United States

The Family Educational Rights and Privacy Act (FERPA): 

 

Monitoring Outbreaks: Educational agencies and institutions should prepare consent forms for parents and eligible students to sign in order to allow the potential sharing of personal data if they want the ability to create, or intend to create, a tracking system to identify an outbreak of COVID-19.

 

Disclosure Rules:

  • Data may be disclosed without consent to public health officials, law enforcement, trained medical personnel, and others as directed by public health authorities if "an articulable and significant threat exists...as a result of the virus that causes COVID-19," to  (e.g., FERPA's health or safety emergency exception).

  • May be disclosed to students and parents within the school community, but only in non-personally identifiable form.

 

Records Management:

  • When making a disclosure under the health or safety emergency provision in FERPA, educational agencies and institutions are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the agency or institution disclosed the information. 34 C.F.R. § 99.32(a)(5). 
  • The record of each request for access to and each disclosure of PII from student education records must be maintained with the education records of each student as long as the records are maintained. 34 C.F.R. § 99.32(a)(2). This requirement enables parents and eligible students who do not provide written consent for disclosure of education records to see the circumstances under which and the parties to whom their information was disclosed.
 

HIPAA:

 

Covered entities can disclose the personal health information (PHI) of individuals who either have COVID-19 or have been exposed to it to law enforcement, paramedics, other first responders and public health authorities without the individual’s authorization.

 

Disclosure Rules: Disclosure is permitted without authorization.

 

1. when needed to provide treatment;

 

2. when required by law;

 

3. to notify a public health authority to prevent or control spread of disease;

 

4. when first responders may be at risk of infection;

 

5. when disclosure to first responders may prevent or lessen serious or imminent threat to health and safety of a person or the public; and

 

6. in response to a request from law enforcement or correctional institution having lawful custody of an individual.

 

7. the Centers for Disease Control and Prevention (CDC)

 

8. Centers for Medicare and Medicaid Services (CMS)

 

Americans With Disabilities Act (ADA):

 

It is permissible for employers to ask whether employees are experiencing symptoms such as:

  • fever

  • chills

  • cough

  • shortness of breath

  • sore throat

 

The collection of body temperature is also permitted. Screening questions can be composed from guidance provided by the EEOC, CDC, public health authorities or other reputable medical sources.


Records Management: Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Department of Health and Human Services Office for Civil Rights: 

 

According to the Department of Health and Human Services Office for Civil Rights, the disclosure of personal data is permitted without authorization:

 

  • when needed to provide treatment

  • when required by law

  • to notify a public health authority to prevent or control spread of the disease

  • when first responders are at risk of infection

  • when disclosure to first responders may prevent or lessen serious or imminent threat to health and safety of a person or the public

  • in response to a request from law enforcement or correctional institution regarding an inmate

Learn more here.

Europe

European Regulations:

The European Data Protection Board (EDPB): The EDPB advises organizations to only collect health data to the extent that it is permitted by law. Furthermore, location data can only be used by telecom operators, and that data can only be transmitted to authorities after it has been anonymized by the provider and with consent from the user.

Learn more here.

Committee of Convention and Council of Europe: If you are required to process employee health data, respect the principles of necessity, proportionality and accountability in order to mitigate risks of processing. Digital contact tracing should be done on the basis of connection between devices rather than the collection of location data. Any applications designed for contact tracing must ensure that location data is not used.

Learn more here.


Albania

Telecom operators must complete an impact analysis before transmitting location data for COVID-19 tracking purposes. The processing of location data has to be carried out in an anonymous and aggregated way.

Learn more here.

Austria

Collection of data is allowed from people who have been diagnosed with COVID-19 and/or are suspected of being in contact with an infected person or are staying in a risky region.

Learn more here.

Belgium

A health assessment or questionnaire concerning COVID-19 can only be carried out by an occupational physician.

Learn more here.

Croatia

Symptom collection must be necessary and proportionate to fulfill a legal basis. The service industry can collect the time of entry and exit of a consumer to and from the premises, along with their phone number. However, they are not allowed to collect consumer temperatures.

