COVID-19 Guidance and Resources

Below, access a collection of privacy news, resources, guidance and tools covering the COVID-19 global outbreak.

Daily Updates

The latest COVID-19 privacy developments from the Asia-Pacific region

As the COVID-19 pandemic continues, here are the latest stories on how the outbreak has affected privacy in the Asia-Pacific region: The Philippines’ Bohol province is using QR code contact-tracing cards to track individuals who may have been in contact with a confirmed COVID-19 case, the Manila Bulletin reports. Philippines' National Privacy Commission issued guidelines on how businesses handle customers' or visitors' personal information for contact tracing. According to Stuff, New Zealan... Read More

IAPP Coverage

Below, find the latest IAPP coverage surrounding the COVID-19 outbreak and its impact on the privacy industry.

Google, Apple outline privacy considerations for Exposure Notification System

The COVID-19 pandemic has seared contact tracing into our collective consciousness, but it doesn't mean the concept is anywhere near new. Noted Deputy U.S. Chief Technology Officer Nicole Wong recently during an online event: Contact tracing was used to identify the original Typhoid Mary in 1907, as well as helping to quell outbreaks of smallpox, SARS and Ebola. As COVID-19 continues to spread, entities around the world hope to use technological advancements to take contact tracing to the next... Read More

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

Despite economic downturn, privacy jobs seem to be (mostly) safe

Privacy and those who make a career from it were thriving prior to COVID-19. The job market and job security for highly trained professionals within the space were on the upswing as privacy made its ascension to being a mainstream topic. There were some initial thoughts and concerns that, like most industries, privacy and its professionals would feel the adverse effects of the pandemic in the way of layoffs and other budget-cutting measures. Those feelings came to light after some privacy pros,... Read More

Manual contact tracers and privacy: Building trust is a local effort

As states ramp up manual COVID-19 contact tracing across the United States, a rapidly growing corps of citizen data collectors are discovering why data privacy rules matter. More than 100,000 contact tracers could be needed in the U.S. alone, according to guidance from the Centers for Disease Control and Prevention and a national contact-tracing plan developed by John Hopkins University and the Association of State and Territorial Health Officials. These tens of thousands of new data collectors ... Read More

Defining a 'new normal' for data privacy in the wake of COVID-19

As the COVID-19 pandemic continues to roil economies and confine people to the solitude of their homes, much of the public discourse regarding the pandemic is focused on defining the “new normal.” Will wearing masks become an indefinite feature of public gathering? How long will the handshake remain social taboo? Some of the behavioral norms and social expectations we take with us will be innocent, unconscious footnotes to the compendium of our moment. Others will require long overdue deliberati... Read More

Infographic: IAPP Resources for COVID-19

This infographic breaks down the major topics related to COVID-19 and privacy, while connecting back to the IAPP Resource Center to help you locate tools, guidance and information to help you meet these complex challenges. Read More

DPA guidance on COVID-19

The IAPP has rounded up all COVID-19 guidance published by DPAs to date. The guidance linked below provides information and frequently asked questions pertaining to data processing and COVID-19. Read More

OSHA revises guidance on tracking COVID-19 in the workplace

The U.S. Occupational Safety and Health Administration revised guidelines May 19 that require employers to determine whether employees who have contracted COVID-19 did so in the workplace.  According to OSHA's recordkeeping requirements, employers are required to conduct investigations about the cause of an employee's infection with certain parameters. In the revised guidelines, which went into effect May 26, "employers should be taking action to determine whether employee COVID-19 illnesses ar... Read More

Vendor seeks to balance workplace safety, employee privacy during COVID-19 pandemic

Evident closed its offices in the early days of the COVID-19 pandemic. Despite the vendor's best efforts to keep staff safe, employees still came down with the virus, which frustrated Evident CEO David Thomas. "As a business leader, I feel burned that we didn’t have the right data that I needed to make effective decisions, and some of my employees got sick as a result," Thomas said. As companies gradually allow employees to return to the workplace, Thomas does not want them to be unprepared in... Read More

With COVID-19, privacy is more central than ever before

Last year, with the shockwaves of the Cambridge Analytica scandal still echoing, the U.S. Federal Trade Commission fining Facebook $5 billion, and the U.K. Information Commissioner's Office announcing its intention to fine British Airways and Marriott hundreds of millions of pounds, we thought privacy had reached its zenith. California privacy advocates were stirring Washington, D.C., into legislative action, Brazil and India competing to put in place comprehensive privacy laws, 500,000 organiza... Read More

Infographic: COVID-19 Testing and Health Monitoring

The IAPP created an infographic outlining the privacy-related questions surrounding COVID-19 testing and health monitoring. As economies reopen, the scope and scale of health data collection, use and sharing will only increase. Employers and businesses are conducting testing, temperature checks and health screenings. This data collection raises novel privacy issues because of its scale, the non-traditional methods and reasons for its collection, and the benefits and risks to sharing the data w... Read More

Deja vu? The politics of privacy legislation during COVID-19

While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Democrats and Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state... Read More

Privacy questions for COVID-19 testing and health monitoring

Diagnostic and antibody testing for COVID-19 is increasing significantly as governments and health authorities look for data to inform decisions about how to safely end lockdowns and restart economies. This testing and other health monitoring efforts will result in the collection of massive amounts of personal data. While public health and safety concerns are paramount, there are numerous privacy issues worth considering, particularly since the life cycle of the data is unclear. Data privacy la... Read More

Contact tracing apps: Why tech solutionism and privacy by design are not enough

Tech solutionism In many countries, including the Netherlands, a contact tracing app act is presented as the solution to get out of lockdown, but in my experience, technology is only part of the solution. Apps can only be used as a supporting measure in situations like this. You cannot ignore the organizational measures that will have to be created around the app. For example, what can employers ask from their employees? Will access to public transportation become dependent on your score in o... Read More

2020 and data protection: Not only COVID-19

It is only May, but 2020 is already shaping up to be a crucial year for data protection. At least in Europe where the data protection authorities’ enforcement engine is starting to warm up. In Italy, for example, the Italian DPA, the Garante, started the year by handing down some very important fines. Beginning with provisions no. 231 and no. 232 issued Dec. 11, 2019, and published Jan. 17, 2020, against one of the global leading oil companies and with provision no. 7 issued Jan. 15, 2020, again... Read More

Geolocation and other personal data used in the fight against COVID-19

As COVID-19 continues to spread throughout the country, the Peruvian government has implemented stronger policies and strategies that are aligned with measures that have proven to be effective around the world. These strategies now include the temporary collection and treatment of the population’s personal data, specifically, the geolocation data of those infected with COVID-19 as a way to track their movements and identify possible contagion hot spots. This article takes a look at the three mos... Read More

The pandemic and the evolution of health care privacy

When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard — privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care privacy. These issues are not new, but the focus of the attention on pandemic issues has made the need for discussion and resolution of these issues even more critical. We are seeing four distinct categ... Read More

Virtual justice and privacy: What does COVID-19 mean for due process?

