There are several reasons public health authorities may seek to collect COVID-19 data from private companies, including hospitals and health care providers. One of the top reasons is to track the spread of the virus and monitor the emergence of new clusters of infections so resources can be directed to areas most in need. Another reason is to send information to people who may have come into contact with someone who was diagnosed with or is suspected to have COVID-19.
Given this reality, let's focus on the privacy and data protection rules that apply to such data sharing and draw upon information from data protection authorities and other government agencies in the EU and U.S.
While there is a significant amount of uncertainty, as well as variation from country to country, there are guiding principles that are relevant across multiple jurisdictions. These include aggregating, anonymizing or deidentifying COVID-19 data before sharing it; minimizing the amount and types of data that are collected; limiting data retention periods; being transparent about sharing data; and keeping records of all activities around COVID-19 data requests from government authorities.
Handling government requests for COVID-19 data
Many companies have already begun receiving government requests for data related to COVID-19, and the volume of these requests is likely to increase. Indeed, large-scale government efforts to collect COVID-19 data are underway.
For example, in late March, hospital administrators in the U.S. were sent a letter requesting they report on a daily basis to the National Healthcare Safety Network within the Centers for Disease Control and Prevention about the aggregate number of in-house COVID-19 cases, the number of those on ventilators and in overflow locations awaiting an inpatient bed, and number of deaths in confirmed or suspected COVID-19 cases.
Hospitals are also requested to provide data on the total number of beds, bed capacity, ICU beds, ventilators and ventilators in use. In addition, hospitals with in-house COVID-19 testing capacity have been requested to report the total number of tests performed, rejected specimens and positive test results in a daily email to NHSN. It was also reported that a White House task force has reached out to health technology companies to create a “national coronavirus surveillance system.”
Some DPAs and policymakers, however, have expressed concern about tools that keep records of personally identifiable health data, contacts and location history. In a recent statement, for example, EU Parliament Civil Liberties Committee Chair Juan Fernando López Aguilar said, “These tools could seriously interfere with people’s fundamental rights to a private life and the protection of personal data, and are tantamount to a state of surveillance of individuals.”
In light of these concerns, what can companies do to provide protection against privacy threats while sharing COVID-19 data with government authorities?
Aggregate, anonymize or deidentify COVID-19 data
In general, with regard to sharing data with public health or other governmental authorities, sharing anonymized data is permissible in most EU countries. (The Netherlands appears to be an exception here, as is Finland, although that may change). In the EU, both the European Data Protection Supervisor and European Data Protection Board have indicated that as long as data is anonymized and “does not allow for individuals to be identified in any way,” data falls outside the scope of data protection rules.
In its COVID-19 data protection guidance, Lithuania’s State Data Protection Inspectorate advises that if only aggregate statistics are requested by a public health authority, data that identifies individual data subjects should not be provided. The Finnish Office of the Data Protection Officer similarly advises against naming individual employees when providing data about employees diagnosed with COVID-19 or under quarantine to third parties. As a guiding principle, the identities of the individuals to whom the COVID-19 data belongs should only be revealed if there is a justification for doing so. When the anonymity of the data subjects cannot be guaranteed, “careful thought needs to be given to whether narrow exceptions relating to public health apply” before a company decides to share data with a government agency.
One problem, however, is that anonymizing some data may be difficult, and assumptions about what types of data are anonymous need to be carefully examined.
In its guidance, the Dutch Autoriteit Persoonsgegevens referenced a study, published in Nature, that analyzed the mobility data of 1.5 million individuals over a period of 15 months and found that four spatio-temporal points are enough to identify 95% of individuals. The authors of the study concluded that location data “provides little anonymity.” (Think about the unique combination of your neighborhood, workplace, grocery store and gym as essentially comprising your “geoprint” — that is, no one else may visit this same configuration of locations with the frequency and regularity that you do.)
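The two points above, that a few spatio-temporal points single people out and that aggregate statistics are the safer thing to hand over, can be checked on data before anything is released. The following is an added example, not code from the article or any DPA; it uses a constructed set of coarse (region, hour) location points for five fictitious people, measures how many of them are singled out by k of their own points, and produces the aggregated, small-cell-suppressed counts that the guidance prefers.

```python
# Added example (not from the article): measure how identifying a handful of
# spatio-temporal points is in a constructed location dataset, then build the
# aggregate, small-cell-suppressed form that is safer to share.
from collections import defaultdict
from itertools import combinations

# Constructed sample: (person_id, region, hour_bucket). Regions and hours are
# coarse "antenna/hour" style points; no real people or places.
PINGS = [
    ("p1", "north", 8), ("p1", "center", 12), ("p1", "east", 18), ("p1", "north", 22),
    ("p2", "north", 8), ("p2", "center", 12), ("p2", "west", 18), ("p2", "north", 22),
    ("p3", "south", 8), ("p3", "center", 12), ("p3", "east", 18), ("p3", "south", 22),
    ("p4", "north", 8), ("p4", "center", 12), ("p4", "east", 18), ("p4", "north", 22),
    ("p5", "south", 8), ("p5", "center", 12), ("p5", "west", 18), ("p5", "south", 22),
]


def traces(pings):
    """Group pings into one set of (region, hour) points per person."""
    per_person = defaultdict(set)
    for pid, region, hour in pings:
        per_person[pid].add((region, hour))
    return per_person


def unique_fraction(pings, k):
    """Fraction of people singled out by some subset of k of their own points,
    i.e. no other person's trace contains all k of those points."""
    per_person = traces(pings)
    singled_out = 0
    for pid, points in per_person.items():
        others = [pts for other, pts in per_person.items() if other != pid]
        if any(not any(set(sub) <= pts for pts in others)
               for sub in combinations(sorted(points), k)):
            singled_out += 1
    return singled_out / len(per_person)


def aggregate_counts(pings, min_cell=3):
    """Aggregate form fit for sharing: people per (region, hour) cell, with
    cells below min_cell suppressed (reported as None) instead of released."""
    people_per_cell = defaultdict(set)
    for pid, region, hour in pings:
        people_per_cell[(region, hour)].add(pid)
    return {cell: (len(ppl) if len(ppl) >= min_cell else None)
            for cell, ppl in sorted(people_per_cell.items())}
```

In this constructed set no single point identifies anyone, but two points already single out three of the five people; the aggregated counts expose only cell totals, with cells of fewer than three people withheld.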
Compared to many EU countries, guidelines in the U.S. seem to be more permissive with regard to the anonymization of COVID-19 data. The U.S. Equal Employment Opportunity Commission, for example, states on its coronavirus webpage (as of April 9) that, upon learning an employee has COVID-19, an employer may disclose that employee’s name to a public health agency.
Nonetheless, as Alston & Bird Senior Counsel Peter Swire has argued cogently, before agreeing to provide data to the federal government without any plans about providing transparency to data subjects or the wider public, companies should consider how their actions today will be viewed by an observer in the future. While it may be legally permissible to share personally identifiable COVID-19 data with a government agency, it may not be necessary or even in the company’s interest to do so. Drawing a parallel to the call records provided by AT&T and Verizon to the government in the wake of 9/11, Swire reminds us that “this history is a vivid lesson to company executives that actions taken during a crisis can subsequently come under harsh criticism.”
One last point to consider is that, as a report by Bird & Bird indicates, sharing data that identifies suspected or confirmed COVID-19 cases by an employer may only be permissible in some countries if the company has received a formal order from the public health authority to do so.
Minimize collection and limit retention
In some cases, it may be necessary to resort to more invasive data processing measures, such as processing non-anonymized location data of individuals to track the spread of COVID-19. Guidance from the EDPB suggests such tracking “could be considered proportional under exceptional circumstances,” although it “should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles,” including proportionality and limits on data retention. In other words, as the EDPB puts it in its COVID-19 guidance, “The least intrusive solutions should always be preferred.”
On this point, Lithuania’s State Data Protection Inspectorate has also made a narrow but useful distinction on the types of data processing with respect to COVID-19 that are permissible. Namely, it differentiates between access and storage. While it argues that employers should be able to access data about whether their employees have symptoms of or have been diagnosed with COVID-19, they may not necessarily need to “document the information received or compile relevant data files.”
In other words, data controllers may preserve privacy protections by setting up a process to make decisions based upon COVID-19 data in a way that does not necessitate files containing personal information to be created.
Furthermore, Lithuania’s DPA urges data controllers to assess requests for personal data from public authorities for health purposes “on a case-by-case basis.”
Be transparent
While the post-COVID-19 era may remind us in some ways of the post-9/11 era, there is at least one key difference: Although governments often demanded secrecy for their surveillance efforts, there seems to be no such need for secrecy in the surveillance of COVID-19. On the contrary, the more information that is made publicly available about what steps companies, governments and other organizations are taking to counter the virus’s spread, the more likely that coordination can occur and the better off we all are likely to be.
Thus, companies that receive a request to share data with government agencies related to COVID-19 should work to communicate that to the data subjects. Companies should not only be clear about the purposes of their data processing efforts around COVID-19 and how long they plan to retain the data, but also whether they have any plans to share or have already shared COVID-19 data with governments or public health authorities.
Keep records of government requests for COVID-19 data
One final piece of guidance is for companies to document, in a detailed and accurate way, government requests for COVID-19 data they receive. In this vein, the Lithuanian DPA suggests data controllers keep a record of data submissions to public health authorities, in line with the accountability principle. Similarly, Ireland’s Data Protection Commission recommends data controllers “document any decision-making process regarding measures implemented to manage COVID-19.”
Conclusion
Although responses to the COVID-19 crisis, levels of preparedness and general approaches to data privacy issues involving the pandemic have differed from country to country, and each jurisdiction's approach to the crisis is unique, some general principles apply across multiple jurisdictions and should preserve privacy rights without negatively affecting efforts to slow the spread of and eliminate the outbreak.
Specifically, companies that aggregate, anonymize or deidentify data before sharing it with governments or public health authorities can reduce the chance that individuals affected by COVID-19 will also be exposed to privacy risks. Minimizing data collection, limiting access and retaining data only for the minimum amount of time it is needed can also reduce the harms that may arise from secondary, unintended and potentially harmful uses of COVID-19 data.
Being transparent about government requests for COVID-19 data can keep data subjects informed about the ways in which their data is being used while also enhancing their trust. Keeping records of requests to share COVID-19 data with government agencies and of how those requests were handled can also keep companies prepared in the event of an audit of their data protection practices.
Last but not least, multiple DPAs have pointed to the importance of adequate staff training on data protection, a tried-and-true means of protecting privacy under any circumstance.
It is also worth mentioning that sharing data with the consent of data subjects is another way to preserve privacy protections for individuals affected by COVID-19. Yet, it seems unlikely that many data controllers will rely on it as a lawful basis for processing, given the nature of the situation, as well as the exceptions built into Articles 6.1.d-e and Article 9.2.i of the EU General Data Protection Regulation.
Nevertheless, the EU Parliament's Juan Fernando López Aguilar has expressed skepticism about whether the consent of COVID-19 patients would be “freely given, specific, informed and unambiguous” because some “people may feel compelled” to share their contacts and location history once they test positive for COVID-19.
In general, DPAs around the world seem to be mostly in agreement that data processing around COVID-19 should be guided by necessity, proportionality and transparency, which are critical principles to adhere to, especially during times of crisis.