United States

The Family Educational Rights and Privacy Act (FERPA): 

 

Monitoring Outbreaks: Educational agencies and institutions should prepare consent forms for parents and eligible students to sign in order to allow the potential sharing of personal data if they want the ability to create, or intend to create, a tracking system to identify an outbreak of COVID-19.

 

Disclosure Rules:

  • Data may be disclosed without consent to public health officials, law enforcement, trained medical personnel, and others as directed by public health authorities if "an articulable and significant threat exists...as a result of the virus that causes COVID-19," to  (e.g., FERPA's health or safety emergency exception).

  • May be disclosed to students and parents within the school community, but only in non-personally idenifiable form.

 

Records Management:

  • When making a disclosure under the health or safety emergency provision in FERPA, educational agencies and institutions are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the agency or institution disclosed the information. 34 C.F.R. § 99.32(a)(5). 
  • The record of each request for access to and each disclosure of PII from student education records must be maintained with the education records of each student as long as the records are maintained. 34 C.F.R. § 99.32(a)(2). This requirement enables parents and eligible students who do not provide written consent for disclosure of education records to see the circumstances under which and the parties to whom their information was disclosed.
 

HIPAA:

 

Covered entities can disclose individuals’ personal health information (PHI) that either have COVID-19 or have been exposed to it with law enforcement, paramedics, other first responders and public health authorities without an individual’s authorization.

 

Disclosure Rules: Disclosure is permitted without authorization.

 

1. when needed to provide treatment;

 

2. when required by law;

 

3. to notify a public health authority to prevent or control spread of disease;

 

4. when first responders may be at risk of infection;

 

5. when disclosure to first responders may prevent or lessen serious or imminent threat to health and safety of a person or the public; and

 

6. in response to a request from law enforcement or correctional institution having lawful custody of an individual.

 

7. the Centers for Disease Control and Profesion (CDC)

 

8. Centers for Medicare and Medicaid Services (CMS)

 

Americans With Disabilities Act (ADA):

 

ADA-covered employers can measure employee’s body temperature, ask employees who report feeling ill at work or call in sick about their symptoms to if they have or may have COVID-19. 


Records Management: Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Europe

European Regulations:

The European Data Protection Board (EDPB): The EDPB advises organizations to only collect health data to the extent that it is permitted by law. Furthermore, location data can only be used by Telecom operators and that data can only be transmitted to authorities after it has been anonymized by the provider and with consent from the user.

Learn more here.

Committee of Convention and Council of Europe: If you are required to process employee health data, respect the principles of necessity, proportionality and accountability in order to mitigate risks of processing.

Learn more here.

Click on any of the European countries below for more regulatory detail from each region.

Austria

Collection of data is allowed from people who have been diagnosed with COVID-19 and/or are suspected of being in contact with an infected person or is staying in a risky region.

Learn more here.

Belgium

A health assessment or questionnaire concerning COVID-19 can only be carried out by an occupational physician.

Learn more here.

Croatia

Collection of personal data must be necessary and proportionate to fulfill legal basis.

Learn more here.

Czech Republic

Organizations should only disclose identifying information when necessary to protect employee health. Disclosure of the information may not harm the dignity and integrity of the infected individual. Public health authorities may require telecoms to provide data to identify and track the outbreak. This includes location data from mobile phones. Users must be informed of such disclosures.

Learn more here.

Denmark

 

It is permissible to collect the following information from an employee or visitor:

 

  • whether the employee or visitor has returned from a risk area

  • whether they are under quarantine (without stating the reason)

  • whether they are ill (without stating the reason)

 

Limit details of personal data to only what is necessary.

 

Learn more here.

Estonia

 

It is permissible to ask whether an employee or visitor:

 

  • has been in a risk area

  • has been exposed to infected people

  • is fit to work

 

Personally identifying information should only be disclosed if necessary to protect employees’ lives, health or liberty. Personally identifying information can be disclosed to specific individuals with whom the infected worker has been in contact.

 

Learn more here.

Finland

Organizations can ask whether an employee:

  • is infected by the virus

  • returned from an infected area

  • is in quarantine (without additional information).

 

However, individual identities cannot be disclosed to others.

 

Learn more here.

France

Employees are only required to share data needed to manage the virus.

Learn more here.

Germany

 

It is permissible to ask whether an employee:

  • has been infected

  • has been in contact with an infected person

  • has visited an known infected area

Learn more here.

In workplaces with particularly close contact employers can measure employees’ body temperatures and ask employees if they are experiencing specific symptoms.

Learn more here.

Names and contact details of visitors can be collected and transmitted to health authorities upon request.

