Guidance on processing personal data during the COVID-19 pandemic

The evolving COVID-19 scenario has raised new challenges for companies about how to adequately manage data protection and cybersecurity issues. Indeed, even in particularly difficult situations such as the one we are living through, data protection principles must be respected and, in order to do that, it is very important that companies have a clear idea on which is the correct way to process personal data. 

The GDPR Temperature Tool developed by Cyberwatching.eu is an optimal instrument for European SMEs to understand how much they comply with the General Data Protection Regulation that came into force in May 2018 with the objective of gathering the most highly respected standards and principles around the world and applying them to protect EU citizens’ data privacy.

About it, Andrea Jelinek, Chair of the EDPB, recently said that “the GDPR is designed to be flexible. As a result, it can enable an efficient response to support the fight against the pandemic, while at the same time protecting fundamental human rights and freedoms. When the processing of personal data is necessary in the context of COVID-19, data protection is indispensable to build trust, to create the conditions for social acceptability of any possible solution and, therefore, to guarantee the effectiveness of these measures”.

In order to better understand how to deal with the processing of personal data in the context of the COVID-19 outbreak, a number of European organizations and National institutions has released different series of guidelines and recommendations. ICT Legal Consulting has gathered official resources about Privacy and Data Protection in the context of the current health crisis. You can find them all listed below.

Statements from EDPS, EDPB and UN

Council of Europe – Joint Statement on the right to data protection in the context of the COVID-19 pandemic

European Commission – Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps; Coronavirus: An EU approach for efficient contact tracing apps to support gradual lifting of confinement measures;  Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps; Recommendation on apps for contact tracing 

European Data Protection Board – Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak; Statement on the processing of personal data in the context of the COVID-19 outbreak Adopted on 19 March 2020; Twentieth plenary session of the European Data Protection Board – scope of upcoming guidance on data processing in the fight against COVID-19; EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic

European Data Protection Supervisor – Monitoring the speed of COVID-19, EDPS Comments to DG CONNECT of the European Commission on monitoring of COVID-19 spread; EU Digital Solidarity: a call for a pan-European approach against pandemic’ – Wojciech Wiewiórowski

Europol – How criminals profit from the COVID-19 Pandemic

United Nations Special Rapporteurs – COVID-19: States should not abuse emergency measures to suppress human rights

National Statements and Guidance

Abu Dhabi Global Market – Coronavirus (COVID-19) – Implications for Data Protection Frequently Asked Questions

Albania – IDP Guidelines on the protection of personal data in the context of the measures taken against COVID-19

Andorra – Data Protection Authority of Andorra, Recomanacions sobre tractaments de dades personals en el context actual de pandèmia; Sobre Tractament de fades en la crisi del Covid-19

Argentina – Agencia de Acceso a la Información Pública  Tratamiento de datos personales ante el Coronavirus; Argentina Ministry of Health information on reporting framework 

Australia – Office of the Australian Information Commissioner (OAIC), Coronavirus (COVID-19): Understanding your privacy obligations to your staff – Agencies; Coronavirus (COVID-19): Understanding your privacy obligations to your staff; Australian Cybersecurity Centre, Cyber security is essential when preparing for COVID-19

Austria – Austrian Data Protection Authority, Information on Coronavirus (Covid-19); Coronavirus FAQ; Data security and home office 

Belgium – Data Protection Authority of Belgium, COVID-19 and processing of personal data at work

Bosnia and Herzegovina – Data Protection Authority of Bosnia and Herzegovina, Press release regarding the processing of personal data in the context of activities triggered by the Coronavirus pandemic

Bulgaria – Commission for Personal Data Protection, CPDP introduces anti-epidemic measures against the spread of COVID-19

Burkina Faso – National Commission for Informatics and Liberties, Message on Coronavirus Pandemic (COVID-19)