Effective March 25, New York City’s Criminal Court announced, "All parties will participate in court proceedings by videoconferencing." Due to the COVID-19 pandemic, the court news release explained that all "arraignments will be virtual, with the Judge, prosecution and defense attorney and defendant all from remote locations." As the virus spread, courts across the country echoed this approach.   Few would argue with the immediate necessity of such arrangements. The move to virtual court is d... Read More

Striking the right balance: Government contact tracing powers and the right to privacy

A first-of-its-kind judicial decision sets out the rules for lawful tracking in an epidemic outbreak situation. The Israeli Supreme Court strikes a balance between COVID-19-related contact tracing technology and the right to privacy in a landmark decision about the government’s limits of power and the rights to privacy and dignity. The Israeli government enforces the isolation of confirmed patients and people who came in close contact with them in an effort to contain the spread of the COVID-19... Read More

Sharing COVID-19 data with government authorities: Guidance from DPAs

There are several reasons public health authorities may seek to collect COVID-19 data from private companies, including hospitals and health care providers. One of the top reasons is to track the spread of the virus and monitor the emergence of new clusters of infections so resources can be directed to areas most in need. Another reason is to send information to people who may have come into contact with someone who was diagnosed with or is suspected to have COVID-19. Given this reality, let's ... Read More

Checklist: Expedited Vendor Privacy and Security Assessment

As companies, educational institutions, governments and other organizations shift to remote work environments during the COVID-19 pandemic, the need for technologies to facilitate engagement has exploded. In this checklist are key questions for privacy professionals to consider as they navigate this process. Read More

Here are the contact tracing apps being deployed around the world

As countries begin to lift lockdowns from COVID-19, they are relying on contact tracing apps to identify and break the transmission chain of the disease. While some Asian countries have implemented their contact tracing apps with strict surveillance measures, Europe and the U.S. are scrambling to build apps with privacy in mind. Countries are working with app developers and technology companies to develop contact tracing in hopes they can contain the transmission of COVID-19. While more privacy... Read More

Aggregated data provides a false sense of security

We are in the midst of a global pandemic, and the need to access COVID-19-related data has become increasingly important to make evidence-based policy decisions, develop effective treatments, and drive operational efficiencies to keep our health care systems afloat. Accessing personal data comes at a risk to privacy, and there are many unfortunate examples of harm coming to individuals diagnosed with COVID-19. These challenging times are likely putting pressure on many privacy professionals the ... Read More

Centralized vs. decentralized: EU's contact tracing privacy conundrum

Contact tracing is on the radar of the majority of European privacy professionals these days. More specifically, the focus is on whether tracing apps should function based on centralized or decentralized systems. The debate over the better approach boils down to effectiveness versus the current and future risks associated with the potential use of personally identifiable data. Member of European Parliament Alexandra Geese recently hosted a webinar on the matter, seeking to sort out the privacy ... Read More

How to employ privacy by design in the fight against COVID-19

As COVID-19 is rapidly spreading around the world, public health authorities are eagerly searching for effective measures to flatten the curve and decrease the rate of contamination. Among others, many governments are using or considering using surveillance technology to track the movements of people infected by COVID-19 and notify those who may have been exposed to the virus. Naturally, the use of such measures on a wide scale raises serious privacy concerns. In Israel, for example, there is a ... Read More

How to comply with data localization regulations amid COVID-19’s impact

As health care organizations across the globe look to conduct important clinical trials in regions such as the Asia-Pacific for a wide variety of ailments — and now most urgently COVID-19 — they need to make sure that health care data gathered from these trials meet the increasingly stringent privacy standards and regulations put in place by various countries in the region, including Russia, China and Australia. Health care organizations must learn to operate within each country’s specific data ... Read More

Shift to online learning ignites student privacy concerns

Privacy professionals are watching concerns compound during the COVID-19 outbreak as the effects of the virus bring new problems and magnify prior issues. Student privacy is one area in which this collision of problems has revealed itself the most.  The decision by schools across the world to move to online learning has only exaggerated preexisting and fresh privacy issues about the technology facilitating virtual learning experiences. With their adoption of technologies, many schools and teach... Read More

The privacy issues for EU, UK and US employers during COVID-19

As COVID-19 becomes our new normal, we increasingly see the tension between protecting the public’s health and privacy rights. Employers are faced with providing a safe work environment while complying with applicable privacy laws. Regulatory agencies and data protection authorities have issued guidance to help employers navigate these issues (see the DPA Guidance on COVID-19 collected by the IAPP). The situation for employers is made more challenging because it is fluid: Each day there is new ... Read More

COVtech in India: Privacy considerations amid COVID-19

"The Blind Men and the Elephant" is an ancient Indian parable that should be revisited in these unprecedented times. The following is a rendition of the parable:  "An elephant comes to a village and a group of blind men generate curiosity regarding its form and appearance. They decide to feel the elephant individually to decipher how it may be in actuality. One blind man feels the elephant’s ear and declares, 'an elephant is like a big fan,' another blind man feels the elephant’s leg and says, ... Read More

How is COVID-19 affecting privacy programs? A call for research action

Like many of you, we are closely following new developments and working hard to understand the unfolding dynamics of the COVID-19 pandemic. To further our understanding of the interplay between COVID-19 and privacy and data protection more narrowly, we are conducting a survey on how companies, in general, and privacy programs, in particular, are responding to the COVID-19 pandemic, and we need your help. If you have five minutes or so, please take this survey to aid in our research efforts arou... Read More

Should first responders know the addresses of those with COVID-19?

I think it's safe to say the COVID-19 pandemic has hit close to home for all of us. Many of you are likely balancing video conference calls for work with your children's schooling. (I don't have kids and haven't the foggiest idea how the heck you're managing all that at the same time. Hang in there and kudos to you!) What was once a simple trip to the grocery store is now an anxiety-filled mission replete with strategically placed protective wear: face mask, gloves, sanitizers, and the like. Do... Read More

The Privacy Advisor Podcast: What happens to data privacy in a pandemic?

It's a scary time by any standard. There's news every day about the latest number of those infected by an invisible danger that'll make some sick and kill others, and to stay safe ,we have to stay away from each other in a time when we most need each other for support. And when we're scared, sometimes we make decisions based on fear. In this episode of The Privacy Advisor Podcast, Michelle De Mooy of DeMOOY Consulting and former director of privacy and data at the Center for Democracy and Techno... Read More

Web Conference: Saving Direct Marketing in the Post-Pandemic Economic Recovery

Original broadcast date: April 30, 2020 Join us for this data privacy education web conference to learn about these issues and more. You’ll hear from experts in the field about the benefits of pseudonymization under the GDPR, how pseudonymization enables legitimate interest processing under the GDPR, the benefits of legitimate interest processing under the GDPR among others. Read More

Web Conference: COVID-19 Privacy and Security Issues: An Expert Discussion

Original broadcast date: March 31, 2020 Join us for this educational web conference to hear from legal and privacy operations leaders and government officials in the health care and employment field. They’ll discuss with you their best current thinking about these new and emerging challenges and their potential resolutions. Practical considerations will be discussed, as well as open and settled legal questions. Read More

The Privacy Advisor Podcast: Should we give up our data to help the herd?