Learn more here.

Czech Republic

Organizations should only disclose identifying information when necessary to protect employee health. Disclosure of the information may not harm the dignity and integrity of the infected individual. Public health authorities may require telecoms to provide data to identify and track the outbreak. This includes location data from mobile phones. Users must be informed of such disclosures.

Learn more here.

Denmark

 

It is permissible to collect the following information from an employee or visitor:

 

  • whether the employee or visitor has returned from a risk area

  • whether they are under quarantine (without stating the reason)

  • whether they are ill (without stating the reason)

 

Limit details of personal data to only what is necessary.

 

Learn more here.

Estonia

 

It is permissible to ask whether an employee or visitor:

 

  • has been in a risk area

  • has been exposed to infected people

  • is fit to work

 

Personally identifying information should only be disclosed if necessary to protect employees’ lives, health or liberty. Personally identifying information can be disclosed to specific individuals with whom the infected worker has been in contact.

 

Learn more here.

Finland

Organizations can ask whether an employee:

  • is infected by the virus

  • returned from an infected area

  • is in quarantine (without additional information).

 

However, individual identities cannot be disclosed to others.

 

Learn more here.

France

Personal data should only be collected to manage the virus. Any individual inquiries into symptoms presented by an individual are prohibited. 

 

Temperature screenings using a thermometer are permitted at entrances. However, automated tools, such as thermal cameras, are not permitted. Furthermore, temperature screenings cannot be mandatory and employees are entitled to refuse.

 

Learn more here.

Germany

 

It is permissible to ask whether an employee:

  • has been infected

  • has been in contact with an infected person

  • has visited a known infected area

Learn more here.

In workplaces with particularly close contact employers can measure employees’ body temperatures and ask employees if they are experiencing specific symptoms.

Learn more here.

Names and contact details of visitors can be collected and transmitted to health authorities upon request.

Learn more here.

 

Prior to the transmission of cell phone data, the following must be considered:

  • voluntary participation based on informed consent

  • narrow purpose limitation for movement and contact data

  • effective pseudonymisation and secure transmission

  • decentralized storage on mobile devices

  • deletion of data after the 14 day quarantine period

Learn more here.

Hungary

Employee questionnaires are permitted based on risk assessment. However, they cannot include medical history or health documentation. In addition, screenings with diagnostic devices (thermometer) are prohibited. Only healthcare professionals can test employees, and they may share the results of exams with employers only.

Learn more here.

Iceland

 

Questionnaires are permitted that ask if an employee:

  • visited a risk area

  • is experiencing symptoms

  • had contact with someone who traveled to a risk area.

 

Temperature measurements are permitted only with employee consent.

 

Learn more here.

Ireland

Organizations can ask whether an employee:

  • visited an affected area

  • is experiencing symptoms

  • has been diagnosed with the virus. 

 

However, employee identities cannot be disclosed.

 

Learn more here.

Italy

It is permissible to collect from employees and visitors whether they have come in contact with an infected person. Systemic, continuous or generalised collection of symptoms or visits to places outside the workplace is prohibited.

 

An individual’s temperature should only be recorded when necessary to document the reasons that prevented access. 

 

Employers must communicate the names of infected employees to public health authorities and work with public health authorities to identify close contacts of the individual. The identity of the individual should not be disclosed to coworkers or other staff.

 
 

Learn more here.

Latvia

Organizations are permitted to ask employees if they have been abroad in the last 14 days and/or in contact with COVID-19. 

 

Employers are not entitled to disclose information reported from employees.

 

Learn more here.

Lithuania

Employers are allowed to test for symptoms if an employee travelled to a country of risk, was in contact with an infected person or with someone who travelled to a country of risk, is at home due to quarantine, or feels sick (even without specifying the illness). Collection of medical records or temperature readings of staff or visitors is prohibited. Location data can only be processed when it is anonymous or the individual has given consent.

 

Learn more here.

Luxembourg

Organizations can ask employees and agents to provide information about virus exposure to the employer or competent health authorities. 

