How Businesses Should Handle Privacy In Light Of The COVID-19 Outbreak

News ¦ March 18th, 2020, 11:00 pm

Here’s a quick rundown of the most important things you need to know as a business leader during the COVID-19 pandemic. For example, if an employee, customer or guest tests positive for the virus, which data may be shared, and with whom? How does the CCPA affect these decisions? We will look at the best way to balance the patient’s privacy rights against your legal and moral obligation to share information to protect public health. The virus has already had detrimental effects on the world economy, and this will inevitably weigh heavily on your business.

Collecting health data on employees (and their families)

Businesses around the globe have developed practices to try to protect their workforce. Some check temperatures at the door; others use surveys to gather information about the health of their employees, and even of the people their employees live with. As a rule of thumb, businesses should apply the principle of data minimization, which is at the heart of both the GDPR and the CCPA: if it isn’t absolutely necessary to collect certain information, then you should refrain from asking for it. Businesses should be especially cautious when asking for data about third persons; it is recommended to make such questions optional. Businesses should have a strong policy in place about where this additional personal information is stored, for how long, how broadly it is shared within the organization and how it can best be protected.

Sharing personal information for public health and safety

If you learn that an employee, guest or customer has tested positive for COVID-19, this potentially life-saving information must be shared to protect public health and safety. At the same time, you have to balance this responsibility against the privacy rights of the infected person.

Disclosing information about an infected employee, guest or customer to government agencies

If a federal, state or local government agency requests disclosure of information about COVID-19 infections, most privacy laws provide exceptions that allow you to provide it. The California Consumer Privacy Act (CCPA), for example, states in section 1798.145(a) that businesses should not be restricted to ‘comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.’ If you receive a formal request in the form of an inquiry, subpoena or summons from a governmental authority, you are legally obliged to comply. But even in this case, you should aim to minimize any negative impact this data sharing might have on the infected individual.

If the request is informal, it’s wise to ask for an explanation of its legal basis or to ask for a formalized request.

For businesses operating internationally in particular, it can be difficult to keep track of the many different regional, federal and international privacy and data-sharing obligations. Multinationals should start preparing an incident-response plan and assess the international legal landscape now.

Disclosing information about an infected employee, guest or customer to others

It is advisable to inform other employees, guests or customers of an established COVID-19 infection to avoid further spread. However, you should limit the personal information shared to the minimum necessary for individuals to assess their own health risk (ideally without sharing personally identifiable information at all). There is no hard-and-fast rule as to where that minimum lies. It needs to be determined on a case-by-case basis and depends on many factors, such as the size of your business, its number of locations, and more. You should avoid sharing personally identifiable information, such as the name of the patient, as much as possible.

Sharing personally identifiable information with third parties: the privacy policy

If your business must share personally identifiable information in order to properly mitigate the health threat, the privacy policy and the notice at/before collection (CCPA) should be reviewed. Make sure that the disclosure of this type of data has been sufficiently addressed and explained to the data subject. Check whether the information category itself is described, and whether your intent to disclose the data to a government agency, to the media or to other customers is included. If this is not the case, you should update your privacy policy and collection notice accordingly. You may only share personal information that you collected while the relevant information categories and purposes for collection and sharing were properly described in the privacy policy and collection notice.

It is important to consider whether these data-sharing practices bring your business in scope of the CCPA or change your CCPA status. To understand whether your company is a ‘business’ or a ‘service provider’, use our ‘Are you in scope of the CCPA’ questionnaire. To understand whether any (new) data-sharing practices make your organization a seller of personal information, have a look at our resource page.

Heightened awareness of phishing scams

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning in response to an increase in phishing scams capitalizing on the COVID-19 pandemic. Attackers are sending emails with malicious attachments or links to fake websites to trick victims into giving access to sensitive information or donating to fraudulent charities. Individuals and businesses alike should be aware of the increased risk of data breaches during a time of global panic. Now might be a good time for employee security-awareness training.

Datawallet helps you get compliant with powerful out-of-the-box tools in a matter of minutes. We’ve got you covered with our intuitive Data Subject Request web form and DSR-handling workflows, our automated data-exploration and mapping tool, and our Consent Management Platform. If you want to jump right in, start your free trial of our easy-to-use compliance platform here.
