Click to open contact form.
Your Global Partners in the Business of Innovation

Privacy Issues Abound as the World Scrambles to Combat the Coronavirus Pandemic

Client Update / Apr 01, 2020

Article written by Haim Ravia, Dotan Hammer and Adi Shoval

Israel Government Authorizes its Security Agency to Monitor Whereabouts of Individuals

In the fight against the proliferation of the Coronavirus, the Israeli government has directed Israel’s national security agency (known as the General Security Service, or colloquially, the Shabak) to use mobile network location data to monitor the whereabouts of individuals diagnosed with COVID-19 and the persons they met with and possibly infected. This measure continues after the Israeli Supreme Court weighed in and decided to generally affirm the measure so long as it is done under parliamentary oversight.

Under the National Security Agency Law, the government may direct the agency to take on missions that promote the vital interests of national security in Israel. Such missions are also subject to parliamentary approval and oversight by the Secret Services Sub-Committee of the Knesset. The Sub-Committee indeed approved the government’s directive to the national security agency, subject to certain modifications, at least until April 30th.

The national security agency cross-checks the whereabouts of individuals who tested positive for Coronavirus with individuals who were near them in the 14 days before the diagnosis. The resulting list of individuals is disclosed to the Israeli Ministry of Health. Those individuals are then sent a text message ordering them to remain in quarantine for 14 days from the date of their contact with the diagnosed individual.

The agency has been authorized to process 14-day lookback location data, full names, national identification number, phone number and possibly the person’s date of birth. The use of the data for any purposes other than those explicitly authorized under the emergency regulation is strictly prohibited.

The national security agency is prohibited from taking any enforcement action, including enforcement of quarantine orders. The agency may not disclose or transfer the data that it processes to any government agencies other than the Ministry of Health. The Ministry will monitor those who must be quarantined with the assistance of the Israeli national police. The government also authorized the Police to process the location data of individuals who have tested positive for coronavirus to enforce quarantine orders.

CLICK HERE to read the Israeli Government’s directive to the Israeli Security Agency (in Hebrew).

Regulators Worldwide Issue Statements on Privacy during the Coronavirus Pandemic.

  • European Data Protection Board

The European Data Protection Board (the “EDPB”), has issued a statement explaining that the GDPR will Not Impede Efforts against Coronavirus. According to the EDPB, the GDPR allows for derogations from the general prohibition on processing special categories of personal data, such as health-related data. This applies where processing is necessary for reasons of substantial public interest in the area of public health based on EU or national law, or where there is the need to protect the vital interests of the data subject.

The EDPB also indicated that the EU e-Privacy Directive allows processing telecom data, such as location data, in that it authorizes the EU member states to introduce legislative measures to safeguard public security, so long as the legislation is necessary, appropriate and proportionate within a democratic society.

In the employment context, the EDPB clarifies that employers can inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. Where it is necessary to reveal the name of the employee(s) who contracted the virus and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

CLICK HERE to read the European Data Protection Board’s statement.

  • Israel

The Israeli Protection of Privacy Authority published guidelines on privacy protection issues relating to the Coronavirus pandemic. Among other matters, the authority’s guidelines explain that disclosing information about an employee who has been exposed to Coronavirus may be permitted if done in good faith to protect other employees.

The authority emphasized that where possible, employers should refrain from identifying an employee by name and instead should preferably provide information only about the relevant times and whereabouts of that employee while they were at work.

The guidelines also address other issues such as whether public authorities may disclose information among them in connection with the pandemic, privacy aspects of working or studying remotely, and the rights of data subjects.

CLICK HERE to read the Israeli Protection of Privacy Authority’s guidelines (in Hebrew).

  • U.S. Department of Health and Human Services

The U.S. government’s Department of Health has announced that it will not strictly enforce the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as it pertains to telemedicine during the Coronavirus pandemic.

According to the Department’s announcement, a health care provider that wishes to use audio or video communication technology to provide telehealth to patients during the COVID-19 public health emergency may use any non-public facing remote communication product that is available to communicate with patients. It may do so regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. However, health care providers must notify patients that these third-party applications may introduce privacy risks, and enable all available encryption and privacy modes when using them.

CLICK HERE to read the U.S. Department of Health’s statement.

  • Spain’s Data Protection Authority

The Spanish data protection authority has issued a report explaining that the legal basis under the GDPR which allows processing personal data to protect the vital interest of an individual applies to an employer processing personal data of its employees to protect them from pandemic infection.

In addition, the report indicates that national employment laws in Spain impose a duty on employers to protect their employees from occupational risks and guarantee the safety and health of all workers at their service in aspects related to work. They also require that employees inform their employers if they believe they may be a health risk to others.

Nevertheless, the report emphasizes that data protection principles, such as data minimization, proportionality, and necessity of the processing still apply.

CLICK HERE to read the Spanish data protection authority’s report.

  • United Kingdom’s Privacy Regulator

The UK Information Commissioner’s Office (the “ICO”) published guidelines on data protection in the UK during the pandemic. The ICO explains that while it cannot lawfully extend statutory timescales, it will not penalize organizations for not meeting the necessary data protection standards due to the pandemic’s fallout.

The ICO also acknowledges that public bodies may need to engage in additional collection and sharing of personal data and the use of novel technologies and processing methods to protect against serious threats to public health. The ICO recognizes that an organization may collect, process and disclose certain types of data of its employees to protect their health. However, such processing should be performed using the least intrusive measures and the minimum data necessary.

CLICK HERE to read the ICO’s guidelines.

  • Italian Government

The Italian Government has issued new guidelines on protecting personal data of employees. According to the guidelines, an employer is allowed to measure the temperature of employees before allowing them to enter the workplace. However, employers must refrain from storing such personal data, unless they need do to so to maintain a record that a specific employee is not permitted to enter because of a fever.

Employers must also notify employees of the purpose and legal basis for the processing, retention period, protective measures taken. They also must refrain from disclosing the personal data to any third party.

CLICK HERE for the Italian government guidelines (in Italian).

INNOVATION HIGHLIGHTS