Resources on COVID-19 Privacy and Cybersecurity Issues
Privacy Plus+
Privacy, Technology and Perspective
This week, we offer a short overview of privacy and cybersecurity guidance recently released by U.S. agencies and by data protection authorities across the world, along with links to this guidance.
Recent guidance contextualizes privacy during the pandemic and covers a wide range of issues, including privacy and security risks in teleworking; implementing workplace policies; and processing health data, location data and other personal information related to contact tracing, especially as implemented digitally through smartphone technologies.
Generally, data protection authorities around the world acknowledge that privacy laws and related protections still apply in a public health crisis, and they do not prevent the appropriate collection, use and sharing of personal information in connection with supporting public health. Rather, privacy and public health risks must be considered together and balanced in a way that promotes individuals’ continued trust in their health systems and governments. Individuals also must be aware that there are increased cyberthreats during this pandemic, and they should be prepared to detect and mitigate such threats, including increased phishing and malware attacks using COVID-19 themed lures as well as attacks against rapidly deployed technologies, like remote access and teleworking infrastructure.
Broadly speaking, data protection authorities have emphasized the following in relation to providing a framework to adequately address privacy risks:
Necessity and proportionality: The processing of personal information—generally speaking, its collection, use, disclosure and storage—must be rationally connected to the specific purpose to be achieved, and the amount of data collected must be minimized (e.g. it would not be appropriate for a contact tracing app to collect all information in a person’s smartphone address book, because the app’s purpose is to identify only those persons who have been in contact with a person infected with the virus);
Information Security: Reasonable administrative, physical, and technical safeguards, such as encryption, de-identification, and strict access controls, should be in place to safeguard personal information;
Openness and Transparency: Recognizing that transparency is a cornerstone of democratic governance, as well as privacy laws, the public, and wherever possible individuals, should be informed of the purpose of the collection of their personal information;
Purpose Limitation: Personal information collected, used, disclosed and stored during this crisis should only be used for the purpose for which it was originally collected, and it should not be commercialized (e.g. location information collected through a contact tracing app should only be used for that contact tracing, and not used for other reasons, such as to train AI or to deliver targeted advertising);
Storage Limitation: There should be strict time limits on storage of personal information. At the end of this crisis, the personal information should be destroyed; and
Consideration of Individual Rights: The rights of individuals vary depending on the jurisdiction in which they reside. This crisis does not suspend or restrict the exercise of those rights, whether exercised by an EU resident pursuant to Articles 12 to 22 of the GDPR, or by a resident of California under the California Consumer Privacy Act (CCPA).
Let’s turn to the links:
We start by highlighting the Global Privacy Assembly’s COVID-19 resources library, which has aggregated much of this guidance already. A link to the GPA’s library follows:
https://globalprivacyassembly.org/covid19/covid19-resources/
In addition, we point to these resources published by various agencies and organizations in the United States:
OCR HIPAA Announcements Related to COVID-19:
https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html
OSHA COVID-19 Resource Page:
https://www.osha.gov/SLTC/covid-19/standards.html
EEOC COVID-19 Resource Page:
https://www.eeoc.gov/coronavirus/
FBI Guidance regarding "VTC Hijacking":
DOD Special Report on Protecting Patient Health Information During the COVID-19 Pandemic:
https://media.defense.gov/2020/Apr/27/2002289051/-1/-1/1/DODIG-2020-080.PDF
NIST COVID-19 Guidance:
https://www.nist.gov/coronavirus
Joint alert from DHS, CISA and the United Kingdom’s National Cyber Security Centre (NCSC): COVID-19 Exploited by Malicious Cyber Actors:
https://www.us-cert.gov/ncas/alerts/aa20-099a
CDC Interim Guidance on Developing a COVID-19 Case Investigation & Contact Tracing Plan:
https://www.cdc.gov/coronavirus/2019-ncov/downloads/case-investigation-contact-tracing.pdf
Johns Hopkins Guidance for a National Plan to Enable Comprehensive COVID-19 Case Finding and Contact Tracing in the US:
CDC Guidance on Digital Contact Tracing Tools:
CDC Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19:
Australia’s COVIDSafe App Privacy Impact Assessment:
https://www.health.gov.au/resources/publications/covidsafe-application-privacy-impact-assessment
UK Information Commissioner’s Formal Opinion on Apple and Google Joint Initiative on COVID-19 Contact Tracing Technology:
Last updated: June 17, 2020
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.