COVID-19 Privacy & Data Protection Resources
This repository of privacy and data protection resources related to COVID-19 is compiled by the Future of Privacy Forum, and will be updated regularly. We hope these resources will help privacy leaders in local government and beyond provide front-line support to individuals and communities.
If you have additions or suggestions, please contact Kelsey Finch, comments@fpf.org. Last updated Oct. 20, 2020.
US Privacy Resources
State & Local Government
Engaging Local Government Leaders (ELGL)'s Local Government Coronavirus/COVID-19 Resources
GovTech's Resource Guide to Coronavirus for Government Leaders by Dustin Haisler (March 18, 2020)
GovTech's Three Tips for COVID-19 Recovery: Get Your Data House in Order by Oliver Wise (April 14, 2020) (recommending state, local, and community leaders prioritize their data capacity now to ensure recovery, including: know your baseline, open your data, and gather and join data on the recovery targets, especially those most vulnerable)
GovTech's Do Data Releases Based on ZIP Codes Endanger Patient Privacy? by Robin Goist (April 14, 2020) (evaluating the implications for patient privacy as public health departments release information on COVID-19 cases by geographic zones)
Harvard Ash Center’s COVID-19 Resources for City Leaders and COVID-19 Public Sector Resources (March 2020) (including cases, examples, teaching, and policy solutions)
MetroLab Network's COVID-19 Resource Guide (Updated September 22, 2020) (including data collection initiatives, calls to action, and data + information resources on COVID-19)
Minnesota's Emergency Executive Order 20-34: Protecting Minnesota's First Responders by Directing the Commissioner of Health to Share Information with the Department of Public Safety, 911 Dispatchers, and First Responders (April 10, 2020) (requiring that the state health department disclose to first responders any addresses where a positive COVID-19 test result has been obtained and the individual is still contagious, subject to safeguards requiring that: no other identifiable information is shared; only authorized officials receive identifiable information; records are deleted as soon as the person is no longer contagious; data use limitations; data is encrypted in transit and classified as confidential; COVID-19 status may not be used to delay or refuse a call for service; and such data should be accessed only as a last resort/need-to-know measure)
National Association of State Chief Information Officers (NASCIO)’s Planning and Response Guide for State CIOs (including key steps for workforce and cybersecurity management)
New America's Pandemic Response Repository (a collection of open source digital resources to help governments respond to the COVID-19 pandemic, including specific collections on health, information, assistance, tracking, community, and research)
What Works Cities’ COVID-19: Local Government Response and Resource Bank (March 19, 2020)
Federal Agency Guidance & Congressional Activities
Equal Employment Opportunity Commission (EEOC)’s Pandemic Preparedness in the Workplace and the ADA (Updated March 21, 2020) (noting that the ADA and the Rehabilitation Act do not interfere with employers following advice from the CDC and other public health authorities on appropriate steps to take relating to the workplace, including asking employees if they have or may have COVID-19)
Federal Communications Commission (FCC)’s COVID-19 TCPA Declaratory Ruling (March 20, 2020) (assurance that pandemic-related emergency robocalls and texts are legal under the TCPA without prior express consent)
Food and Drug Administration (FDA)'s Enforcement Policy for Telethermographic Systems During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency (April 2020) (seeking to expand the availability of telethermographic systems during the COVID-19 emergency by not objecting to the distribution of such systems without compliance with certain regulatory requirements where: such devices do not create an undue risk, certain performance and labeling elements are met, and elevated body temperature measurements are confirmed by secondary evaluation methods in the context of use)
Federal Trade Commission (FTC)'s Privacy During Coronavirus by Elisa Jillson (June 19, 2020) (providing recommendations to businesses on how to leverage consumer data in a privacy-protective manner during the COVID-19 crisis)
FTC's Coronavirus: What the FTC Is Doing (identifying and providing guidance on avoiding emerging COVID-19 scams)
FTC's COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus by Lisa Weintraub Schifferie (April 9, 2020) (FAQs on protecting students' privacy and safeguarding personal data, including: remote learning, consent, teens, other applicable laws, and general advice)