 

Organizations do not need to require employees to communicate daily about their body temperatures or fill out medical questionnaires; or for visitors to sign pre-established declarations certifying their health or recent travel.

 

If an employer is informed of an infected employee, they must record:

  • the date and identity of the person

  • the containment measure taken

  • any contact with occupational health services.

 

Communicate information to health authorities upon request.

 

Learn more here.

Moldova

All data collected must be for a specific and legitimate purpose. Location data used for isolation monitoring must be secured properly and deleted once the purpose is achieved.

Learn more here.

Netherlands

Employers should not: 

  • process medical data of staff

  • ask employees about their health or to take a test

  • keep track of the reason for absences due to illness.

 

A company doctor may test employees for COVID-19. Personal medical data cannot be collected or processed. Company doctors can test employees, but results are only shared with the employee tested.

 

Learn more here.

Poland

Employers can collect employee and visitor temperatures and health data when instructed to do so by the Chief Sanitary Inspector. Employers must inform all persons whose personal data will be collected in accordance with GDPR requirements.

Learn more here.

Romania

The disclosure of the identity and health status of individuals is only permitted with consent. Data subjects must be informed if their data is being processed for COVID-19 purposes.

Learn more here.

Serbia

Health data can only be processed under a valid legal basis. Observe proportionality when processing data of the potentially infected. Employers and the media cannot publicize information about infected individuals.

Learn more here.

Slovakia

The employer should only request health information to the extent permitted by national law. Temperature readings can be collected in accordance with national law and are required at entrances to hospitals and industrial plants. Records of employees who have had their temperature checked are kept and reported to the workplace management.

Learn more here.

Slovenia

On a case-by-case basis, temperatures can be collected, but must not be recorded in an identifiable way. Inform individuals that temperatures will be collected and conduct DPIA to determine risks associated with temperature collection. Apps can obtain location data through terminal equipment if the individual agrees or in a case of urgent exception. Data collected by contact tracing apps should be deleted.

Learn more here.

Spain

The processing of health data must be exclusively limited to what is necessary for the intended purpose. 

 

It is permissible to ask staff and visitors if they have been infected, however, questions should be limited exclusively to inquiring about the existence of symptoms or if the individual has been diagnosed or subject to quarantine.

 

Do not ask questions unrelated to the virus or circulate extensive health questionnaires.

 

Employees must inform their employer and/or occupational health delegates if they are not fit for work. 

 

The identity of the individual should not be disclosed unless where necessary for the purpose of protecting the health of staff. Disclosure to health authorities is permitted upon request.

 

Learn more here.

The Catalan Data Protection Authority noted that citizens can communicate information to public health authorities if the facts, data or circumstances may constitute a risk or serious danger to the health of the population.

Learn more here.

Sweden

The collection of body temperature is generally prohibited. Personal data should only be collected if necessary. The individual’s identity should not be disclosed unless necessary to fulfill a legal obligation under labour law.

Learn more here.

Switzerland

Any collection of health data for the purpose of preventing infection (e.g. collection of body temperatures at the entrance of a building) must be limited to what is necessary to achieve the purpose.

Learn more here.

Turkey

It is permissible to ask employees or visitors if they have traveled to an affected area and/or are experiencing symptoms of COVID-19. However, requests for information must have a strong rationale based on necessity and a risk assessment. Do not disclose the identity of the individual or provide excessive details. Where it is necessary to identify the employee or visitor, inform the infected individual in advance.

Learn more here.

United Kingdom

Employers are allowed to collect information about employees’ recent visits to particular countries or whether they are experiencing symptoms. Do not collect more specific health data than needed and ensure appropriate safeguards are applied. Before testing an individual or obtaining an individual’s test results, an employer must be able to demonstrate the reason for testing or obtaining the individual’s results.

 

Monitoring of employees must be necessary and proportionate as well as done within the employees’ reasonable expectations. Employers are urged to consider if less intrusive means can achieve the same purpose.

 

Learn more here.