Telecommunications companies across the world, including in Germany, Brazil and China, have granted their governments access to customers' cellphone data in an effort to help track COVID-19. In the U.S., government officials are consulting with big tech companies and public health professionals on the possibility of doing so, while authorities in the Netherlands have said emergency legislation must be enacted before sharing occur. In this episode of The Privacy Advisor Podcast, Heather Federman,... Read More

Pandemic incites concerns about data-sharing overreach

Proportionality — that’s the watchword companies need to adhere to in times of crisis. The challenge of the COVID-19 pandemic and concerted efforts to stop its spread have thrown data protection law into the global spotlight. With companies and authorities alike doing everything they can to stem the transmission of the disease, measures like checking recent travel histories, taking body temperature and tracking patients’ movements have come to seem acceptable. But many are asking, how far shoul... Read More

On balancing personal privacy with public interest

It's hard to imagine going through a day right now without thinking about COVID-19, the disease caused by the coronavirus. You likely already know the basic facts: It appears to have originated in Wuhan, Hubei Province, China; the disease can cause severe illness in people, including death, though, according to the U.S. Centers for Disease Control and Prevention, serious illness occurs in only 16% of cases; the disease is rapidly spreading around the world; and there's still a lot of unknowns su... Read More

COVID-19 response and data protection law in the EU and US

Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around the world, governments and public health officials are focused on how to monitor, understand and prevent the spread of the virus. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses. One major response to limiting the spread of infection is contact traci... Read More

IAPP offices go virtual: An update

Hello, everyone. The IAPP has taken the precautionary step in response to COVID-19 by having employees work virtually in order to prioritize everyone’s health and safety. To the greatest extent possible, it is business as usual at the IAPP. Operations will continue on a remote basis — we recognize that the work of privacy is ongoing, and we’re here for you. I wanted to provide some reminders and updates that I hope will address concerns you may have: IAPP trainings are available virtually. W... Read More

Artificial Intelligence

AI camera detects COVID-19 fever

An Austin, Texas-based company’s artificial intelligence camera can detect those who may have a COVID-19-related fever, Fast Company reports. Athena Security’s camera system uses an AI model to view a subject’s inner eye, which can reflect body temperature. The thermal camera records an image of those with a fever. Athena CEO Lisa Falzone said the technology will be seen more in places like airports and hospitals where access depends on an individual’s temperature.Full Story... Read More

Facial recognition to monitor pedestrians at Texas border crossing

U.S. Customs and Border Protection will begin using biometric facial-comparison technology to monitor pedestrians traveling through the Brownsville, Texas, border crossing, Government Technology reports. The technology will photograph each pedestrian traveler entering the U.S. and compare that image to passport and ID photos stored in government records. Privacy advocates argue the program violates travelers’ privacy rights, adding CBP is not following an opt-out policy for U.S. citizens.Full St... Read More

CCPA

California attorney general's office: No delay on CCPA enforcement amid COVID-19

The COVID-19 pandemic has brought many things in life to a screeching halt. For many organizations, the outbreak has meant shuttering, limiting or digitalizing most, if not all, operations. Those types of transitions and subsequent hardships have led some in the privacy space to question whether it's right for California Attorney General Xavier Becerra to go forward with California Consumer Privacy Act enforcement July 1. A coalition of 35 advertising groups sent the attorney general a letter M... Read More

Ad groups call for delay of CCPA enforcement in wake of COVID-19

MediaPost reports the Association of National Advertisers, Interactive Advertising Bureau, American Association of Advertising Agencies and 32 other groups want the California attorney general to delay enforcement of the California Consumer Privacy Act due to the current COVID-19 outbreak. “Now is not the time to threaten business leaders with premature CCPA enforcement lawsuits,” the groups write. Meanwhile, DLA Piper has published its take on the third version of the California Consumer Privac... Read More

Cybersecurity

COVID-19 Data Privacy & Security Survey

This guide from Baker McKenzie is designed to assist employers' assessments of certain data processing they may consider in light of COVID-19 and whether they are compliant with data privacy regulation. Read More

Phishing scams, spam rise during COVID-19 outbreak

Phishing scams and spam attacks are on the rise during the COVID-19 outbreak, CNBC reports. Thirty-six percent of executives on the CNBC Technology Executive Council said cyberthreats have increased as the majority of their employees work from home. “Businesses should anticipate that bad actors will assume that people aren’t manning the gates, providing them with an opening,” Nationwide Chief Technology Officer Jim Fowler said.Full Story... Read More

Web Conference: COVID-19 Privacy and Security Issues: An Expert Discussion

Original broadcast date: March 31, 2020 Join us for this educational web conference to hear from legal and privacy operations leaders and government officials in the health care and employment field. They’ll discuss with you their best current thinking about these new and emerging challenges and their potential resolutions. Practical considerations will be discussed, as well as open and settled legal questions. Read More

Cybersecurity groups, professionals advise on VPN security

ZDNet reports cybersecurity agencies and firms are suggesting companies update the security of their virtual private networks as they ramp up use during the COVID-19 pandemic. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, New Jersey's Cybersecurity and Communications Integration Cell, the SANS Technology Institute's Internet Storm Center, and cybersecurity firm Radware are among the groups offering warnings and guidance regarding VPN security. Tips ... Read More

FBI offers guidance for secure teleconferencing

The U.S. Federal Bureau of Investigation issued recommendations to improve user privacy and security as it relates to teleconference platforms. The guidance focuses on "exercising due diligence and caution in your cybersecurity efforts" and offers best practice to do so, including managing personal and software privacy settings. Meanwhile, advocacy group NOYB published a report that analyzes teleconference platforms' privacy policies.Full Story... Read More

Education and Virtual Learning

FIPPA and online learning during the COVID-19 pandemic

This document, published by the Office of the Information and Privacy Commissioner for British Colombia, provides guidance for educators in choosing online learning tools in compliance with British Colombia's Freedom of Information on Protection of Privacy Act. Read More

Warren, Markey question Zoom over student data protection

U.S. Sens. Elizabeth Warren, D-Mass., and Edward Markey, D-Mass., have asked Zoom Founder and CEO Eric Yuan for more information on how the teleconference platform is “protecting the safety and privacy of students." Zoom was asked for details regarding data breaches, if student data was exposed and whether policies have changed to protect student data. Meanwhile, the U.S. District Court for the Western District of Washington has rejected Amazon's motion for arbitration in a lawsuit related to Al... Read More

Shift to online learning ignites student privacy concerns

Privacy professionals are watching concerns compound during the COVID-19 outbreak as the effects of the virus bring new problems and magnify prior issues. Student privacy is one area in which this collision of problems has revealed itself the most.  The decision by schools across the world to move to online learning has only exaggerated preexisting and fresh privacy issues about the technology facilitating virtual learning experiences. With their adoption of technologies, many schools and teach... Read More

Op-ed: Student privacy at risk with e-learning shift

In an op-ed for The Washington Post, San Jose State University Professors Roxana Marachi and Lawrence Quill write about the student privacy dilemmas stemming from the sudden shift to online learning amid the COVID-19 outbreak. Noting how data is "the new oil" and the tech shifts represent "a watershed moment," Marachi and Quill opine there is every reason to suspect the world of education will not return to "business as usual" following the pandemic.Full Story... Read More

US Dept. of Education on FERPA procedures amidst crisis

The U.S. Department of Education has published a frequently-asked-questions document addressing personal information disclosures for COVID-19 inquiries under the Family Educational Rights and Privacy Act. The department states parental consent for disclosures is still required in most cases, but notes there are exceptions to the requirement in the event of a health or safety emergency. Educational agencies and institutions determine consent exceptions based on whether the "information is necessa... Read More

Student Privacy during the COVID-19 Pandemic

This report, published by The School Superintendents Association and the Future of Privacy Forum, provides guidance on how the Family Educational Rights and Privacy Act and Health Insurance Portability and Accountability Act govern the disclosure of students’ health information held by schools. Read More