Learn more here.

Hungary

Employee questionnaires are permitted based on risk assessment. However, they cannot include medical history or health documentation.  In addition, screenings with diagnostic devices (thermometer) are prohibited. Only healthcare professionals can test employees, and share results of exams with employers only.

Learn more here.

Iceland

 

Questionnaires are permitted that ask if an employee:

  • visited a risk area

  • is experiencing symptoms

  • had contact with someone who traveled to a risk area.

 

Temperature measurements are permitted only with employee consent.

 

Learn more here.

Ireland

Organizations can ask whether an employee:

  • visited an affected area

  • is experiencing symptoms

  • has been diagnosed with the virus. 

 

However, employee identities can not be disclosed. 

 

Learn more here.

Italy

Systemic, continuous or generalized collection of symptoms or visits to places outside the workplace is prohibited. Employers can only invite employees to communicate infection, and facilitate procedures for forwarding information to appropriate channels.

 

The investigation into and collection of information on symptoms and recent movements of individuals are the responsibility of healthcare professionals. Employees should inform employers of any danger to health and safety at the workplace.

 

Learn more here.

Latvia

Organizations are permitted to ask employees if they have been abroad in the last 14 days and/or in contact with COVID-19. 

 

Employers are not entitled to disclose information reported from employees.

 

Learn more here.

Lithuania

 

Organizations can ask whether an employee:

  • traveled to a country of risk

  • was in contact with an infected person, or person who traveled to a country of risk

  • is at home due to quarantine (without giving a reason)

  • is ill (without specifying the illness or other reason).

 

Organizations can ask visitors if he/she currently has COVID-19 symptoms or has been diagnosed with the virus. 

 

Collection of medical records or temperature readings of staff or visitors is prohibited.

 

Learn more here.

Luxembourg

Organizations can ask employees and agents to provide information about virus exposure to the employer or competent health authorities. 

 

Organizations do not need to require employees to communicate daily about their body temperatures or fill out medical questionnaires; or for visitors to sign pre-established declarations certifying their health or recent travel.

 

If an employer is informed of an infected employee, they must record:

  • the date and identity of the person

  • the containment measure taken

  • any contact with occupational health services.

 

Communicate information to health authorities upon request.

 

Learn more here.

Netherlands

Employers should not: 

  • process medical data of staff

  • ask employees about their health or to take a test

  • keep track of the reason for absences due to illness.

 

A company doctor may test employees for COVID-19.

 

Learn more here.

Poland

Upon the recommendation of the Chief Sanitary Inspector and the Prime Minister of Poland, employers may take specific preventive or control measures and cooperate with other public administration bodies.

Learn more here.

Romania

The disclosure of the identity and health status of individuals is only permitted with consent. Data subjects must be informed if their data is being processed for COVID-19 purposes.

Learn more here.

Slovakia

The Office for Personal Data Protection of the Slovak Republic (UOOU SR) responds to the most common questions in the processing of personal data.

Learn more here.

Spain

Processing of health data must be exclusively limited to what is necessary for the intended purpose. Furthermore, employees, management and occupational safety personnel must immediately inform superiors of reported cases in the workplace.

Learn more here.

The Catalan Data Protection Authority noted that citizens can communicate information to public health authorities if the facts, data or circumstances may constitute a risk or serious danger to the health of the population.

Learn more here.

Sweden

The collection of body temperature is generally prohibited. Personal data should only be collected if necessary. The individual’s identity should not be disclosed unless necessary to fulfill a legal obligation under labour law.

Learn more here.

Abu Dhabi (UAE)

It is permissible to ask whether an employer or visitor has visited a particular country or whether they are experiencing COVID-19 symptoms. However, it is not permissible to ask whether an individual or their family member or members has or have been diagnosed with COVID-19.

Albania

Controllers can collect the following personal information:

  • name

  • address

  • place of work

  • travel details

  • recorded images

Argentina

The Agency for Access to Public Health Information has stated that consent is required to disclose the name of the patient.

Learn more here.

Australia

The Office of the Australian Information Commissioner has said that the collection of information is allowed from people exposed to a known COVID-19 case, people who have had close contact with someone exposed to a case, and people who have recently traveled overseas.

Australia has also released the COVIDSafe app and so far 6 million people have downloaded it.

Learn more about the privacy implications of the COVIDSafe app here.

Bermuda

The Privacy Commissioner of Bermuda has stated that employers can ask their employees whether they have engaged in international travel or are experiencing certain symptoms.

Learn more here.

