Navigating Data Privacy Regulations During a Worldwide Health Crisis

Apr 28, 2020 | GDPR, Security and Confidentiality, Tips and Best Practices

The data privacy landscape is continually evolving, and many new data privacy regulations have emerged all over the world in recent years. Most of these regulations place greater emphasis on consumers’ rights to privacy regarding their personal data, with stringent rules on how that data can be collected and handled.

However, the ongoing COVID-19 crisis has blurred data privacy lines worldwide as many healthcare providers and government agencies turn to data collection in order to study, combat, and limit the impact of the virus. In this blog post, we’ll provide an overview of the complex data privacy landscape in the coronavirus era.

The conflict between data privacy and public health

As the coronavirus pandemic evolves, evidence suggests that less data privacy in some areas may be necessary to promote public health. Countries in Asia are tracking and tracing infected individuals to mitigate the spread of the virus, while researchers worldwide are exchanging crucial health data in order to develop an effective vaccine. Some government agencies are using insights from mobile location tracking to monitor the population’s movement while alerting those who may have crossed paths with an infected individual.

On top of current efforts like the ones listed above, many similar data-focused measures are being proposed and discussed in order to protect the population during health crises in the future. As the situation develops, organizations will need to find the sweet spot between strict data protection and overall public health.

Because mass data collection is being used to fight the pandemic, questions about privacy arise: How far can organizations go in terms of requesting personal health information when it comes to protecting the public? How, where, and when is our sensitive health data being used? Are we vulnerable to data breaches, and should we be concerned about our health information being exploited in the future? It’s important for both individuals and organizations to address these questions to ensure privacy and peace of mind in this uncertain time.

Exceptions to the rules during COVID-19

Europe’s General Data Protection Regulation, or GDPR, is made up of a set of rules designed to protect European citizens’ personally identifiable information. The GDPR is known as the strictest data privacy regulation in the world, and it places restrictions on how organizations can use and transfer personal data. The GDPR’s Article 9, however, includes plans for suspension in case of an emergency or crisis, including details about where data can be stored, who can access the data, and when the data should be purged after the crisis is resolved.

Many countries in Europe are taking advantage of these exceptions in order to adequately promote public health during the coronavirus pandemic, including:

  • Italy: Italy passed the Civil Protection Ordinance No. 630 to grant the Civil Protection Department some flexibility around processing personal information during the coronavirus pandemic. The ordinance is valid through July, with possible extension.
  • France: France passed a similar measure that allows health authorities and their business partners to access sensitive data as long as they collect necessary information only.
  • Germany: Germany’s Federal Data Protection Act allows healthcare organizations to have increased permissions around personal data in the event of an emergency.

In the United States, HIPAA doesn’t allow for suspension of any healthcare data protections, but it does mention that fines and penalties for noncompliance during a crisis will be reviewed by the Office for Civil Rights.

With all of these changes and exceptions in mind, it’s important for organizations in each country to handle suspensions accordingly and follow the resolution requirements.

Moving forward

Although there are some exceptions to data privacy rules worldwide in times of crisis like this, regulations are still in effect, and organizations must remain compliant in order to avoid penalties and keep data safe. To navigate this challenging time, it’s important to understand which regulations and exceptions apply to you and your organization and plan accordingly.

Meanwhile, we also need to consider how personal information will be managed after this crisis passes, and we must work to develop data collection strategies that keep sensitive data safe in the event of a crisis in the future.

Looking for a secure, compliant data collection solution to help you tackle coronavirus-related projects or research? FormAssembly is offering pro bono secure data collection services through our COVID-19 Assistance Program—learn more and apply at the link below.