Department of Health and Human Services (HHS)'s Bulletin: Civil Rights Laws and HIPAA Flexibilities that Apply During the COVID-19 Emergency (March 28, 2020) (ensuring that covered entities do not unlawfully discriminate against people with disabilities when making decisions about their treatment during the COVID-19 health care emergency)
HHS’ Bulletin: HIPAA Privacy and Novel Coronavirus (February 2020) (explaining the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation)
HHS’ COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, and Other First Responders and Public Health Authorities (explaining the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and providing examples)
HHS’ Limited Waiver of HIPAA Sanctions and Penalties (waiving penalties for hospitals that deviate from specific provisions of the HIPAA Privacy Rule, and describing generally allowable disclosures in emergency situations)
HHS' Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (permitting business associates to share COVID-19 related data, including PHI, in good faith without risk of a HIPAA penalty; however, requiring notification to the covered entity within 10 days) and Notification of Enforcement Discretion on Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (declaring that OCR will not impose penalties for noncompliance with the HIPAA Rules against covered health care providers or their business associates in connection with the good faith participation in the operation of a COVID-19 Community-Based Testing Site (CBTS) during the outbreak)
HHS' Bulletin: HIPAA Privacy in Emergency Situations (2014 - Ebola outbreak) (describing how covered entities and business associates were able to share patient data during the 2014 Ebola outbreak)
Senate Committee on Commerce, Science & Transportation's Paper Hearing: Enlisting Big Data in the Fight Against Coronavirus (April 9, 2020) (examining recent uses of aggregate and anonymized consumer data to identify potential hotspots of coronavirus transmission and to help accelerate the development of treatments and how consumers' privacy rights can be protected, including written statements and Q&A from: Prof Ryan Calo/Univ. Washington, the App Association, Network Advertising Initiative, Future of Privacy Forum, Interactive Advertising Bureau, Center for Democracy and Technology, and Kinsa Smart Thermometers)
Sen. Warren's Equitable Data Collection and Disclosure on COVID-19 Act of 2020 (April 14, 2020) (bill proposing to authorize $50 million in funding to support data collection on racial, ethnic, and other demographic implications of COVID-19 and requiring privacy protection for related data releases by HHS)
U.S. Department of Education (USED)’s FERPA and the Coronavirus Disease 2019 (March 2020) (answering school officials’ questions about disclosing personally identifiable information from students’ education records to outside entities)
USED's FERPA and Virtual Learning (March 2020) (consolidating USED's resources on virtual learning, including requirements for online services, model terms of service, and best practices on security, email, classroom observation, and video recordings)
US Members of Congress' Letter to Zoom on Consumer Privacy (April 3, 2020) (voicing concerns about Zoom's privacy and security safeguards, including a list of specific questions on the company's general data practices, attendee attention tracking, cloud recording, and automatic audio transcripts)
US Senators’ Letter on COVID-19 Website Privacy Concerns (March 18, 2020) (voicing concerns about White House’s plan to collaborate with companies on a virus screening website, including a list of specific questions about privacy and security safeguards)
US Senators' Letter on Health Privacy Surveillance (April 10, 2020) (voicing concerns about a breakdown in public trust around COVID-19 health surveillance and the role of technology firms, including a list of specific questions to identify existing proposals, the entities involved, and their goals and safeguards)
Other Resources
132 Organizations, signing a Statement on Government Coronavirus Emergency Transparency and Public Access (March 20, 2020) (encouraging governments to recommit to public engagement and open government principles, as well as open-meeting and public-records laws, as much as possible during the COVID-19 response)
American Medical Association's H.R. 748, the "Coronavirus Aid, Relief, and Economic Security Act" (CARES Act) Health Care Highlights (describing permanent regulatory changes to the confidentiality and disclosure of records relating to substance use disorders and 42 CFR Part 2)
Bloomberg Law's Insight: Illinois Biometric Privacy Law Has Nationwide Potential in Pandemic by Kenneth D. Walsh & Mary Smigielski (April 24, 2020) (identifying implications of Illinois BIPA on remote school and workplace biometrics during COVID-19)