Abu Dhabi (UAE)

It is permissible to ask whether an employee or visitor has visited a particular country or whether they are experiencing COVID-19 symptoms. However, it is not permissible to ask whether an individual or their family member or members has or have been diagnosed with COVID-19.

Andorra

When an employee has COVID-19 symptoms, document their identity, the date they became aware and the organizational measures taken (e.g. teleworking).

Learn more here.

Argentina

Individuals should be informed about tracking and collection activity. Consent is required to disclose the name of the patient to staff. Cases must be reported within 12 hours by physicians and laboratories. Location data can be collected and processed if the subject gives their informed consent, if the data was obtained from unrestricted public access sources, to comply with legal obligations, or if it derives from a contractual, scientific or professional relationship with the subject. Before implementing monitoring tools, conduct a PIA. Delete data when no longer necessary.

Learn more here.

Australia

The Office of the Australian Information Commissioner has said that the collection of information is allowed from people exposed to a known COVID-19 case, people who have had close contact with someone exposed to a case, and people who have recently traveled overseas.

Australia has also released the COVIDSafe app and so far 6 million people have downloaded it.

Learn more about the privacy implications of the COVIDSafe app here.

Bermuda

The Privacy Commissioner of Bermuda has stated that employers can ask their employees whether they have engaged in international travel or are experiencing certain symptoms.

Learn more here.

Bonaire/St. Eustatius/Saba

Occupational health and safety services or a company doctor should collect employee symptoms or track where they have been, not employers. Occupational health and safety services or a company doctor should also be the ones to screen body temperatures.

Learn more here.

Canada

Canadian Federal Privacy Regulation:

According to the Office of the Privacy Commissioner of Canada, personal data can be collected, used and disclosed without consent under specific circumstances. For example, this is permissible when the disclosure is required by law, in an emergency, or if related to a contravention of law.

 

Learn more:

- Privacy and the COVID-19 outbreak

- A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19

Canadian Territories Privacy Regulations:

Alberta: Alberta has three applicable privacy laws that should be kept in mind while collecting data during the COVID-19 pandemic: Freedom of Information and Protection of Privacy Act, Health Information Act, and Personal Information Protection Act.

British Columbia: The Office of the Information & Privacy Commissioner for British Columbia said in a statement that the Provincial Health Officer has broad authority to collect and use personal information in the public interest during the COVID-19 pandemic.

Newfoundland and Labrador: During the COVID-19 pandemic, you should be aware of two regulations when collecting information: The Access to Information and Protection of Privacy Act, 2015, and the Personal Health Information Act.

Northwest Territories: The Northwest Territories has two privacy laws that should be taken into consideration when collecting information during the COVID-19 pandemic: the Access to Information and Protection of Privacy Act (which applies to the public sector) and the Health Information Act (which applies to the health sector).

Ontario: Public health offices, long-term care facilities, hospitals and other organizations may release non-identifying information related to:

 

  • incidences of infection

  • number of deaths

  • other information to help control the spread of the virus

Saskatchewan: Saskatchewan has three privacy laws that are applicable as information is being collected during the COVID-19 pandemic: the Freedom of Information and Protection of Privacy Act (which applies to government entities), the Local Authority Freedom of Information and Protection of Privacy Act (which applies to local authorities), and the Health Information Protection Act (which applies to health trustees).

Québec: Consent is required to:

 

  • collect personal information

  • disclose an individual’s personal information unless the disclosure is made due to an emergency situation endangering the life, health or safety of the person concerned

 

Collection must be limited to that which is necessary and individuals must be informed on how their personal information may be used.

Yukon: There are two privacy laws that apply to the Yukon territory in regards to collecting personal information during the COVID-19 pandemic: the Access to Information and Protection of Privacy Act and the Health Information Privacy and Management Act.

China

 

Consent is required for collection of personal information and only public authorities may collect and use personal information for pandemic-related purposes without consent.

 

Furthermore, information should be limited to:

 

  • diagnosed individuals

  • individuals suspected of infection

  • individuals that have come into close contact with infected individuals

  • other focus groups

Learn more here.

