What we know about COVID-19 health data privacy under GDPR

The global outbreak of COVID-19 has sent many organizations on a health information hunt to control the spread of the virus.

Businesses, airlines and airports, educational institutions, and others are processing individuals' health data with the intent to protect employees and the general public from risk.

Some are performing temperature checks, as well as asking about recent travel history, contact with infected individuals, and current medical conditions or symptoms. 

As such, we've seen a rise in global contact tracing. That is, the process of identifying, monitoring, and following up with anyone who is infected with the virus, or who has come into contact with someone who is infected.

However, contract tracing efforts tapping into personal health information has raised concerns around health data privacy.

US tech giant and Google parent company Alphabet has already ignited such concerns for its COVID-19 screening project, which collects data to understand who is at risk of the virus. 

Given varying health data privacy laws across the world, this pandemic raises a one serious, overarching question: what can and can’t businesses ask individuals concerning their health? 

For those within the EU, we'll start by tackling the following questions around GDPR:

1. How should organizations handle health data privacy under GDPR during COVID-19?
2. Who can lawfully process health data during COVID-19? 
3. What are the core principles for processing personal data under GDPR?
4. Can organizations process mobile location data? 
5. Can employers require specific health data from visitors and employees in the context of COVID-19?  
6. Should employers notify colleagues or visitors if a staff member is infected?

How should organizations handle health data privacy under GDPR during COVID-19?

In the specific case of the COVID-19 outbreak, “emergency is a legal condition which may legitimize restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.” 

This is according to the European Data Protection Board (EDPB), which recently released a statement (March 19, 2020) regarding health data privacy and COVID-19, following GDPR regulations. 

“It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.” - European Data Protection Board

For EU organizations questioning whether specific mandatory health-related questions remain compliant with GDPR, the EDPB stressed that the following considerations should be taken into account.

Who can lawfully process health data during COVID-19? 

Competent health authorities and employers may process data in the context of an epidemic. This must be in accordance with national law and conditions. (see Section 1 of the statement for full details)

The GDPR provides rules for processing personal data in a context such as the COVID-19 global health emergency.

According to the EDPB, “...when processing is necessary for reasons of substantial public interest in the area of public health [...] there is no need to rely on consent of individuals.”

When it comes to processing telecom data like location data, the EDPB states that “national laws implementing the ePrivacy Directive must also be respected.” In certain circumstances, however, Member States can “introduce legislative measures to safeguard public security.”

What are the core principles for processing personal data under GDPR?

The core principles for processing personal data are as follows: 

1. Subjects should be informed that their data is being processed.
2. This information should be clearly communicated.
3. All measures to process health data during the global pandemic should be clearly documented. (see Section 2)

The subjects whose data is being collected should be made aware of what data is being processed and stored, why it’s being processed and stored, and for how long it will be stored. 

This transparent information should be easily accessible, and explained clearly in plain language. Security measures and confidentiality policies are crucial to ensure that personal data doesn’t end up in the wrong hands.

Lastly, any measures implemented to measure the current emergency (and the underlying decision-making process leading one to take these measures) should be properly documented. 

Can organizations process mobile location data? 

Processing of mobile location data during the pandemic must first be attempted anonymously. If this is impossible, follow guidance per the ePrivacy Directive, and take into consideration the principle of proportionality. (see Section 3)

If processing of mobile location data is necessary to monitor, contain or mitigate the spread of COVID-19, public authorities should first attempt to process this data in an anonymous way so that individuals cannot be re-identified.

As suggested by the EDPB, this could be used for reports on the concentration of mobile devices at a given location, or “cartography.”

However, when it’s not possible to process anonymous data, “the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security.”

If this happens, the Member State must put safeguards into place - and the proportionality principle applies.

“[Any necessary invasive measures] should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).”

Can employers require specific health data from visitors and employees in the context of COVID-19? 

Employers should only ask for health information to the extent that national law allows it, and store this information for the least amount of time possible to achieve their goal. (see Section 4)

Here, the EDPB emphasizes data minimization and the proportionality principle. Employers should also “only access and process health data if their own legal obligations require it.” 

To ensure business continuity in a time of crisis, some organizations have required the support of a visitor management system in order to administer such questions when individuals arrive at a building or workplace. Based on the responses, front desk staff can grant or deny an individual access to a given premises to decrease potential health risks.

As a reminder, Proxyclick allows you to set data to automatically delete from the system after a given period of time.

Should employers notify colleagues or visitors if a staff member is infected?

EDPB stresses that employers should inform staff about COVID-19 cases, but only share information that is necessary. (see Section 4)

If the name of an infected employee or external individual who contracted the virus must be shared (given national law permits it), this person should be informed in advance and “their dignity and integrity should be protected.” 

Health data privacy in the US

American companies should follow special circumstances for health data processing under the Health Insurance Portability and Accountability Act (HIPAA) and Americans with Disabilities Act (ADA).

Given the fact that there is no one law covering data protection for the entire US, health data privacy is handled differently in each state.

The Health Insurance Portability and Accountability Act (HIPAA) keeps patients’ health information private. However, “protections are not absolute,” according to the International Association of Privacy Professionals (IAPP).

“In February, the U.S Department of Health and Human Services released a Bulletin outlining when disclosure of health information is allowed, including for public health purposes and ‘to prevent a serious and imminent threat.’” - International Association of Privacy Professionals

But similar to the GDPR’s guidelines, in specific circumstances such as a global pandemic, processing of health data in the US may be permitted to prevent international threats to health. This may even extend to businesses that are not associated with a HIPAA-covered entity. 

As for employers in the US, the IAPP suggests that the Americans with Disabilities Act (ADA) provides some guidance as to when employers can ask specific health-related questions during a global pandemic.

However, the U.S. Equal Employment Opportunity Commission currently states on its website that these guidelines are subject to change.

Where we’re headed: health data privacy during future pandemics

The current search for answers around what's acceptable for organizations to ask during a mass pandemic, what is not, and who is authorized to ask the questions puts future health data processing into perspective.

As Yuval Noah Harari recently wrote:

"A big battle has been raging in recent years over our privacy. The coronavirus crisis could be the battle’s tipping point. For when people are given a choice between privacy and health, they will usually choose health."

Governments may decide to implement clearer pandemic-specific health data laws, and organizations will learn to properly process and manage data to comply with them. 

Until then, we're taking it day by day.

Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action. 


Looking for more ways to strengthen health and safety measures at your workplace? See our COVID-19 resource center to find articles, videos, shared customer experiences and more.