Employee Health Monitoring

Infographic: COVID-19 Testing and Health Monitoring

The IAPP created an infographic outlining the privacy-related questions surrounding COVID-19 testing and health monitoring. As economies reopen, the scope and scale of health data collection, use and sharing will only increase. Employers and businesses are conducting testing, temperature checks and health screenings. This data collection raises novel privacy issues because of its scale, the non-traditional methods and reasons for its collection, and the benefits and risks to sharing the data w... Read More

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

OSHA revises guidance on tracking COVID-19 in the workplace

The U.S. Occupational Safety and Health Administration revised guidelines May 19 that require employers to determine whether employees who have contracted COVID-19 did so in the workplace.  According to OSHA's recordkeeping requirements, employers are required to conduct investigations about the cause of an employee's infection with certain parameters. In the revised guidelines, which went into effect May 26, "employers should be taking action to determine whether employee COVID-19 illnesses ar... Read More

PwC develops facial recognition tool for employee monitoring

Global accounting firm PricewaterhouseCoopers created a facial recognition tool to help financial institutions track employees as they work from home, Personnel Today reports. The software taps into employees' webcams to capture face images and detects when employees are not in front of their screens during work hours. PwC said the technology aims to help traders abide by regulations "in the least intrusive, pragmatic way." Meanwhile, Amazon plans to deploy artificial intelligence tracking syste... Read More

Privacy questions to ask when testing, monitoring for COVID-19

Diagnostic and antibody testing for COVID-19 is increasing significantly as governments and health authorities look for data to inform decisions about how to safely end lockdowns and restart economies. While public health and safety concerns are paramount, there are numerous privacy questions worth asking when testing and health monitoring for COVID-19. IAPP Legal Research Fellow Cathy Cosgrove explores some of those issues and questions in this piece for The Privacy Advisor.Full Story Infograp... Read More

Employee COVID-19 screening technologies draw privacy concerns

The New York Times reports on the privacy pitfalls that come with COVID-19 symptom-tracking technologies being adopted by employers for employees. The tools, including biometric-based temperature screening, social-distancing wristbands and virus-screening questionnaires, have brought concerns over data collection, use and storage. American Civil Liberties Union Senior Policy Analyst Jay Stanley said society is "accepting encroachments on privacy" but urged a cautious approach "to make sure that ... Read More

The privacy issues for EU, UK and US employers during COVID-19

As COVID-19 becomes our new normal, we increasingly see the tension between protecting the public’s health and privacy rights. Employers are faced with providing a safe work environment while complying with applicable privacy laws. Regulatory agencies and data protection authorities have issued guidance to help employers navigate these issues (see the DPA Guidance on COVID-19 collected by the IAPP). The situation for employers is made more challenging because it is fluid: Each day there is new ... Read More

Pandemic incites concerns about data-sharing overreach

Proportionality — that’s the watchword companies need to adhere to in times of crisis. The challenge of the COVID-19 pandemic and concerted efforts to stop its spread have thrown data protection law into the global spotlight. With companies and authorities alike doing everything they can to stem the transmission of the disease, measures like checking recent travel histories, taking body temperature and tracking patients’ movements have come to seem acceptable. But many are asking, how far shoul... Read More

GDPR

Is it necessary to suspend GDPR in the fight against COVID-19?

Over the last few months, we have seen organizations impose various obligations on their employees, visitors and customers to combat the spread of COVID-19. The underlying measures first began with completed health questionnaires, moved to requiring temperature checks of people entering buildings, along with the installation of thermal cameras at office entrances, and now there are regular blood tests for employees whose presence is essential for business continuity. How did the Hungarian gover... Read More

Hungary halts some GDPR rights amid COVID-19

Euractiv reports the Hungarian government intends to suspend certain rights and protections provided by the EU General Data Protection Regulation until the COVID-19 outbreak subsides. Under the new measures, citizens will see a pause on their right to data access and erasure, while any legal actions pertaining to alleged GDPR violations will also be delayed. Opposition politician Bernadett Szél plans to challenge the suspension of rights in the Constitutional Court of Hungary, claiming that "res... Read More

Government Data Collection

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

Sharing COVID-19 data with government authorities: Guidance from DPAs

There are several reasons public health authorities may seek to collect COVID-19 data from private companies, including hospitals and health care providers. One of the top reasons is to track the spread of the virus and monitor the emergence of new clusters of infections so resources can be directed to areas most in need. Another reason is to send information to people who may have come into contact with someone who was diagnosed with or is suspected to have COVID-19. Given this reality, let's ... Read More

A timely resource: Updated guide to US government data sharing

Now, perhaps more than ever before, it is critical to understand how governments around the world protect the personal information they exchange with each other. In their just-released third edition of "The Guide to U.S. Government Practice on Global Sharing of Personal Information," Onfido Director of Privacy Neal Cohen, CIPP/E, CIPP/US, and Northrop Grumman Corporation John Kropf, CIPP/E, CIPP/G, CIPP/US, help us do just that. Cohen and Kropf’s guide walks readers through existing accords tha... Read More

Fauci: US may consider COVID-19 immunity certificates

National Institute of Allergy and Infectious Diseases Director Anthony Fauci said the U.S. government may consider issuing certificates to those who are immune to COVID-19, Politico reports. Fauci added the proposal would depend on the deployment of antibody tests. “It’s one of those things that we talk about when we want to make sure that we know who the vulnerable people are and not,” Fauci said. “This is something that’s being discussed. I think it might actually have some merit, under certai... Read More

On balancing personal privacy with public interest

It's hard to imagine going through a day right now without thinking about COVID-19, the disease caused by the coronavirus. You likely already know the basic facts: It appears to have originated in Wuhan, Hubei Province, China; the disease can cause severe illness in people, including death, though, according to the U.S. Centers for Disease Control and Prevention, serious illness occurs in only 16% of cases; the disease is rapidly spreading around the world; and there's still a lot of unknowns su... Read More

The Privacy Advisor Podcast: Should we give up our data to help the herd?

Telecommunications companies across the world, including in Germany, Brazil and China, have granted their governments access to customers' cellphone data in an effort to help track COVID-19. In the U.S., government officials are consulting with big tech companies and public health professionals on the possibility of doing so, while authorities in the Netherlands have said emergency legislation must be enacted before sharing occur. In this episode of The Privacy Advisor Podcast, Heather Federman,... Read More

Striking the right balance: Government contact tracing powers and the right to privacy

A first-of-its-kind judicial decision sets out the rules for lawful tracking in an epidemic outbreak situation. The Israeli Supreme Court strikes a balance between COVID-19-related contact tracing technology and the right to privacy in a landmark decision about the government’s limits of power and the rights to privacy and dignity. The Israeli government enforces the isolation of confirmed patients and people who came in close contact with them in an effort to contain the spread of the COVID-19... Read More

Health Care

The pandemic and the evolution of health care privacy

When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard — privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care privacy. These issues are not new, but the focus of the attention on pandemic issues has made the need for discussion and resolution of these issues even more critical. We are seeing four distinct categ... Read More

How to comply with data localization laws during COVID-19

As health care organizations look to conduct important clinical trials in regions such as the Asia-Pacific for a wide variety of ailments, including COVID-19, they need to make sure that health care data gathered from these trials meet the increasingly stringent privacy standards and regulations put in place by various countries in the region. In this piece for The Privacy Advisor, InCountry Vice President and General Manager of Asia-Pacific John Childs-Eddy explores the challenges health care o... Read More

Dispatch from Peru: Should patients with COVID-19 be fully identified?