Canada

Canadian Federal Privacy Regulation:

According to the Office of the Privacy Comissioner of Canada, personal data can be collected, used and disclosed without consent under specific circumstances. For example, this is permissible to make disclosures required by law, in an emergency or if related to a contravention of law.

 

Learn more:

- Privacy and the COVID-19 outbreak

- A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19

Canadian Territories Privacy Regulations:

Alberta: Alberta has three applicable privacy laws that should be kept in mind while collecting data during the COVID-19 pandemic: Freedom of Information and Protection of Privacy Act, Health Information Act, and Personal Information Protection Act.

British Columbia: The Office of the Information & Privacy Commissioner for British Columbia said in a statement that the Provincial Health Officer has broad authority to collect and use personal information in the public interest during the COVID-19 pandemic.

Newfoundland and Labrador: During the COVID-19 pandemic, you should be aware of two regulations when collecting information: The Access to Information and Protection of Privacy Act, 2015, and the Personal Health Information Act.

Northwest Territories: The Northwest Territories has two privacy laws that should be taken into consideration when collecting information during the COVID-19 pandemic: the Access to Information and Protection of Privacy Act (which applies to the public sector) and the Health Information Act (which applies to the health sector).

Ontario: The Information and Privacy Commissioner of Ontario said that public health units and government organizations should provide as much information as is necessary to protect the public’s health without naming individuals.

Saskatchewan: Saskatchewan has three privacy laws that are applicable as information is being collected during the COVID-19 pandemic: the Freedom of Information and Protection of Privacy Act (which applies to government entities), the Local Authority Freedom of Information and Protection of Privacy Act (which applies to local authorities), and the Health Information protection Act (which applies to health trustees).

Québec: Québec declared a state of health emergency on March 13, 2020, which allows the collection and communication of personal information required to protect the public health.

Yukon: There are two privacy laws that apply to the Yukon territory in regards to collecting personal information during the COVID-19 pandemic: the Access to Information and Protection of Privacy Act and the Health Information Privacy and Management Act.

China

 

Consent is required for collection of personal information and only public authorities may collect and use personal information for pandemic-related purposes without consent.

 

Furthermore, information should be limited to:

 

  • diagnosed individuals

  • individuals suspected of infection

  • individuals that have come into close contact with infected individuals

  • other focus groups

Learn more here.

Chile

The CPLT emphasizes the need for decision transparency due to COVID-19 (within the framework of the State of Constitutional Exception of Catastrophe).

Learn more here.

Colombia

Health data may be processed without consent during health and sanitary emergencies. For example, to prevent, treat or control COVID-19 and mitigate the effects of the virus.

Learn more here.

China - Hong Kong S.A.R.

The Privacy Commissioner of Hong Kong has stated that temperature measurements and limited medical symptoms of COVID-19 may be collected. Furthermore, confirmation of an infected individual can be made to other employees, visitors and property management. However, personally identifiable information should not be included.

Learn more here.

Japan

The Personal Information Protection Commission of Japan has declared that the unauthorized use or disclosure of personal data is permitted to prevent the spread of COVID-19.

Learn more here.

Mexico

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) advises that personal data only be collected when necessary during the COVID-19 pandemic including:

 

  • to prevent/contain the spread of COVID-19

  • to provide care, diagnosis and corresponding medical treatment

 

The identity of infected individuals should not be disclosed and the data subjects should be informed of the processing of their data for COVID-19 purposes.

Learn more here.

New Zealand

New Zealand’s Privacy Commissioner has advised that employee and visitor health data may be collected. The Commissioner also advised that people be made aware of possible exposure risks. However, it should be assessed whether the identity of the source of exposure needs to be identified.

Learn more here.

South Africa

Employers are allowed to request the health status of an employee in the context of COVID-19 and for an employee to undergo testing to maintain a safe work environment. Disclosure should not be used to unfairly discriminate against the employee.

Learn more here.

Switzerland

Any collection of health data for the purpose of preventing infection (e.g. collection of body temperatures at the entrance of a building) must be limited to what is necessary to achieve the purpose.

Learn more here.

Turkey

It is permissible to ask employees or visitors if they have traveled to an affected area and/or are experiencing symptoms of COVID-19. However, requests for information must have a strong rationale based on necessity and a risk assessment. Do not disclose the identity of the individual or provide excessive details. Where it is necessary to identify the employee or visitor, inform the infected individual in advance.

Learn more here.

United Kingdom

It is permissible to collect information about employees’ recent visits to particular countries or whether they are experiencing symptoms. Do not name individuals or provide more information than necessary to ensure the health and safety of the employee.

Learn more here.

Uruguay

Personal data related to the national health emergency can be processed without informed consent only where an exception applies.

Learn more here.