COVID-19 Data Privacy

Covid-19 data privacy concerns refer to the balance between health and privacy during the pandemic and the concerns that citizens have over their personal information. As Covid-19 caused a global emergency in March 2020, several restrictions were put in place by governments and institutions in order to save lives. Mounting evidence demonstrates that the collection, use, sharing and further processing of data can help limit the spread of the virus and aid in accelerating the recovery, especially through digital contact tracing.^[1] Data collection could include vast amounts of personal and non-personal sensitive data. As a result, there have been several concerns from the public that certain measures put in place during the Covid-19 pandemic have led to the infringement of fundamental human rights and freedoms.

Concerns by Country

China

Baidu, a Chinese search engine company, developed an algorithm for the Beijing subway police to identify commuters who were not wearing masks. Baidu also has an online consultation service, which has handled over 15 million inquiries. Chinese legislation doesn’t limit Baidu in what they can do with health information from its users. Alibaba, the world’s largest e-commerce company, launched a drug delivery service to treat people with chronic illnesses. The service entered health information from patients into an extensive database, which also tracked their online purchases.^[2]

South Korea

In South Korea, a quarantine protection tracking app worked by alerting officials if people were violating restrictions. South Korea also introduced a facial recognition app that allowed health providers to quickly identify names of patients.

Israel

When Israel ordered citizens to stay at home, it used a cell phone tracking tool, also used to track terrorists, so that the government could tell if citizens were breaking protocols. Some politicians in Israel referred to the mobile phone tracking system as an assault on the privacy of Israelis. Supercom, a biometric company headquartered in Israel, introduced an electronic monitoring and tracking platform for the population.^[3]

United States

In the US, the government worked with data mining company Palantir to model the virus outbreak. The government also worked with other companies to scrape public social media data to monitor public discussion of symptoms. The government also had active talks with Facebook and Google (among others) about using location data from Americans’ phones to map the spread of the infection.^[4]

Concerns by Practice

Contact Tracing

Contact tracing is the process of identification of persons who may have come into contact with an infected person and subsequent collection of further information about these contacts. According to the World Health Organization (WHO), data protection and privacy laws need to be in place to provide a legal basis for data processing, restrictions on data use, measures to establish oversight, and sunset clauses to dismantle certain technologies. The WHO also outlined several principles for the appropriate use of tracking technologies, which include time limitation, data minimization, and transparency.^[5]

Testing

Covid-19 testing has led to increased data collection from citizens. Personal data and test results are sometimes shared freely between health care providers and public health officials. In some cases, first responders have been given the addresses of people who have tested positive for Covid-19. Several countries, including the UK, US, and Germany, have considered using antibody test information as “immunity certificates.”^[6]

Vaccines

Vaccinations for Covid-19 require data collection from the general public. In an effort to vaccinate the population quickly, Philadelphia partnered with a nonprofit, Philly Fighting COVID. It was eventually discovered that the nonprofit changed its status to ‘for profit’ and its private policy claimed that it could sell preregistration data it collected. The data it collected included name, birthday, address, and occupation.^[7] There have also been concerns that collecting personal data could dissuade undocumented people from getting vaccinated.^[8]

Legislation

Introduced in April 2020, the Covid-19 Consumer Data Protection Act,^[9] would make it unlawful for a covered entity to “collect, process, or transfer the covered data of an individual” without prior notice and express consent unless necessary to comply with a legal obligation. Covered in the bill, entities would need to provide individuals with the right to opt-out from having data collected. Entities would also be required to delete information when it is no longer useful and minimize their collection of data.^[10]

Senators are trying to pass better privacy health laws in order reassure the public that their health information stays private. The Public Health Emergency Privacy Act^[11] is one piece of legislation that would provide some legal safeguards. The act, introduced in May 2020, would do the following:

• Ensure that data collected for public health is strictly limited for use in public health;
• Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
• Prevent the potential misuse of health data by government agencies with no role in public health;
• Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
• Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
• Require regular reports on the impact of digital collection tools on civil rights;
• Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent;
• Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

Notes

1. ↑ https://www.who.int/news/item/19-11-2020-joint-statement-on-data-protection-and-privacy-in-the-covid-19-response
2. ↑ https://businesslawtoday.org/2020/03/covid-19-data-privacy-health-vs-privacy
3. ↑ https://businesslawtoday.org/2020/03/covid-19-data-privacy-health-vs-privacy
4. ↑ https://www.wsj.com/articles/to-track-virus-governments-weigh-surveillance-tools-that-push-privacy-limits-11584479841
5. ↑ https://www.who.int/publications/i/item/WHO-2019-nCoV-Ethics_Contact_tracing_apps-2020.1
6. ↑ https://iapp.org/news/a/should-first-responders-know-the-addresses-of-those-with-covid-19/
7. ↑ https://www.vox.com/recode/22251118/vaccine-health-data-privacy-laws-philadelphia
8. ↑ https://www.beckershospitalreview.com/cybersecurity/state-officials-express-privacy-concerns-over-cdc-s-call-for-covid-19-vaccine-data-registry.html
9. ↑ https://iapp.org/news/a/republican-senators-to-introduce-the-covid-19-consumer-data-protection-act/
10. ↑ https://www.congress.gov/bill/116th-congress/senate-bill/3663
11. ↑ https://www.bennet.senate.gov/public/_cache/files/e/f/eff19960-ab72-42df-b49f-7e3dbe66c75a/87421A2A334F7DD17EE87A9F75AFA39F.public-health-emergency-privacy-act---one-pager.pdf