

  • What information are you providing to affected individuals about the testing or health monitoring process? 
  • Do you inform individuals how their data will be used, with whom it will be shared, and how long it will be retained?

Are there specific use limitations?

  • Have you limited the roles or individuals with access to the data?
  • Do you have rules and guidelines in place for sharing test results internally, specifically or anonymously?
  • Do you have rules and guidelines in place for sharing the data with third parties, such as governments or nongovernmental organizations? 

How secure is the data collected?

  • Is the data anonymized, aggregated, deidentified and/or encrypted?
  • Do you have stringent security measures and confidentiality policies in place? 
  • Is the data stored securely and with limited access controls?

Given the nontraditional way testing and health monitoring is taking place, issues like transparency, consent and data minimization seem more difficult to ensure. Similarly, for some communities, sharing test results and health monitoring data is considered necessary, outweighing any privacy concerns. Perhaps most important are the principles related to safeguarding the data and deletion, particularly given the volume of data the COVID-19 testing process will generate.

Most guidance today recommends collecting health screening data when necessary for the health and well-being of the data subjects and those who may come into contact with them but safeguarding their identity as much as feasible. This includes limiting internal and external access to test results that may identify a particular person, sharing the information only anonymously or only with explicit consent (if possible), and keeping health screening records only for as long as necessary to comply with workplace health policies and legal requirements.

As we begin this next phase of "tracking, testing and tracing" to combat COVID-19, it will be interesting to see how these privacy issues are addressed.       

Photo by Jair Lázaro on Unsplash

Infographic: COVID-19 Testing and Health Monitoring

The IAPP created an infographic outlining the privacy-related questions surrounding COVID-19 testing and health monitoring. As economies reopen, the scope and scale of health data collection, use and sharing will only increase. Employers and businesses are conducting testing, temperature checks and health screenings.

View Here


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Cathy Cosgrove Nonmember Contributor
Tags
Government
Health Care
Personal Privacy
Privacy Law
Privacy Operations Management
Westin Research Center
2 Comments

If you want to comment on this post, you need to login.

  • comment Daniele Canestro • May 14, 2020 
    Very interesting and thought-provoking, considering the amount of entrepreneur already looking for setting up private test facilities.
  • comment Marc Techner • May 19, 2020 
    Very nice piece of research and analysis on the coming COVID-19 privacy concerns, especially as testing finally begins to ramp up. Thanks.
Related Stories
Infographic: COVID-19 Testing and Health Monitoring

The IAPP created an infographic outlining the privacy-related questions surrounding COVID-19 testing and health monitoring. As economies reopen, the scope and scale of health data collection, use and sharing will only increase. Employers and businesses are conducting testing, temperature checks and health screenings.

View Here

Related Stories
Tags
Government
Health Care
Personal Privacy
Privacy Law
Privacy Operations Management
Westin Research Center
Recent Comments