Center for Democracy and Technology (CDT)'s Schools Do Not Have to Sacrifice Students’ Privacy to Continue Schooling by Elizabeth Laird (March 25, 2020) (identifying equity concerns and resources on privacy policies, model contracts, deletion, and working with parents)
Columbia Law School's Law in the Time of COVID-19 (chapter on privacy & pandemics, discussing the collection of physical location and health status information by authorities to address COVID-19 and the important issues and challenges this poses to information privacy and health privacy law)
Duke Science & Technology Center’s Brief on Information Sharing During an Epidemic by Brian W. Langloss & Sarah Rispin Sedlak (describing existing policies for intra-governmental data sharing during an epidemic, and providing policy recommendations for governments and companies)
Future of Privacy Forum (FPF)’s Student Privacy During the COVID-19 Pandemic: Resources (Updated December 03, 2020) (a list of student privacy and security resources, both those created specifically in response to COVID-19, and previously available resources that may be useful)
FTC Commissioner Christine Wilson's Privacy in the Time of COVID-19 by Christine Wilson (April 15, 2020) (guest blog for Truth on the Market, recommending that organizations: rely on their CPOs and CISOs and make decisions based on established privacy and security programs; strengthen their privacy and data security posture; conduct risk assessments and apply accountability and risk management best practices; engage in comprehensive vendor management; be guided by principles of necessity and proportionality; apply good data hygiene; and know when to lift more dire measures)
Husch Blackwell's U.S. Privacy Law Implications with the Use of No-Contact Temperature Taking Devices by David Stauss, Malia Rogers & Megan Herr (April 27, 2020) (describing three categories of no-contact temperature taking devices currently available, including infrared scanners, facial recognition systems with thermal scanning, and wearables, as well as the US legal implications for each)
The Leadership Conference on Civil and Human Rights' Letter to Attorney General Barr RE: The use of the PATTERN risk assessment in prioritizing release in response to the COVID-19 pandemic (expressing concerns with the use of automated risk assessment tools for determining which currently incarcerated individuals may receive priority treatment in transfer and decisions related to COVID-19)
Network for Public Health's FAQ: COVID-19 and Health Data Privacy (June 22, 2020) (addressing questions of HIPAA compliance and requirements in regards to the COVID-19 pandemic)
Network for Public Health’s Summary of State Laws that Facilitate Data Sharing Among State Agencies (examples of existing state laws that facilitate data sharing among state agencies for public health)
Pew Research Center's Most Americans Don't Think Cellphone Tracking Will Help Limit COVID-19, Are Divided on Whether It's Acceptable by Monica Anderson & Brooke Auxier (April 16, 2020) (surveying U.S. adults about support for the use of location data to limit COVID-19)
UC San Diego's Privacy Considerations during Modified Campus Operations due to COVID-19 (crowdsourced privacy considerations and recommendations to address various issues for US higher education institutions)
International Privacy Resources
Statement by the Global Privacy Assembly (March 17, 2020) (the organization of global data protection authorities, committing to facilitate swift and safe data sharing to fight COVID-19 while still providing the protections the public expects)
UN Special Rapporteurs' statement that States Should Not Abuse Emergency Measures to Suppress Human Rights (March 16, 2020)
UN/DESA's Policy Brief #61: COVID-19: Embracing Digital Government During the Pandemic and Beyond (April 14, 2020) (calling on governments to share information about the crisis; to engage diverse stakeholders, including the public, in managing the pandemic; to establish multi-stakeholder partnerships, with appropriate privacy safeguards for public-private partnerships; and to accelerate the implementation of innovative digital technologies)
European Authorities
European Commission's Recommendation on Apps for Contact Tracing (April 8, 2020) (proposing a coordinated approach for the use of contact tracing apps, for predicting and modeling the spread of the virus through anonymous and aggregated mobile location data, built on principles of: respect for fundamental rights and prevention of stigmatization; preference for least intrusive yet effective means; technical safeguards; cybersecurity requirements; expiration of measures after the pandemic is controlled; anonymous analysis and alerting systems based on proximity data; and transparency about privacy settings)
