Global Regulatory Guidance for COVID-19 Privacy and Security Issues: Key Takeaways from 60+ Jurisdictions
More than 60 U.S. and global data protection authorities and governmental agencies have issued guidance on health data collection, COVID-19 diagnosis disclosure, work-at-home practices, and return-to-work approaches. The guidance concerning company processing of personal health information related to COVID-19 varies in its level of restrictiveness. Generally, more restrictive countries prohibit systematic or general data collection and disclosure of the identity of individuals who are suspected or confirmed to be impacted by COVID-19. Less restrictive countries acknowledge that processing may be permissible if necessary to protect the vital interests of the data subject or third parties (the general public), but that processing must be proportional, adequate, relevant and limited to the minimum necessary.
The table below shows where each of the countries that has released guidance falls with respect to restrictiveness of processing. We also summarize the guidance in actionable dos and don’ts.
Our team is assisting many clients in addressing complex legal, operational, and compliance challenges related to COVID-19. If you would like to discuss those that you are facing, please contact us.
The table below summarizes common elements or perspectives for each level of restrictiveness. (Note: Some slight variations across jurisdictions may exist. Not all jurisdictions are represented.)
Actionable Dos and Don’ts
The following dos and don’ts help summarize some of the commonalities and key takeaways across the regulatory guidance.
Data Collection and Prevention Efforts
Don’ts. Generally sensitive or restricted practices:
Recording the temperature readings taken
Conducting employee/worker health surveys asking questions relating to family members and others living in the home
Requesting and collecting information about employee/worker social interaction and information about locations visited outside of work
Dos. Generally acceptable and/or recommended practices:
Taking temperature readings without recording them, and recording only the names of people who were sent home to quarantine because of an elevated temperature
Conducting health surveys of employees and other workers, including asking them if they are experiencing symptoms of the virus, such as fever and shortness of breath
Requiring home quarantine for people suspected of having come into contact with someone with COVID-19, and/or exhibiting symptoms (e.g., fever, dry cough) or otherwise not feeling well
Requiring a doctor’s note to certify fitness-for-duty to return to work
Using cell phone tracking software to track location information and confirm home quarantine compliance for people with COVID-19 (Israel only). Consent to collect precise location information may be required in some countries
Disclosures of Names of Individuals with Confirmed or Suspected Cases
Don’ts. The identity of impacted individuals should not be disclosed to:
Co-workers and other company personnel. Notices to co-workers should not name the individual; they should identify the location involved (e.g., office, building) and the people who should closely monitor their health because they may have come into contact with one or more individuals who potentially had the virus
Executives and direct supervisors, to the extent possible; where disclosure cannot be avoided, limit it to those with a need to know under the circumstances
Dos. Disclosures of the name of the impacted individual should only be made in three limited circumstances:
To health and safety government agencies without consent of the individual in cases of confirmed illness
To healthcare providers with consent of the individual to aid the individual’s treatment
To family members with consent of the individual to help the family protect themselves and/or aid the individual’s treatment
Returning to the Workplace
Dos. Follow the approach outlined below, based on guidance from the Centers for Disease Control and Prevention (CDC), the Equal Employment Opportunity Commission (EEOC) and global data protection authorities, to comply with applicable regulations and best practices:
Testing. Measure or verify employee/worker wellness through temperature readings.
Be transparent with employees (communicate the protocol, provide a privacy notice, and set a single temperature threshold so that testing is applied consistently)
Obtain consent to the performance of the testing
Minimize invasiveness (e.g., through contactless thermometers)
Appoint a designated tester—ideally an on-site medical staff person or other medical professional (e.g., R.N., M.A.) if possible
Designate a testing site to preserve privacy and maintain distancing
Limit recordkeeping to only suspected or confirmed cases; store records separately from personnel records and treat as a confidential medical record
Office Strategy. Develop an office strategy for minimizing risk going forward. Options include:
Staggering employee returns
Maintaining social/physical distancing in the office (e.g., not seating people in adjacent cubicles)
Continuing heightened cleaning, including of all frequently touched surfaces
Requiring infection control practices (e.g., regular hand-washing, PPE such as masks, discouraging handshaking)
Providing necessary supplies to employees (e.g., tissues, no-touch disposal receptacles, soap and water, hand sanitizers)
Placing posters that encourage good hygiene practices
Contact Tracing. Track individual contacts using technology.
Encourage participation (do not require it unless the law does)
Collect the minimum data needed to effectively trace
Enforce tight access controls to the data, limiting to a small group or health authorities only
Disaster Recovery Resumption. Approach the return-to-work situation in the same way you might approach disaster recovery.
Define the “new normal” for the company
Identify adjustments made during the pandemic that may need to be discontinued (e.g., access controls, subscriptions/memberships)
Consider using a questionnaire for planning purposes
Remote Working. Encourage continued remote working, especially for at-risk groups.
The above summary of regulatory guidance is not meant to be all-inclusive, and organizations are recommended to review the source of the information directly for definitive guidance, especially given the variations that may exist across jurisdictions. The International Association of Privacy Professionals has compiled a resource of links to the original regulatory guidance for further review.
*Brent Tuttle and Jim McKenzie are privacy and cybersecurity advisors at Fenwick and contributed to this research and report.