On Friday, March 6, Peruvians received the news that we feared the most: COVID-19 had arrived in our country. Patient zero, as initially identified, was a 25-year-old man, a LATAM airlines pilot, who likely contracted the virus during his vacation in Europe (Spain, France and the Czech Republic). The following day, six additional cases were reported (five corresponding to people close to patient zero and one in the city of Arequipa, after the patient traveled to the United Kingdom). On March 8,... Read More

Should first responders know the addresses of those with COVID-19?

I think it's safe to say the COVID-19 pandemic has hit close to home for all of us. Many of you are likely balancing video conference calls for work with your children's schooling. (I don't have kids and haven't the foggiest idea how the heck you're managing all that at the same time. Hang in there and kudos to you!) What was once a simple trip to the grocery store is now an anxiety-filled mission replete with strategically placed protective wear: face mask, gloves, sanitizers, and the like. Do... Read More

Why the new HIPAA telehealth announcement is a welcome move

As more doctors’ offices and care centers try to move non-urgent care patient visits from in-person to online to battle further spread of COVID-19, the U.S. Department of Health and Human Services issued new guidance that can help.  The guidance came in the form of a Notification of Enforcement Discretion for Telehealth Remote Communications directed at health care providers subject to the Health Insurance Portability and Accountability Act. It states the Office for Civil Rights “will exercise ... Read More

HHS News & Guidance

HHS relaxes privacy requirements for COVID-19 community testing sites

The U.S. Department of Health and Human Services is relaxing the Health Insurance Portability and Accountability Act privacy and security requirements for COVID-19 community-based testing sites to make it easier to collect patient data, Nextgov reports. The HHS Office for Civil Rights said in a notice other health care providers still have to fully comply with HIPAA. Meanwhile, the Hamburg Commissioner for Data Protection and Freedom of Information published guidance on data processing during th... Read More

HHS Guidance: HIPAA, Civil Rights, and COVID-19

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) published this guidance page providing announcements, guidance, notifications and bulletins on civil rights laws and the HIPAA Privacy Rule during the COVID-19 outbreak. Read More

HHS notice on telehealth penalties raises privacy concerns

The U.S. government just eased the path for doctors and nurses to do video chats with patients by lifting privacy and security compliance penalties and enforcement action against health care providers. The Office for Civil Rights at the U.S Department of Health and Human Services Tuesday said it will allow health care providers to use technology, such as Apple FaceTime, Facebook Messenger video chat or other video platforms, to communicate with patients. But, while federal response to the COVID... Read More

HHS announces HIPAA penalties waiver amidst COVID-19

The U.S. Department of Health and Human Services has issued a limited waiver protecting health care providers from Health Insurance Portability and Accountability Act penalties during the COVID-19 outbreak. The waiver absolves providers of certain HIPAA responsibilities, including being required to honor facility directory opt-outs and issue privacy notices. Patient rights to request confidential communications and privacy restrictions have also been temporarily revoked under the waiver.Full Sto... Read More

HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

This notification, published by the U.S. Department of Health & Human Services, announces that the Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency, effective immediately. Read More

Cookie Guidance from Greece

On 25 February 2020, the Hellenic Data Protection Authority published guidance on the use of cookies (and similar technologies). The guidance reiterates the rules around consent and provides examples of cookies which fall into the consent exemptions. Read More

International

DPA guidance on COVID-19

The IAPP has rounded up all COVID-19 guidance published by DPAs to date. The guidance linked below provides information and frequently asked questions pertaining to data processing and COVID-19. Read More

Israel introduces new contact-tracing bill

Throughout the COVID-19 global outbreak, Israel has taken a unique approach for fighting the pandemic. While other countries have developed and implemented new technologies for contact tracing, Israel preferred using a covert technology, operated by the General Secret Service for anti-terror purposes. During the first stages of the outbreak, the government established the use of the so-called “tool” through emergency regulations and then in governmental resolutions. However, on April 26, in fou... Read More

Study: Singapore contact tracing app rated best on privacy

The Data Protection Excellence Centre released a study showing Singapore's TraceTogether contact tracing app is best at assuring privacy to users compared to other apps in Southeast Asia, Computer Weekly reports. The study found TraceTogether's privacy policy and statements aligned with its permissions prompted to users. Meanwhile in Thailand, the Ministry of Digital Economy and Society announced the launch of the Thai Win tracing app. Also, countries may consider keeping contact tracing apps be... Read More

Turn contact tracing apps on by default — Europeans shouldn’t need to opt in

As European governments start easing lockdown restrictions, developing an effective contact tracing strategy has become a top priority to prevent a new surge of COVID-19 outbreaks. A key part of this strategy will almost certainly involve mobile contact tracing apps that automatically notify users who have encountered someone diagnosed with COVID-19. Unfortunately, the European Commission’s guidance issued in April recommends that, in line with the EU General Data Protection Regulation, users “s... Read More

French Council of State bans COVID-19 monitoring by drone

Courthouse News Service reports France's Council of State, Conseil d'État, ruled authorities in Paris are prohibited from using drones to enforce COVID-19 stay-at-home orders. In its decision, the court said the deployment of drones and video footage they capture may allow police to identify individuals being surveilled. "There are risks they could be used contrary to personal data protection rules," the court justices wrote. Meanwhile, India's contact tracing app created a surge in phishing sca... Read More

Hungary halts some GDPR rights amid COVID-19

Euractiv reports the Hungarian government intends to suspend certain rights and protections provided by the EU General Data Protection Regulation until the COVID-19 outbreak subsides. Under the new measures, citizens will see a pause on their right to data access and erasure, while any legal actions pertaining to alleged GDPR violations will also be delayed. Opposition politician Bernadett Szél plans to challenge the suspension of rights in the Constitutional Court of Hungary, claiming that "res... Read More

A look at the Peruvian government's measures to track COVID-19

As COVID-19 continues to spread throughout the country, the Peruvian government has implemented stronger policies and strategies that are aligned with measures that have proven to be effective around the world. These strategies now include the temporary collection and treatment of the population’s personal data, specifically, the geolocation data of those infected with COVID-19 as a way to track their movements and identify possible contagion hot spots. In this piece for Privacy Tracker, Barlaw ... Read More

How to comply with data localization regulations amid COVID-19’s impact

As health care organizations across the globe look to conduct important clinical trials in regions such as the Asia-Pacific for a wide variety of ailments — and now most urgently COVID-19 — they need to make sure that health care data gathered from these trials meet the increasingly stringent privacy standards and regulations put in place by various countries in the region, including Russia, China and Australia. Health care organizations must learn to operate within each country’s specific data ... Read More

COVtech in India: Privacy considerations amid COVID-19

"The Blind Men and the Elephant" is an ancient Indian parable that should be revisited in these unprecedented times. The following is a rendition of the parable:  "An elephant comes to a village and a group of blind men generate curiosity regarding its form and appearance. They decide to feel the elephant individually to decipher how it may be in actuality. One blind man feels the elephant’s ear and declares, 'an elephant is like a big fan,' another blind man feels the elephant’s leg and says, ... Read More

EU member states develop COVID-19 app toolbox

EU member states developed a toolbox to be used when designing mobile apps to track the spread of COVID-19. With support from the European Commission, member states have examined the privacy and data protection elements of various digital tools to address the pandemic. The toolbox includes several requirements for contact tracing apps, such as ensuring they are implemented with and approved by public health authorities and that they adhere to EU privacy laws.Full Story... Read More

