Maintaining our privacy during a pandemic: are our privacy laws working?


Information is key to handling any crisis, especially in a health emergency such as the current coronavirus pandemic.

Governments need to know who is infected (and infectious) in order to trace potential contacts and allow them to take steps to mitigate the risks. And businesses will want to keep a close watch on their employees and any visitors, to ensure that they can keep their workplaces safe.

In normal times, information about our health is – rightly – seen as particularly sensitive and worthy of additional protection. Medical professionals are expected to treat health information confidentially, whilst data protection and human rights laws only allow this type of information to be used in narrowly defined circumstances. But these are not normal times. So could our privacy laws actually be hindering the response to COVID-19?

Data protection law does not prevent the collection or sharing of heath data, but it does put in place strict rules on the reasons that such data can be used. For instance, health data can usually only be used where it is necessary to protect the vital interests of the individual or for the provision of their treatment.

There is also a specific condition allowing the use of health data where it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health“. That seems like a pretty good definition of the current situation with COVID-19. In recent days, the ICO and the European Data Protection Board have both issued reassuring statements for employers and public bodies, so it is unlikely that organisations will find themselves in trouble for processing personal information where it is necessary to do so to treat patients or protect their staff.

Human rights law provides similar flexibility. Whilst individuals do have a right to their private life, home and correspondence, this is not an absolute right. That means the right to privacy may be overridden where doing so is in accordance with the law, necessary and proportionate, particularly in extraordinary circumstances.

Public bodies are therefore entitled to interfere with privacy to the extent required to deal with public health emergencies. Any new emergency legislation proposed in the coming days may include specific measures to allow additional data collection and usage in an effort to control the spread of the outbreak.

So governmental bodies and employers will be able to collect and use health data to monitor cases, treat the infected and manage any disruption. Most of us will accept the interference with our privacy as a small price to pay to successfully contain the virus. But what about some of the more innovative responses being considered?

In China and South Korea, apps have been developed that utilise location data to track individuals via their mobile phones. If an individual is later diagnosed with COVID-19, the app will alert everyone they have come into contact with.

This allows those individuals who receive an alert to take steps to either self-isolate or seek further medical advice. Israel has also announced it will be using location data to track its citizens. Whilst all this seems attractive to combat the outbreak, it does have significant implications for privacy. How can individuals be sure that their location data isn’t being used for other purposes?

What happens if the data is leaked or used inappropriately? Other potential technological solutions include creating a database of those self-isolating to allow friends and neighbours to provide support, or providing detailed street-level maps of all new cases so that the authorities can provide targeted support at a very localised level. These suggestions raise even more legitimate concerns about possible unintended consequences, such as increasing crime by allowing vulnerable and isolated people to be identified.

Our privacy laws do not specifically prohibit such novel methods of collecting and using personal information, but they do set out a framework within which organisations must operate. New uses of personal information would only be lawful where there is a clear legal justification and where the use of data is both proportionate and necessary.

Even where these tests are met, legal protections governing personal information do not automatically fall away. Organisations must still tell individuals about what they are doing, keep the data secure, and ensure that it is not used for any other purpose.

The success of any innovative measures may come down to how much we can trust our governments and technology companies, neither of which have a particularly good reputation when it comes to protecting the privacy of our information.

We are currently living through unprecedented times. What seemed completely unthinkable yesterday appears entirely normal today, and may prove to be woefully inadequate tomorrow. Everyone is scrambling to keep up as the pandemic progresses and advice changes at an alarming pace.

Organisations must of course do what is necessary to keep people safe and healthy, but they should remember that privacy remains a basic right, particularly when it comes to people’s health and wellbeing.

Jon Belcher

Jon Belcher

Jon Belcher is a specialist data protection and information governance lawyer at Excello Law.
Jon Belcher

Jon Belcher is a specialist data protection and information governance lawyer at Excello Law.