COVID-19:

Privacy & Data Protection Resources

This repository of privacy and data protection resources related to COVID-19 is compiled by the Future of Privacy Forum, and will be updated regularly. We hope these resources will help privacy leaders in local government and beyond provide front-line support to individuals and communities.

If you have additions or suggestions, please contact Kelsey Finch, comments@fpf.org.

US Privacy Resources

Local Government

Largely general repositories, not specific to data privacy

Federal Agency Guidance

Other Resources

International Privacy Resources

National Data Protection Authorities

    • COVID 19 data protection resources from national DPAs (including US, UN, UK, Switzerland, Spain, Slovakia, San Marino, Poland, Peru, New Zealand, Mexico, Luxembourg, Lithuania, Jersey, Italy, Ireland, Hungary, Hong Kong, Germany, Gibraltar, France, Finland, Canada, Bulgaria, Austria, Australia, Argentina, Albania)
    • @JBAGerritsen's Compilation of EU DPA guidance (updated regularly)
    • Canadian OPC’s Guidance on Privacy and the COVID-19 Outbreak (providing guidance on the applicability of public and private sector privacy laws, both federal and provincial, with regards to COVID-19)
    • Hong Kong’s press release on Government [adopting] multi-tech approach to support home quarantine (describing Hong Kong’s use of monitoring technologies to enforce quarantines, including disposable wristbands and sharing of real-time location data via WhatsApp or WeChat)
    • New Zealand’s FAQ: COVID-19 and Privacy (helping individuals and organizations navigate privacy considerations when there may be a risk of exposure to COVID-19)
    • Singapore DPPC’s Statement (authorizing the collection, use, and disclosure of personal data for contract tracing and other response measures, including without consent)

Non-Governmental Resources

    • FPF’s summary of European DPA guidance (noting DPAs’ advice to organizations against “systematic and generalized” monitoring and collection of data related to health of their employees outside official requests and measures of public health authorities)
    • VUB Brussels’ Data Protection Law and the COVID Outbreak (providing links to global tracking initiatives; general resources for Europe, including cybersecurity developments; international resources and updates; and European national resources)

Global Trackers

Civil Liberties & Ethical Best Practices

International Humanitarian Organizations

    • International Red Cross’s Handbook on Data Protection in Humanitarian Action (seeking to help humanitarian organizations comply with personal data protection standards, by raising awareness and providing specific guidance on the interpretation of data protection principles in the context of humanitarian action, particularly when new technologies are employed)
    • WHO Guidance for Surveillance During an Influenza Pandemic (2017) (describing the data requirements and surveillance strategies that governments can use throughout the course of a pandemic)
    • WHO Guidelines on Ethical Issues in Public Health Surveillance (2017) ((identifying guidelines for ethical public health surveillance, including data quality, transparency and accountability, special care for vulnerable populations, data security, obligation to share data with appropriate safeguards, and purpose limitations)

Other Resources

    • 15 U.S. advocacy groups’ letter to Congress on COVID Response and Privacy Protections (calling for Necessity and Proportionality, Time-limits, Transparency, Data Minimization, Security and Confidentiality, Limited Retention, Use restrictions, and Accountability and Due Process)
    • Apple’s guidance for app developers (limiting apps related to COVID-19 to developers from recognized entities such as government organizations, health-focused NGOs, companies deeply credentialed in health issues, and medical or educational institutions)
    • Berkman Klein Center’s note on Applying Core International Human Rights Principles to Coronavirus-Related Privacy Interferences (on the importance of “legality, necessity, and proportionality” principles)
    • EDRi’s Fundamental Rights-Based Responses to COVID-19 (calling for governments to: Strictly uphold fundamental rights, Protect data for now and the future, Limit the purpose of data for COVID-19 crisis only, Implement exceptional measures only for the duration of the crisis, Keep tools open, Condemn racism and discrimination, Defend freedom of expression and information, & Take a stand against internet shutdowns, and warning Companies should not exploit this crisis for their own benefit)
    • EFF’s Preserving Civil Liberties During a Public Health Crisis (calling for principled data collection and digital monitoring based on: privacy intrusions must be necessary and proportionate; data collection based on science, not bias; expiration; transparency; and due process)
    • ITPI’s Use of Digital Means to Combat the Coronavirus (top in Hebrew, scroll down for English)(describing Israel’s approach to data to combat COVID-19, and calling for transparency, time limits, purpose limitations, audit and enforcement mechanisms, and robust data security)
    • Lawfare's Security, Privacy and the Coronavirus: Lessons From 9/11 (cautioning policymakers to question whether the data is actually accurate and actionable; be cautious about the capabilities of "data mining"; avoid inaccurate data and false positives; avoid security theater; consider how the actions will look in retrospect; and watch for warrantless wiretaps)
    • Palantir’s Best Practices for Using Data During a Crisis (encouraging organizations to: focus on decisions to be made, not just insights to be discovered; start with the data you have; invest in management, beware the shiny new object; look beyond the quick wins: have a data strategy; set the rules of engagement from beginning to end; establish safeguards to maximize correct decision-making and human accountability; secure your data before you share it; build a data governance body; and serve the patient and respect their human dignity)
    • Sanfilipo et al.’s article on Disaster Privacy/Privacy Disaster (describing information flows during disasters and governance from Privacy Act of 1974, DHS, and FEMA; exploring the actual practices followed by popular disaster apps (pre-COVID-19); and visually mapping disaster information flows during disasters and around third party and government apps)
    • Santa Clara University’s guidance on ethical decision-making (a step-by-step tool for exploring ethical dilemmas and identifying ethical courses of action)(scroll down for numbered questions)
    • ZwillGen’s advice to companies regarding government data requests (providing a list of questions and issues that companies should consider when governments request data, including the breadth of the request, the type of data sought, the company’s privacy commitments, the authority under which the request is made, and who is making the request)

Security, Technical Tools & Emerging Solutions

Telework/Online Best Practices

On the Use of Location/Mobility Data

Other Resources