Canada – Office of the Privacy Commissioner of Canada, Announcement: Commissioner issues guidance on privacy and the COVID-19 outbreak  and Guidance: Privacy and the COVID-19 outbreak, Office of the Information and Privacy Commissioner of Alberta Privacy in a Pandemic. Province of British Columbia, Ministerial Order No. M085 of the Minister of Citizens Services. Information and Privacy Commissioner of Saskatchewan, Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19. Information and Privacy Commissioner of Ontario, Impact of COVID-19. Commission d’accès à l’information du Québec, COVID-19: Protection of personal information and information security. Yukon Information and Privacy Commissioner, Actions being taken by Yukon Ombudsman, Information and Privacy Commissioner and Public Interest Disclosure Commissioner in response to COVID-19. Office of the Information and Privacy Commissioner of the Northwest Territories, Privacy in a Pandemic. Office of the Information and Privacy Commissioner of Newfoundland and Labrador, Don’t Blame Privacy – What To Do and How To Communicate in an Emergency. Manatoba Ombudsman Advisory for trustees about responding to individuals’ access requests under PHIA during the COVID-19 pandemic

China – Cyberspace Administration of China, Notice on protecting personal information and using big data to support joint prevention and control

Colombia – Superintendency of Industry and Commerce on the prohibition to collect biometric information (sensitive data) with a view to preventing the spread of COVID-19 through indirect contact; Personal Data and Coronavirus COVID 19: Collection and use of data in cases of medical or health emergency

Croatia – Croatian Data Protection Authority, Processing of personal health information in the context of a COVID-19 virus emergency

Cyprus – Data Protection Authority of Cyprus, Announcement of the Commissioner for the Protection of Personal Data regarding the measures taken for the management of the pandemic

Czech Republic – For the processing of personal data in the framework of measures against the spread of coronavirus

Denmark – Datatilsynet, How about GDPR and coronavirus? and
Corona virus and digital infection detection

Estonia – Data Protection Authority of Estonia, Can an employee be required to talk about everything about his or her health?

Finland – Office of the Data Protection Ombudsman, Data protection and limiting the spread of coronavirus

France – Commission Nationale de l’Informatique et des Libertés, Coronavirus (Covid-19): les rappels de la CNIL sur la collecte de données personnelles; Recherches sur le COVID-19: la CNIL se mobilise; Crise sanitaire: audition de Marie-Laure DENIS, Présidente de la CNIL, devant la commission des lois

Gibraltar – Gibraltar Regulatory Authority Data protection and Coronavirus: What you need to know

Georgia – Statement Of The State Inspector’s Service, Covid-19

Germany – Office of the Federal Commissioner for Data Protection and Freedom of Information, DSK provides information on data protection and Coronavirus; German Data Protection Supervisory Authorities joint information paper on data protection and the Coronavirus pandemic; Hamburg DPA Datenschutz in Zeiten von Covid-19

Greece – Hellenic Data Protection Authority, Guidelines for personal data processing in the management of COVID-19

Hong Kong – Privacy Commissioner for Personal Data, The Use of Information on Social Media for Tracking Potential Carriers of COVID-19  and Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing; Fight COVID-19 Pandemic Guidelines for Employers and Employees; PCPD Provides Guidelines on Children’s Privacy during the Pandemic

Hungary – Hungarian National Authority for Data Protection and Freedom of Information, Information on processing data related to the Coronavirus epidemic

Iceland –Data Protection Authority, COVID-19 and privacy

Ireland – Irish Data Protection Commission, Data Protection and COVID-19; Covid 19 and Subject Access Requests

Israel – Privacy Protection Authority, Privacy protection following the spread of the Corona virus: questions and answers for conduct; Q&A in the Corona Period

Italy – Garante per la protezione dei dati personali, Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA, Italian state – Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency and Italian state – March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces; Informal hearing by videoconference of the Italian DPA on the use of new technologies and internet to combat the Coronavirus epidemiological emergency

Isle of Man – Information Commissioner, Coronavirus, Data Protection, and Freedom of Information

Japan – Personal Information Protection Commission, Handling of personal data for preventing the spread of Novel-Coronavirus (COVID-19) disease

Jersey – Office of the Information Commissioner, Data Protection and Coronavirus

Latvia – Data Protection Authority of Latvia, The DSI draws attention to the rights and obligations of individuals in the field of data protection in the context of health information