eHealth Network's Common EU Toolbox for Member States: Mobile Applications to Support Contact Tracing in the EU's Fight Against COVID-19 (April 15, 2020) (evaluating the role of contact tracing and warning in COVID-19 response, inventorying existing initiatives, and detailing essential requirements for national contact tracing apps, including that they be: voluntary, approved by the national health authority, privacy-preserving with personal data securely encrypted, and dismantled as soon as no longer needed)
European Commission's Guidance on Apps Supporting the Fight Against COVID-19 Pandemic in Relation to Data Protection (April 16, 2020) (setting out features and requirements which apps should meet to ensure compliance with EU privacy and data protection legislation, in particular the GDPR and ePrivacy Directive)
European Data Protection Board (EDPB)'s Letter Concerning the European Commission's draft Guidance on Apps Supporting the Fight Against the COVID-19 Pandemic (April 14, 2020) (encouraging the EC to consult with DPAs and to develop apps in an accountable way through DPIAs, privacy by design and default, and open source code, and stating that the emergency system should not remain in use after the crisis is over and that any data should be erased or anonymized; and encouraging specific measures for contact tracing apps, including that they be voluntary, secure, and interoperable; for states to consider enacting national laws creating a legal basis for such apps; that they not require location tracking of individual users; that health authorities and scientists develop a strict necessity test to define essential functional requirements of these apps; underlining that decentralized apps are more in line with minimization than centralized ones; and limiting any post-test contacting of individuals by health authorities in ways that are not fully automated; with call-back mechanisms to human agents; and with timely deletion and other measures to prevent re-identification of any other persons)
European Commission's Joint European Roadmap Towards Lifting COVID-19 Containment Measures (describing an EU exit strategy, including accompanying measures to create a framework for contact tracing and warning with the use of mobile apps, which respects data privacy)
EU Agency for Fundamental Rights's Coronavirus pandemic in the EU - Fundamental Rights Implications - Bulletin 1 (section 4, outlining the guidance provided by data protection authorities on how to ensure the rights to privacy and data protection are upheld during the pandemic, in particular data processing by employers and the media)
European Data Protection Board (EDPB)’s updated Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak (March 19, 2020) (discussing use of location data, employment, core principles, and lawfulness of processing)
EDPB's Guidelines 04/2020 on the Use of Location Data and Contact Tracing Tools in the Context of the COVID-19 Outbreak (with Annex) (April 21, 2020) (encouraging the development of a common, interoperable European approach to data protection and processing and clarifying the conditions and principles for the proportionate use of location data and contact tracing tools)
EDPB's Guidelines 03/2020 on the Processing of Data Concerning Health for the Purposes of Scientific Research in the Context of the COVID-19 Outbreak (April 21, 2020) (shedding light on the most urgent questions regarding research use of health data, including appropriate legal basis, the implementation of adequate safeguards for such processing, and the exercise of data subject rights)
EDPB’s Statement on the Data Protection Impact of the Interoperability of Contact Tracing Apps (June 16, 2020) (building on Guidelines 04/2020 by providing information on legal bases, key issues, and general considerations/recommendations, including triggering interoperable applications upon a voluntary action of the user; exploring alternatives to interoperable applications; and ensuring the minimal exchange and processing of data through developer agreements on common protocols and compatible data structures)
European Data Protection Supervisor (EDPS)'s comments to DG Connect of the European Commission on Monitoring of COVID-19 spread (underlining the flexibility of current EU data protection rules to address pandemics, and considering safeguards for the use of telecommunications data including anonymization, data security and access, data retention, and public transparency)
National Data Protection Authorities
@JBAGerritsen's Compilation of EU DPA guidance (updated regularly)
Agencia Española de Protección de Datos (AEPD)’s Recommendations for the Deployment of Mobile Applications in the Access of Public Spaces (June 2020) (providing guidelines on the design and use of apps to control access to public places and social distancing including: clearly defined purpose; effective and necessary data processing; voluntary use; and compliance with data protection principles)