Brazilian Senate postpones its national data protection law

On April 3, the Brazilian Senate approved a Bill of Law (PL 1179/2020) with several emergency measures to deal with the COVID-19 pandemic in Brazil. The bill includes a specific rule that postpones the entry into force of the Brazilian General Data Protection Law, the LGPD. The bill, led by Sen. Antonio Anastasia and advocated by Brazilian Supreme Court President Dias Toffoli, was rapidly approved by the Brazilian Senate on a remote session and will be presented in the next week for another rou... Read More

Report: WHO-China Joint Mission on COVID-19

This report from the World Health Organization-China's Join Mission reviews national and local government reports, discussions on control and prevention measures with national and local experts and response teams, and observations made and insights gained during site visits. Read More

EDPS: COVID-19 a 'game changer'

In a blog post, European Data Protection Supervisor Wojciech Wiewiórowski discussed how the COVID-19 pandemic has altered the office's 2020–2024 strategy. Wiewiórowski explained the strategy was set for publishing March 19, but now he intends to reassess given the effects of the outbreak on society. "I am sure we are facing a new stage in the discussion about fundamental rights," Wiewiórowski wrote. "In the next few months, we will need to find the time to reflect on the crucial principles that ... Read More

Philippines NPC issues privacy reminder during COVID-19 outbreak

Philippines’ National Privacy Commission says the government must balance individual privacy with public health interests as the number of COVID-19 patients increases, Back End News reports. The Data Privacy Act does not prevent government and health entities from processing personal and sensitive information “when necessary to fulfill their mandates during a public health emergency.” Unnecessarily disclosing personal information “may stunt government efforts to identify and test individuals wit... Read More

GPA issues statement on data protection during COVID-19 pandemic

The Executive Committee of the Global Privacy Assembly has released a statement regarding COVID-19 and the challenges it presents to maintaining data protection protocols. The GPA said it is "confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic." Additionally, the GPA pointed to the resources page it has launched to aid privacy professionals' efforts during the pandemic. Editor's note: The IAPP has publish... Read More

EDPB issues statement on COVID-19

The European Data Protection Board released a statement on processing personal data as the COVID-19 pandemic continues. EDPB Chair Andrea Jelinek said data protection rules such as the EU General Data Protection Regulation do not hinder the fight against the virus. "However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects," Jelinek said. The U.K. Information Commissioner's Office released it... Read More

Legal requirements

COVID-19 response and data protection law in the EU and US

Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around the world, governments and public health officials are focused on how to monitor, understand and prevent the spread of the virus. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses. One major response to limiting the spread of infection is contact traci... Read More

Legislation

US lawmakers propose bipartisan contact tracing bill

U.S. Senate lawmakers proposed a bipartisan bill to regulate contact tracing apps, The Washington Post reports. The Exposure Notification Privacy Act would ensure those who do not want to use the apps are not tracked and prohibit any data that is collected by the apps to be used for commercial purposes. “The important thing we wanted to get done, as people started to look at this, is make sure the privacy protections are in place,” said Sen. Maria Cantwell, D-Wash.Full Story... Read More

Deja vu? The politics of privacy legislation during COVID-19

While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Democrats and Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state... Read More

Public Health Emergency Privacy Act

After Senate Republicans proposed the COVID-19 Consumer Data Protection Act April 30, Democrats from the Senate and House of Representatives offered their response Thursday, May 14, with the introduction of the Public Health Emergency Privacy Act. The Democrats' bill aims to provide safeguards for health data during the pandemic and regulate the use of that data with contact tracing technologies. Read More

Location Tracking

Manual contact tracers and privacy: Building trust is a local effort

As states ramp up manual COVID-19 contact tracing across the United States, a rapidly growing corps of citizen data collectors are discovering why data privacy rules matter. More than 100,000 contact tracers could be needed in the U.S. alone, according to guidance from the Centers for Disease Control and Prevention and a national contact-tracing plan developed by John Hopkins University and the Association of State and Territorial Health Officials. These tens of thousands of new data collectors ... Read More

Illusions of consent and COVID-19-tracking apps

COVID-19-tracking apps help identify parties with whom a COVID-19-infected person had contact. The apps do so by drawing on information about the location of a person’s mobile phone and its proximity to other devices. Experts, including the Bloomberg School of Public Health at John Hopkins University, view this technology as a necessary boost to manual contact tracing by public health officials. Countries are currently split into those where the government requires the use of these apps and tho... Read More

Protecting privacy on COVID-19 surveillance apps

Right now, there are signs that the curve of new COVID-19 cases in the United States is reaching a plateau, if not yet declining. We also have at least rough agreement among public health experts about the nation’s necessary next steps. The need is for a dramatic expansion of testing, a ramping up of the ranks of public health workers to trace contacts, and interoperable digital platforms that permit real-time analysis of COVID-19 outbreaks. As part of this effort, there is a frequently envisio... Read More

Contact tracing apps: Why tech solutionism and privacy by design are not enough

Tech solutionism In many countries, including the Netherlands, a contact tracing app act is presented as the solution to get out of lockdown, but in my experience, technology is only part of the solution. Apps can only be used as a supporting measure in situations like this. You cannot ignore the organizational measures that will have to be created around the app. For example, what can employers ask from their employees? Will access to public transportation become dependent on your score in o... Read More

Geolocation and other personal data used in the fight against COVID-19

As COVID-19 continues to spread throughout the country, the Peruvian government has implemented stronger policies and strategies that are aligned with measures that have proven to be effective around the world. These strategies now include the temporary collection and treatment of the population’s personal data, specifically, the geolocation data of those infected with COVID-19 as a way to track their movements and identify possible contagion hot spots. This article takes a look at the three mos... Read More

Here are the contact tracing apps being deployed around the world

As countries begin to lift lockdowns from COVID-19, they are relying on contact tracing apps to identify and break the transmission chain of the disease. While some Asian countries have implemented their contact tracing apps with strict surveillance measures, Europe and the U.S. are scrambling to build apps with privacy in mind. Countries are working with app developers and technology companies to develop contact tracing in hopes they can contain the transmission of COVID-19. While more privacy... Read More

Centralized vs. decentralized: EU's contact tracing privacy conundrum

Contact tracing is on the radar of the majority of European privacy professionals these days. More specifically, the focus is on whether tracing apps should function based on centralized or decentralized systems. The debate over the better approach boils down to effectiveness versus the current and future risks associated with the potential use of personally identifiable data. Member of European Parliament Alexandra Geese recently hosted a webinar on the matter, seeking to sort out the privacy ... Read More

Google, Apple prepping release of COVID-19 contact tracing app

TechCrunch reports Google and Apple plan to present developers with the first version of a COVID-19 contact tracing application programming interface April 28. European Commissioner for Internal Market and Services Thierry Breton acknowledged the launch of the app and its decentralized system during a recent call with Apple CEO Tim Cook. The app's release was originally expected by the middle of May. Meanwhile, Dutch engineer and Bluetooth creator Jaap Haartsen says Bluetooth, in its current for... Read More

French government asks Apple to remove tech limitations for its COVID-19 app

France's government asked Apple to remove technical limitations as it creates its own COVID-19 tracking app, Bloomberg reports. Apple's operating system prevents apps using its Bluetooth technology from constantly running when information is moved off-device. French Digital Minister Cedric O said this feature has impeded progress on the government's contact tracing app. Apple referred to the statement it made on its Google partnership in which the tech company said it would allow Bluetooth-enabl... Read More

