A guide to data privacy laws during a pandemic
Since the COVID-19 outbreak, governments and businesses around the world have leveraged the power of data and digital solutions to help monitor and contain the virus.
Personal health data has been collected to ensure public health and safety through contact tracing apps, mobile location data, and facial recognition data via advanced surveillance systems. This has enabled local authorities and public health providers to access real time information concerning the spread of the virus, and the health of quarantined and infected individuals.
Nonetheless, the use of tracking apps and facial recognition technology has raised a series of questions when it comes to the privacy of our personal information, such as:
- How is our health data is being handled?
- How do international data privacy laws work during a pandemic?
- Which questions can employers ask related to COVID-19?
- What are the data privacy issues we'll need to address in the future?
- How are businesses securing our personal information today?
As securing data privacy and security is a central part of our business, we decided to take a closer look at each of the above questions in this guide.
How has health data privacy been handled during COVID-19?
EU data protection during the pandemic is based on the data privacy principles of GDPR. The European Commission has also undertaken the task of providing written guidance for the development of new contact tracing apps that support the fight against COVID-19 in relation to data protection.
Outside the reach of GDPR, countries such as China and South Korea have employed what have been called more intrusive technologies to monitor infected individuals and enforce quarantine measures. In the US, the government’s collaboration with Verily which aims to offer online screening tests only to users possessing a Google account has sparked controversy.
While health data collected by governments and companies can be vital in determining the effectiveness of COVID-19 preventive measures, understanding how data privacy laws apply during the pandemic is still unclear.
How do data privacy laws work during a global pandemic?
According to guidance published by The European Data Protection Board (EDPB), European organizations processing health data must ensure that the collection, storage, and use of sensitive data comply with all the principles and requirements under the GDPR and the ePrivacy Directive.
We recently covered everything you need to know about who can legally process health data, how they can do that fairly and transparently under GDPR, and what data they can collect from their visitors and employees - learn more here.
The California Consumer Privacy Act (CCPA) came into effect in the state of California at the start of 2020.
Under this regulation, individuals have the right to access the personal data a company has collected, used, shared or sold, the right to deletion, and the right to opt out of the sale of their data.
The rights of Californians and the responsibilities of businesses processing their sensitive data remain the same during the COVID-19 pandemic.
In the US, the processing and privacy of health data are regulated under the Health Insurance Portability and Accountability Act (HIPAA), which restricts how health care providers collect and share patients’ personal health data.
The HIPAA Privacy Rule was added in 2003 to clarify data privacy in healthcare. This regulation aims to safeguard highly sensitive data, also called Protected Health Information (PHI), and it includes "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual."
During the current public health emergency, the Department of Health and Human Services (HHS) decided not to enforce some HIPAA provisions, while the rest of the requirements remain applicable.
In the case of Japan’s Act on Protection of Personal Information (APPI), the processing or transfer of personal data to third parties without consent from the individual is allowed under existing law only in statutory exceptions such as preventing the spread of coronavirus.
However, companies must ask for transferred data to be anonymized, and have the right to know the exact purpose of its use and to cease data transfer at any time.
Which questions can employers ask related to COVID-19?
Although these questions vary depending on the region or country a business is located in, and the data privacy laws that apply to that territory, employers need to know what they can and can't ask employees or job candidates about their health.
Here’s a quick overview of questions employers can ask while keeping everyone safe and respecting data privacy laws.
Which health questions can employers in Europe ask?
European-based employers can use the European Data Protection Board (EDPB)'s latest statement on the lawful processing of personal data as a starting point for their data collection procedures. This statement mentions that,
“[T]he employer should only require health information to the extent that national law allows it." - European Data Protection Board (EDPB)
However, it doesn’t provide any practical advice for those looking to protect both the health and the privacy of their employees.
Aware of the difficulties this presents to employers taking the necessary steps to prevent the spread of the virus, the Data Protection Authorities (DPAs) of most EU countries have published guidance concerning data processing and COVID-19.
Guidance, however, is not consistent throughout all EU countries. Overall, they “explain that GDPR standards still apply throughout the pandemic” and “[encourage] organizations to be thoughtful about collecting excessive data and ensure health data, in particular, are not collected unless a special condition can be met.”
At the same time, some EU countries have expressed that, given data privacy issues that this pandemic presents, “any shortfalls in compliance will be considered appropriately.”
Overall, businesses in the EU should check with their local DPA before asking employees questions related to the pandemic.
Which health questions can employers in the United States ask?
The Equal Employment Opportunity Commission (EEOC), which enforces anti-discrimination laws in the workplace, has provided US employers with guidance and a comprehensive, official Q&A document to help them mitigate the effects of COVID-19 in the workplace.
The EEOC indicates that employers should refrain from asking such questions of teleworking employees, as they don’t represent a direct health threat to their coworkers.
Here's what US employers CAN ask their employees:
- if they have COVID-19 symptoms such as a fever, dry cough, shortness of breath, fatigue, or a sore throat, or if they currently are diagnosed with the virus
- if they have been tested for COVID-19
- if they came into contact with someone who tested positive for COVID-19
- if they’re currently under quarantine
- if they have recently traveled to a country with a level 3 health notice issued by the US Centers for Disease Control and Prevention (CDC)
When it comes to hiring, employers CAN screen job applicants for symptoms of COVID-19 as long as they do the same for all new employees in that job position.