Fox Rothschild's Apps Controlling Access in the Age of COVID-19: The Spanish AEPD Weighs In by Odia Kagan (July 12, 2020) (breaking down the AEPD guidelines (in English))
Canadian OPC’s Guidance on Privacy and the COVID-19 Outbreak (March 2020) (providing guidance on the applicability of public and private sector privacy laws, both federal and provincial, with regards to COVID-19)
Canadian OPC's A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (April 2020) (describing key privacy principles that should factor into any assessment of measures to combat COVID-19, including: legal authority, necessity and proportionality; purpose limitation; de-identification and other safeguarding measures; vulnerable populations; openness and transparency; open data; oversight and accountability; and time limitation)
COVID-19 data protection resources from national DPAs (including US, UN, UK, Switzerland, Spain, Slovakia, San Marino, Poland, Peru, New Zealand, Mexico, Luxembourg, Lithuania, Jersey, Italy, Ireland, Hungary, Hong Kong, Germany, Gibraltar, France, Finland, Canada, Bulgaria, Austria, Australia, Argentina, Albania)
Hong Kong’s press release on Government [adopting] multi-tech approach to support home quarantine (describing Hong Kong’s use of monitoring technologies to enforce quarantines, including disposable wristbands and sharing of real-time location data via WhatsApp or WeChat)
Israeli Privacy Protection Authority's Guidelines on Privacy Aspects of the Coronavirus Epidemic (COVID-19) (March 23, 2020) (collection of guidelines, including privacy aspects of the coronavirus epidemic, data protection aspects of working from home, teaching or studying online, electronic signatures, a hotline and Q&A)
Italian Garante's Hearing through video conference of the President of the Italian DPA Regarding Use of New Technologies and the Internet to Counter the COVID-19 Epidemiological Emergency (April 8, 2020) (describing legal rights, derogation, and restrictions in light of the COVID-19 emergency, and describing specific privacy and data protection considerations relevant to epidemiological mapping and surveillance and contact tracing) (scroll down for English)
Japanese Personal Information Protection Commission's Handling of Personal Data for Preventing the Spread of Novel-Coronavirus (COVID-19) Disease (provisional translation) (permitting secondary use of data without explicit consent in order to prevent the spread of COVID-19 in select circumstances, such as where the request is made by a central government organization)
New Zealand’s FAQ: COVID-19 and Privacy (helping individuals and organizations navigate privacy considerations when there may be a risk of exposure to COVID-19) and op-ed on privacy (highlighting his offices' fundamental questions for tech to respond to COVID-19: Will it work? Is the proposed use of information proportional to the problem? Can it be reversed after the crisis passes?)
New Zealand's Civil Defense National Emergencies (Information Sharing) Code 2013 (March 26, 2020) (authorizing agencies to collect, use, or disclose personal information even without individual consent in order to manage or respond to COVID-19)
Polish UODO's Guide for Schools (April 1, 2020) (including good practices that help keep data secure during online lessons and security of personal data during remote learning (in English))
Singapore PDPC’s Statement (authorizing the collection, use, and disclosure of personal data for contact tracing and other response measures, including without consent)
UK ICO's Data Protection and Coronavirus Information Hub (providing guidance on data protection for individuals and organizations, including specific guidance for community groups, FOI, health care professionals, and on the use of mobile phone tracking)
Covington and Burling's ICO Issues COVID-19 Guidance for Employers by Dan Cooper and Miles Lynn (May 17, 2020) (explaining the guidance published by the UK’s Information Commissioner’s Office)
UK ICO's Regulatory Approach During COVID-19 (September 24, 2020) (describing the ICO's regulatory flexibility as it continues to safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus)
UK ICO's Combatting COVID-19 through Data: Some Considerations for Privacy (April 17, 2020) (calling for tech tools to demonstrate how privacy is built into the processor technology; that collection and use of personal data is necessary and proportionate; that users can exercise rights over their data; how much data must be gathered and processed centrally; what ongoing governance and accountability policies are in place; and what happens when the processing is no longer necessary)