White House task force seeks national COVID-19 surveillance system

U.S. White House Senior Adviser Jared Kushner's task force seeks to create a national COVID-19 surveillance system, Politico reports. The task force asked health technology companies to provide information to see where patients have sought treatment and for what illness. According to seven tech executives asked about the project, the federal government would be able to monitor bed availability and the number of patients in emergency rooms. White House Spokesman Avi Berkowitz denied any proposals... Read More

Facebook launches COVID-19 tracking map for US counties

NBC News reports Facebook released a map with a county-by-county look at self-reported COVID-19 symptoms in the U.S. The map, which will be updated daily, is based on responses to a Carnegie Mellon University survey taken by Facebook users. The map was designed to help health officials detect virus hot spots and better allocate resources to those areas. "Providing aggregate data to governments and health officials is one of the most important tools tech companies can provide," Facebook CEO Mark ... Read More

Apple, Google debut COVID-19 contact tracing technology

Apple and Google debuted tools that could track if someone comes into contact with a person infected with COVID-19, The Washington Post reports. The companies say their smartphones could communicate through Bluetooth technology and a contact tracing app that senses nearby devices. When an app user indicates they’ve been infected, it would notify those with smartphones in the vicinity. Apps could be developed as soon as mid-May.Full Story... Read More

ICO lists privacy considerations for COVID-19 tracking tech

The U.K. Information Commissioner's Office produced a list of privacy considerations for organizations as they use technology to track COVID-19. The questions, which were presented by Information Commissioner Elizabeth Denham, include whether any personal data collected is necessary and how privacy is built into the "processor technology." The ICO also published its opinion on Apple and Google's joint COVID-19 initiative.Full Story... Read More

Federal, provincial officials consider COVID-19 contact tracing methods

Federal and provincial officials are hiring staff and looking into different technological methods to conduct contact tracing as the COVID-19 pandemic continues, National Post reports. The different measures include using cellphone location data. Canadian Chief Public Health Officer Theresa Tam said any contact tracing must have privacy considerations in mind. Meanwhile, the Ontario government plans to bring researchers and artificial intelligence professionals together to study public health in... Read More

Senate holds "paper hearing" on fighting pandemic with location data

In a sign of the dangerous time we're living in and as most of the U.S. self-quarantines to protect health during the COVID-19 pandemic, the U.S. Senate Committee on Science, Commerce and Transportation held an unusual "paper hearing" on how responsibly technology companies and the government can work together to employ big data in an effort to combat spread of the virus. Witnesses submitted testimony to the committee and will have a "96-business-hour turnaround time to answer member questions,"... Read More

Privacy advocates emphasize safeguards in potential COVID-19 tracking

The Washington Post reports some privacy advocates are in favor of the U.S. using cellphone or location data to track the COVID-19 pandemic so long as it is done appropriately. Advocates are seeking assurance on basic safeguards and the potential for user opt-ins to allow government access. "There’s no reason to have to throw out our principles like privacy and consent to do this," Electronic Frontier Foundation Distinguished Technology Fellow Peter Eckersley said. Meanwhile, the U.K. is develop... Read More

Privacy concerns stirred over potential COVID-19 tracking

Wired reports on the potential privacy dilemma facing Americans if the U.S. government and big tech companies team up on COVID-19 tracking through forms of user location data. University of Georgia Center for Geospatial Research Director Marguerite Madden said citizens will likely balk at the potential data sharing unless they are "made fully aware of the use of the data and trusted the data would be used as specified in the data agreement." Meanwhile, Facebook and Google have each downplayed th... Read More

Trudeau: Canada will not use location data to track COVID-19 for now

Prime Minister Justin Trudeau said Canada has not considered using location data to track COVID-19; however, he did not rule out the option, CBC News reports. "I think we recognize that in an emergency situation we need to take certain steps that wouldn't be taken in non-emergency situations, but as far as I know that is not a situation we're looking at right now," Trudeau said. "But as I've said, all options are on the table to do what is necessary to keep Canadians safe in these exceptional ti... Read More

US government exploring location data tracking for COVID-19

The Washington Post reports U.S. government officials are consulting with big tech companies and public health professionals on the possibility of using location data from cellphones to track individuals infected by COVID-19. The health professionals have pitched the idea of companies, like Facebook and Google, compiling anonymized data that would be used for a map to track the spread of the disease. However, Google has already stated it has privacy concerns over the use of location data. Senate... Read More

German, Austrian telecoms disclose location data for COVID-19 tracking

Telecommunications companies in Germany and Austria have granted their governments access to customers' cellphone data in an effort to help track the COVID-19 outbreak, Der Tagesspiegel reports. German-based Telekom and Austrian-based A1 each offered the initial government access to the anonymized data within the last few days. "This allows movement flows to be modeled — broken down nationwide, at the state level and down to the district-community level," a Telekom spokeswoman said. (Original ar... Read More

Israel plans COVID-19 tracking through phone data

The New York Times reports the Israeli government has received Prime Minister Benjamin Netanyahu's authorization to use undisclosed cellphone data to track movements of citizens infected by COVID-19. The data was collected under the radar and was meant to be used for counter-terrorism efforts. In addition to tracking infected individuals, Israel's internal security agency aims to also identify people that have been in contact with those being tracked.Full Story... Read More

Personal Data Protection

2020 and data protection: Not only COVID-19

It is only May, but 2020 is already shaping up to be a crucial year for data protection. At least in Europe where the data protection authorities’ enforcement engine is starting to warm up. In Italy, for example, the Italian DPA, the Garante, started the year by handing down some very important fines. Beginning with provisions no. 231 and no. 232 issued Dec. 11, 2019, and published Jan. 17, 2020, against one of the global leading oil companies and with provision no. 7 issued Jan. 15, 2020, again... Read More

How function creep may cripple app-based contact tracing

The U.S. is in the throes of a pandemic caused by the SARS-CoV-2 virus, COVID-19. Realizing that long-term lockdowns are not sustainable, governments are seeking alternative methods of controlling the pandemic. “Testing and tracing” has been touted as a way to reopen economies with the pandemic still raging. While testing has its own set of privacy challenges, the methods discussed to accomplish contact tracing are rife with problems. In simple terms, contact tracing involves determining who ha... Read More

FBI warns of COVID-19 testing scams

The U.S. Federal Bureau of Investigation is urging awareness around scams offering fake COVID-19 antibody tests, which they say could be used to steal personal information, CNN reports. Scammers are attempting to offer fake or unproven antibody tests to obtain Social Security numbers or health insurance information, the FBI warns. Meanwhile, the amount of time data accumulated from the U.K.’s Test and Trace program will be retained has been reduced from 20 years to eight years.Full Story... Read More

The Privacy Advisor Podcast: Should we give up our data to help the herd?