Chile

The CPLT emphasizes the need for decision transparency due to COVID-19 (within the framework of the State of Constitutional Exception of Catastrophe).

Learn more here.

Colombia

Health data may be processed without consent during health and sanitary emergencies. For example, in order to prevent, treat or control COVID-19 and mitigate the effects of the virus.

Learn more here.

China - Hong Kong S.A.R.

The Privacy Commissioner of Hong Kong has stated that temperature measurements and limited medical symptoms of COVID-19 may be collected. Furthermore, confirmation of an infected individual can be made to other employees, visitors and property management. However, personally identifiable information should not be included.

Learn more here.

Gibraltar

Employers are able to collect health data on employees or visitors if they are experiencing symptoms associated with COVID-19 or if they have visited any countries deemed “high risk” by authorities. Employee temperature checks are allowed if they are based on an appropriate legal basis, and visitors can be checked to comply with a legal obligation or to maintain the health and safety standards of the workplace. Employers can notify staff and health authorities if an employee has symptoms, but when notifying staff, employers cannot disclose the identity. A DPIA must be conducted before using a contact tracing app, and proximity data should be used instead of tracking individual users.

Learn more here.

Israel

Only the information required by the Activity Restriction Regulation should be collected. Do not prompt individuals to share identifying details. Personal data may only be used for the purpose it was collected for. Heat measurements may only be collected in real time, and identifying information given for the heat measurement must not be retained. Disclosure to public health authorities can be made where necessary. If relevant, disclose relevant non-personal data to staff. Inform individuals what information will be collected upon entry. After data is no longer needed, it should be deleted.

Learn more here.

Japan

In general, consent is required in order to use data collected for a different purpose or to provide it to a third party.

Learn more here.

Jersey

It is permissible to ask employees and visitors whether they have visited a particular country or are experiencing COVID-19 symptoms. If specific data must be collected, do not collect more than necessary.

Learn more here.

Mexico

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) advises that personal data only be collected when necessary during the COVID-19 pandemic including:

 

  • to prevent/contain the spread of COVID-19

  • to provide care, diagnosis and corresponding medical treatment

 

The identity of infected individuals should not be disclosed and the data subjects should be informed of the processing of their data for COVID-19 purposes.

Learn more here.

New Zealand

New Zealand’s Privacy Commissioner has advised that employee and visitor health data may be collected. The Commissioner also advised that people be made aware of possible exposure risks. However, it should be assessed whether the identity of the source of exposure needs to be identified.

Learn more here.

Peru

Employers may ask about the existence of symptoms, confirmed diagnosis or contact with an infected person. Serological or molecular tests must be administered by health or occupational safety professionals in a job with medium to very high risk of exposure. Employers must measure employee temperatures upon entry into the workplace and notify public health authorities of confirmed cases. Employees must tell their employer if they have suspected or confirmed symptoms of the virus. Employee health information is not to be disclosed to other staff members unless directed by public health authorities or professionals; sharing information without authorization can warrant a fine of up to 215,000 soles (USD $62,939).

Learn more here.

Portugal

Employers cannot collect and register information on health status. They are also prohibited from collecting and registering employee body temperatures.

Learn more here.

Republic of Korea

Heads of medical institutions must inform the Fire Commissioner when a patient with an infectious disease is transferred in an ambulance. The fire department must be informed about: the patient’s name, date of infection, and main symptoms.

Learn more here.

Senegal

Only health professionals may carry out methods for identifying and monitoring infected persons or those at risk of infection. Data collection must be limited to only data.

Learn more here.

South Africa

Employers are allowed to request the health status of an employee in the context of COVID-19 and for an employee to undergo testing to maintain a safe work environment. Disclosure should not be used to unfairly discriminate against the employee.

Learn more here.

Uruguay

Health data related to a national health emergency can be processed without informed consent only where an exception applies.

 

Processing and disclosure of health or sensitive data requires prior express consent.

 

Exceptions apply where:

1. authorized by law;

2. the requesting body has a legal mandate to collect the data; or 

3. processing is for statistical or scientific purposes and personal data is dissociated from the individual.

 

Learn more here.