UK ICO's Opinion: Apple and Google Joint Initiative on COVID-19 Contact Tracing Technology (April 17, 2020) (finding phase one of the initiative aligned with the principles of data protection by design and default (and similarly, the proposed DP-3T system))
UK NHS' The Power of Data in a Pandemic by Matthew Gould, Dr. Indra Joshi & Ming Tang (March 28, 2020) (describing NHS' development of a centralized data platform to support national coordination and response, including commitment to GDPR principles and range of private-sector partners)
UK NHS' COVID-19 - Notice Under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 (Updated August 6, 2020) (notification to healthcare organizations, GPs, local authorities, and arm's length bodies that they should share information to support efforts against the coronavirus)
Non-Governmental Resources
Baker McKenzie's COVID-19 Data Privacy & Security Survey (April 17, 2020) (surveying employers' data processing abilities related to COVID-19 in 39 countries)
Bird & Bird's COVID-19 Data Protection Guidance (Updated January 8, 2021) (a comparative chart using a traffic light system and explanations to answer questions such as whether employers can ask about symptoms, travel history, temperature readings or ask for diagnosis notifications)
Canadian Civil Liberties Association et al.'s Letter to Solicitor General (April 23, 2020) (outlining concerns regarding the government's decision to provide a range of first responders, including police services, with the names, addresses, and dates of birth of individuals who have tested positive for COVID-19)
Center for Global Constitutionalism's Data Crossing Borders: Data Sharing and Protection in Times of Coronavirus by Christopher Kuner (April 15, 2020) (describing safeguards and approaches to global data sharing under the GDPR, and the future of data transfer regulation and protections)
Covington and Burling's Coronavirus/COVID-19 Data Privacy Guidance (overview of guidance documents issued by regulators with corresponding blog posts from Covington and Burling’s Inside Privacy Blog)
European Law Blog's The Coronavirus Crisis and EU Adequacy Decisions for Data Transfers by Christopher Docksey and Christopher Kuner (April 3, 2020) (considering the implications of COVID-19 measures taken in non-EU countries on future EU adequacy determinations)
Future of Privacy Forum (FPF)’s summary of European DPA guidance by Dr. Gabriela Zanfir-Fortuna (March 10, 2020) (noting DPAs’ advice to organizations against “systematic and generalized” monitoring and collection of data related to health of their employees outside official requests and measures of public health authorities)
FPF's European Union's Data-Based Policy Against the Pandemic, Explained by Dr. Gabriela Zanfir-Fortuna (April 30, 2020) (analyzing the collection of guidelines, opinions, recommendations, and resolutions released by EU authorities related to data processing for COVID-19 response)
International Association of Privacy Professionals (IAPP)'s COVID-19 Guidance and Resources (a collection of privacy news, resources, guidance and tools covering the COVID-19 global outbreak) and infographic of resources
Internet Freedom Foundation's Privacy Prescriptions for Technology Interventions in India by Sidharth Deb (April 11, 2020) (working paper documenting and comparing technology-driven policy efforts to COVID-19, including analysis of the use and publication of health data, specific development of surveillance technologies around location tracking and the deployment of contact tracing through mobile apps, as well as recommendations premised on the Indian Supreme Court's developing jurisprudence on the fundamental right to privacy)
noyb/GDPRHub's Data Protection under SARS-CoV-2 (outlining general conditions for data processing in connection with COVID-19 under GDPR and a collection of DPA-specific guidelines)
Paolo Balboni's "Public Health AND Privacy" And "Not Public Health OR Privacy": A Collection of Guidance on COVID-19 by Paolo Balboni (March 26, 2020) (an attempt to map all the official resources providing guidance on the correct processing of personal data and cybersecurity-related information on working remotely in the context of the COVID-19 pandemic)
PARIS21's New Policy Brief - Combating COVID-19 with Data: What Role for National Statistical Systems? (April 14, 2020) (introducing a framework that describes the adverse effects of the crisis on national statistical systems in developing countries, and suggesting actions to mitigate them by: focusing data production on priority economic, social, and demographic data; communicating proactively with citizens, academia, private sector, and policymakers; and positioning national statistical offices as advisors and knowledge banks for national governments)