Here's what US employers CAN'T ask employees (and should keep in mind):
US employers should also pay close attention to guidance provided by the Americans with Disabilities Act (ADA). This law sets strict guidelines around employers' ability to ask disability-related questions, make health history inquiries, and require medical examinations.
Thus, employers in the US CAN'T ask:
- if an employee or job applicant suffers from underlying medical conditions (which would put them in the high-risk category), as this can disclose the existence of a disability
- if family members have COVID-19 symptoms due to the Genetic Information Nondiscrimination Act (GINA), which forbids inquiries about the medical conditions of an employee’s family
Employers can, however, ask if the employee came into contact with someone diagnosed or under quarantine, as mentioned above.
*Note: the EEOC requires that employers maintain all information collected about employee illness as a confidential medical record in compliance with the ADA. If an employee tests positive for COVID-19, the employer shouldn’t disclose their identity to the other employees.
Which data privacy issues did COVID-19 bring to light?
COVID-19 has undoubtedly changed how health data is collected and shared. It has also shed light on the intricacies and blurriness of international data privacy regulations during pandemics.
These are only a handful of data privacy issues that need to be solved in a pandemic-stricken era.
1. The possibility of future misuse of data.
With the extensive use of mobile tracking apps being a key element in the fight against the spread of COVID-19, some fear that governments could continue to use them for digital mass surveillance long after the pandemic is over.
Furthermore, many wonder if these apps disclose to their users how highly sensitive data is being processed and protected. According to a recent study published in Nature Medicine,
Only 16 out of 50 COVID-19 apps reviewed promise to anonymize and encrypt users' collected data.
Only 20 of the globally based apps from the study's research sample are issued by governments, health ministries, or other official sources.
What has yet to be determined is whether user data collected by these outside apps is protected by US-based data privacy regulations like HIPAA. In the EU, however, such apps must comply with GDPR.
2. The lack of a national data privacy framework in the US.
Other than the CCPA (which applies only to California) and HIPAA, there is currently no other data privacy framework that acts as a national federal law for US data privacy.
Although privacy legislation does exist in other states, these laws vary widely in terms of scope and contents, which leaves room for a lot of uncertainty.
Consequently, The Exposure Notification Privacy Act was introduced in June 2020 by US senators to mitigate security risks concerning the collection of healthcare data. Exactly how this new policy will be implemented is still unclear, but the need for a country-wide standard in data privacy is becoming increasingly recognized and important.
3. The increased risk of data theft.
Finally, the mass collection of geolocation data and sensitive personally identifiable data presents a great cybersecurity risk.
This threat causes reluctance in using contact tracing apps for COVID-19 (and future pandemics).
Even Bluetooth-based contact tracing apps are not entirely secure, despite the fact that they have gathered much more support than their location-based alternatives for being less traceable. If not fixed, Bluetooth security flaws discovered this year in some medical devices could also attract cybercriminals of the future.
4. The need to sacrifice privacy for public health.
Data privacy laws of the future will need to address how much data we can and should sacrifice for the greater health of the public. While data privacy regulators enforce restrictions and new policies to protect personal data, some public health officials argue that these laws (even pre-COVID-19) "have had a significant negative impact on important public health research."
This conflict between securing personal data and empowering public health research will persist during and after COVID-19 as we determine how to rewrite data privacy rules around global pandemics.
The good news: some companies are doing data privacy right
The increased use of technology in the workplace over the last decade has made data privacy a top concern for many companies.
Now, as businesses get "return ready" and reopen offices following COVID-19 lockdowns, the need to ask sensitive questions of employees and visitors (while keeping data secure and private) is ever more important.
Cloud-based visitor management systems (VMS) are one of the technologies that have become essential to reopening offices. Today's VMS act as a necessary safeguard between businesses and external visitors, and ensure a safe contactless check-in to prevent the spread of COVID-19 in the workplace.
But this can't be at the expense of employees' and visitors' data privacy.
To help companies comply with international data privacy regulations during this pandemic and beyond, Proxyclick allows companies to screen visitors before they reach the premises while respecting the privacy of their data.
Our automatic data deletion feature removes personal data recorded after a specified number of days, which makes it adaptable to local or national data retention laws.
One for all and all for privacy
We live in a digital world where governments, health authorities, and businesses share the immense responsibility of securely handling the data of hundreds of millions of individuals.
The COVID-19 pandemic has opened our eyes to the lack of clarity among data privacy regulations in extraordinary circumstances. It's also uncovered the need to be proactive when it comes to safeguarding data.
As the conundrum of sacrificing personal information for public safety further comes into light in the coming years, it will remain a key responsibility of authorities and businesses - especially SaaS providers of workplace technologies - to safeguard employees’, visitors’, and customers’ data privacy.
To learn how Proxyclick helps ensure return-to-work safety, book a demo here.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.