Telecommunications companies across the world, including in Germany, Brazil and China, have granted their governments access to customers' cellphone data in an effort to help track COVID-19. In the U.S., government officials are consulting with big tech companies and public health professionals on the possibility of doing so, while authorities in the Netherlands have said emergency legislation must be enacted before sharing occur. In this episode of The Privacy Advisor Podcast, Heather Federman,... Read More

Google's COVID-19 site raises privacy concerns

Google launched a website to assist the COVID-19 response, AdAge reports. The website is designed to help direct individuals to medical services and to provide information on the pandemic. Privacy concerns have arisen, as users need to share medical information to access the site's features. “The nature of digital data is such that it lingers forever,” Sparrow Advisors Principal and Co-Founder Ana Milicevic said. The site's terms of service states no data will be shared with insurance companies ... Read More

Commissioner: Proper handling of personal data ‘crucial’ in COVID-19 response

The Philippines’ National Privacy Commission is reminding government agencies and the public to not share sensitive personal data as the COVID-19 outbreak continues, ABS-CBN News reports. NPC Commissioner Raymund Liboro said the proper handling of personal data is “crucial in stopping the spread of the virus” and response must balance individual data privacy and public health interests. It is “prudent” to confirm information, Liboro said, “especially information that would lead to the identifica... Read More

Privacy Programs

Checklist: Expedited Vendor Privacy and Security Assessment

As companies, educational institutions, governments and other organizations shift to remote work environments during the COVID-19 pandemic, the need for technologies to facilitate engagement has exploded. In this checklist are key questions for privacy professionals to consider as they navigate this process. Read More

ICO publishes data protection steps for businesses as COVID-19 measures ease

The U.K. Information Commissioner's Office has published six data protection steps businesses can follow as lockdown measures begin to ease during the COVID-19 pandemic. The ICO recommends businesses only collect information as needed, to be transparent about what data they gather from staff and to keep all data secure. The agency also answers questions on its pandemic regulatory approach and COVID-19 testing.Full Story... Read More

How to employ privacy by design in the fight against COVID-19

As COVID-19 is rapidly spreading around the world, public health authorities are eagerly searching for effective measures to flatten the curve and decrease the rate of contamination. Among others, many governments are using or considering using surveillance technology to track the movements of people infected by COVID-19 and notify those who may have been exposed to the virus. Naturally, the use of such measures on a wide scale raises serious privacy concerns. In Israel, for example, there is a ... Read More

How is COVID-19 affecting privacy programs? A call for research action

Like many of you, we are closely following new developments and working hard to understand the unfolding dynamics of the COVID-19 pandemic. To further our understanding of the interplay between COVID-19 and privacy and data protection more narrowly, we are conducting a survey on how companies, in general, and privacy programs, in particular, are responding to the COVID-19 pandemic, and we need your help. If you have five minutes or so, please take this survey to aid in our research efforts arou... Read More

Pandemic incites concerns about data-sharing overreach

Proportionality — that’s the watchword companies need to adhere to in times of crisis. The challenge of the COVID-19 pandemic and concerted efforts to stop its spread have thrown data protection law into the global spotlight. With companies and authorities alike doing everything they can to stem the transmission of the disease, measures like checking recent travel histories, taking body temperature and tracking patients’ movements have come to seem acceptable. But many are asking, how far shoul... Read More

How to Build a Privacy Program

This topic page contains a curation of the IAPP's guidance, coverage, analysis and relevant resources covering how to build a privacy program from the ground up. Read More

Workplace Privacy & Remote Workforce

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

Web Conference: The New Normal: Navigating Work-from-Home Privacy and Cybersecurity Risks

Original broadcast date: May 8, 2020  Join us to gain insight into how some large multinational organizations are handling this challenging new employer/employee environment. Real-world situations will be discussed through hypothetical scenarios, challenges and priorities drawn out by experienced privacy leaders from organizations operating globally, and practical takeaways will be shared. Read More

Companies deploying work-from-home surveillance

The Washington Post reports companies have begun surveilling employees and their productivity as they work from home during the COVID-19 outbreak. In addition to monitoring programs for determining employees' active work hours and online activities, organizations are also instituting other forms of oversight, including multiple daily check-ins, always-on webcam policies and "productivity scores." The tactics have drawn backlash as David Heinemeier Hansson, co-founder of the remote-work-software ... Read More

Research: Remote workers not worried about cybersecurity

According to research by mobile security company Promon, 77% of remote workers in the U.K. are not worried about cybersecurity, though two-thirds say their employer has not provided cybersecurity training in the last year, IT Security Guru reports. The research said 61% of remote workers are using personal devices. Promon Chief Technology Offier and Co-Founder Tom Lysemose Hansen said organizations must ensure staff working remotely “are doing so in secure environments” and have “necessary train... Read More

Dutch DPA tool comparing privacy features on video call apps

Published: April 17, 2020 The Dutch data protection authority, Autoriteit Persoonsgegevens, published a tool to help choose a teleconferencing app based on its privacy policies and practices. The tool was formulated from an AP review of 13 popular teleconferencing apps. Click To View (PDF)... Read More

Workplace Privacy

This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering Workplace Privacy. Read More

General Resources

Google, Apple outline privacy considerations for Exposure Notification System

The COVID-19 pandemic has seared contact tracing into our collective consciousness, but it doesn't mean the concept is anywhere near new. Noted Deputy U.S. Chief Technology Officer Nicole Wong recently during an online event: Contact tracing was used to identify the original Typhoid Mary in 1907, as well as helping to quell outbreaks of smallpox, SARS and Ebola. As COVID-19 continues to spread, entities around the world hope to use technological advancements to take contact tracing to the next... Read More

With COVID-19, privacy is more central than ever before

Last year, with the shockwaves of the Cambridge Analytica scandal still echoing, the U.S. Federal Trade Commission fining Facebook $5 billion, and the U.K. Information Commissioner's Office announcing its intention to fine British Airways and Marriott hundreds of millions of pounds, we thought privacy had reached its zenith. California privacy advocates were stirring Washington, D.C., into legislative action, Brazil and India competing to put in place comprehensive privacy laws, 500,000 organiza... Read More

Defining a 'new normal' for data privacy in the wake of COVID-19

As the COVID-19 pandemic continues to roil economies and confine people to the solitude of their homes, much of the public discourse regarding the pandemic is focused on defining the “new normal.” Will wearing masks become an indefinite feature of public gathering? How long will the handshake remain social taboo? Some of the behavioral norms and social expectations we take with us will be innocent, unconscious footnotes to the compendium of our moment. Others will require long overdue deliberati... Read More

Why it's important to be mindful of digital footprints during the COVID-19 pandemic

It feels like we’re all in a long episode of "Black Mirror." The global health crisis created by the COVID-19 pandemic has many difficult consequences that affect multiple aspects of our lives. In addition to alarming health concerns and a devastating number of people who suffer physically from the virus, the world economy has taken quite a hit, as well. Retailers are forced to rethink their supply chain, which up until now relied on China. The travel industry has crashed, businesses and indivi... Read More

COVID-19 and Business Continuity in the EU

This article from Hunton Andrews Kurth discusses key data protection considerations for businesses in connection with the COVID-19 pandemic, including the processing of personal data for health monitoring purposes, crisis management and cybersecurity preparedness, and steps businesses may take to ensure the business continuity of privacy compliance programs. Read More

Aggregated data provides a false sense of security

We are in the midst of a global pandemic, and the need to access COVID-19-related data has become increasingly important to make evidence-based policy decisions, develop effective treatments, and drive operational efficiencies to keep our health care systems afloat. Accessing personal data comes at a risk to privacy, and there are many unfortunate examples of harm coming to individuals diagnosed with COVID-19. These challenging times are likely putting pressure on many privacy professionals the ... Read More

EDPS comments: Monitoring spread of COVID-19

On March 25, the European Data Protection Supervisor provided comments to the Directorate-General for Communications Networks, Content and Technology of the European Commission on monitoring the spread of COVID-19. Read More