Lithuania – State Data Protection Inspectorate, Personal Data Protection and Coronavirus COVID-19

Luxembourg – National Commission for Data Protection, Coronavirus (COVID-19): recommendations by the CNPD on the processing of personal data in the context of a health crisis

Malta – Office of Information and Data Protection Commissioner, Processing of personal data in the context of COVID-19

Mexico – Government of Mexico, Guide for workplaces in light of COVID-29.  National Institute for Transparency, Access to Information and Personal Data Protection, Ante casos de COVID-19, INAI emite recomendaciones para tratamiento de datos personales, Suspende INAI eventos públicos, por recomendación de la SSA para evitar contagio de COVID-19, and Adoptará INAI como medida de prevención el trabajo a distancia ante COVID-19;

Netherlands – De Autoriteit Persoonsgegevens, AP gives organizations more time due to corona crisis; Access to medical files is only permitted with the patient’s consent; Using telecom data against corona is only possible with emergency law; AP: Corona apps only if privacy is guaranteed; Dutch Ministry of Health, Welfare and Sport, the National Attorney for Health, Welfare and Sport-Commissioned Summary privacy analysis contact research apps

New Zealand – Office of the Privacy Commissioner, Covid-19 and privacy FAQs, Privacy and Covid-19: Hospitality establishment guest registers; Privacy Commissioner briefed on Police contact and trace system for returning travellers

North Macedonia – Personal Data Protection Agency of the Republic of Northern Macedonia, Data Protection and Coronavirus

Norway – Datatilsynet,  Corona and privacy; New tracking app to prevent coronavirus infections

Peru – Autoridad Nacional de Protección de Datos Personales del Peru, Divulgar datos personales de pacientes con coronavirus puede ser multado hasta con 215 mil soles

Phillipines –National Privacy Commission, NPC PHE BULLETIN No. 3: Collect what is necessary. Disclose only to the proper authority

Poland  – Personal Data Protection Office of Poland, Statement by the President of the Personal Data Protection Office on coronavirus

Romania – National Supervisory Authority for Personal Data Processing, Processing of health status data

San Marino – Autorità Garante per la protezione dei dati personali, Public announcement on COVID-19 emergency

Singapore – Personal Data Protection Commission, Advisory on Collection of Personal Data for COVID-19 Contact Tracing

Slovakia – Office for Personal Data Protection of the Slovak Republic, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Coronavirus and processing of personal data

South Africa – Information Regulator, Guidance Note on the processing of personal information of data subjects in the management and containment of COVID 19

Spain –  Agencia Española de Protección de Datos, Report from the State Legal Service Department on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from Covid-19, Covid-19 FAQs,  La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19, Campañas de phishing sobre el COVID-19; Comunicado de la AEPD sobre apps y webs de autoevaluación del Coronavirus

Sweden – Datainspektionen, Corona virus and personal data

Switzerland – Federal Data Protection and Information Commissioner, Data protection legal framework for the containment of the coronavirus

Tunisia – Instance Nationale de Protection des Données Personnelles, Recommendations of the National Authority for the Protection of Personal Data Relating to the Protection of Personal Data in the Period of COVID-19

Turkey  – Turkish Data Protection Authority KVKK, Public Announcement on COVID-19; Turkish DPA announcement in connection with the COVID-19, reminding of the general principles of the Turkish Data Protection Law and related FAQ

Ukraine – Ministry for Digital Transformation, We launched a digital coronavirus tool

United Kingdom –  Information Commissioner’s Office (ICO), Data protection and coronavirus: statement for health and care practitioners; COVID-19: general data protection advice for data controllers; and The power of data in a pandemic; Blog: Combatting COVID-19 through data: some considerations for privacy

United States of America  – Federal Communications Commission, Declaratory Ruling on COVID, and Department of Health and Human Services, HIPAA Privacy and Novel Coronavirus; Department of Health and Human Services, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities; California AG, Attorney General Becerra Reminds Consumers of their Data Privacy Rights During the COVID-19 Public Health Emergency