VUB Brussels’ Data Protection Law and the COVID-19: An Observatory (providing links to global tracking initiatives; general resources for Europe, including cybersecurity developments; international resources and updates; and European national resources)
Global Response & Trackers
Alston & Bird's Location and Mobile Data in the Fight against COVID-19: An Overview of U.S. and Global Efforts by Amy Mushahwar, Daniel Felz & Jon Knight (April 11, 2020) (summarizing how the US and other nations are leveraging or considering using location and other device data to fight COVID-19)
Hogan Lovells' COVID-19 Exit Strategy: A Global Privacy and Cybersecurity Guide (May 2020) (detailing guidance released by regulators across Europe, the Americas, and Asia Pacific, including: the importance of identifying legal bases, carrying out data protection impact assessments prior to deploying immunity certificates, considering what new processing activities are likely to arise in the context of a COVID-19 exit strategy, and mitigating investigation and litigation risks)
International Center for Not-For-Profit Law (ICNL)'s COVID-19 Civic Freedom Tracker (monitoring government responses to the pandemic that affect civic freedoms and human rights, focusing on emergency laws)
MediaNama's Keeping Track of Surveillance in the Time of Coronavirus by Aditi Agrawal (March 23, 2020) (a list of technical measures taken by governments to contain COVID-19 within and outside India)
OneZero's We Mapped How the Coronavirus is Driving New Surveillance Programs Around the World by Dave Gershgorn (April 9, 2020) (weekly updates on surveillance measures in 28+ countries)
Pandemic Big Brother (monitoring for restrictions of civil rights that are realized with digital technologies)
Privacy International’s Tracking the Global Response to COVID-19 (comprehensive tracking of measures announced by tech companies, governments, and international agencies to help contain the spread of COVID-19)
Top10VPN's COVID-19 Digital Rights Tracker by Samuel Woodhams (Updated October 13, 2020) (documenting new measures introduced in response to COVID-19 that could pose a risk to digital rights around the world)
Privacy Principles, Civil Liberties, & Ethical Best Practices
Humanitarian Guidance (Non-COVID-19)
Harvard Humanitarian Initiative's The Signal Code: A Human Rights Approach to Information During Crisis (2015) (asserting fundamental rights during humanitarian crises, including the right to: information, protection, privacy and security, data agency, and rectification and redress)
International Red Cross’s Handbook on Data Protection in Humanitarian Action (seeking to help humanitarian organizations comply with personal data protection standards, by raising awareness and providing specific guidance on the interpretation of data protection principles in the context of humanitarian action, particularly when new technologies are employed)
Public Lab's Introducing the Principles of Equitable Disaster Response by Greg Bloom (March 31, 2020) (recognizing that "something is not necessarily better than nothing," and articulating these principles: ask - and listen; distribute power; collaborate strategically: seek appropriate solutions; and use appropriate technology)
Sandvik et al.'s Do No Harm: A Taxonomy of the Challenges of Humanitarian Experimentation (2017) (articulating the notion of 'humanitarian experimentation' and outlining a broad taxonomy of harms, including examining distribution of harm, resource scarcity, and legal liability and reputational damage)
Sanfilippo et al.’s article on Disaster Privacy/Privacy Disaster (July 26, 2019) (describing information flows during disasters and governance from Privacy Act of 1974, DHS, and FEMA; exploring the actual practices followed by popular disaster apps (pre-COVID-19); and visually mapping disaster information flows during disasters and around third party and government apps)
Santa Clara University’s guidance on Ethical Decision-Making (August 1, 2015) (a step-by-step tool for exploring ethical dilemmas and identifying ethical courses of action) (scroll down for numbered questions)
World Health Organization (WHO)'s Guidance for Surveillance During an Influenza Pandemic (2017) (describing the data requirements and surveillance strategies that governments can use throughout the course of a pandemic)
WHO's Guidelines on Ethical Issues in Public Health Surveillance (2017) (identifying guidelines for ethical public health surveillance, including data quality, transparency and accountability, special care for vulnerable populations, data security, obligation to share data with appropriate safeguards, and purpose limitations)
COVID-19 Privacy, Civil Liberties, & Ethical Guidance
15 U.S. advocacy groups’ letter to Congress on COVID Response and Privacy Protections (calling for Necessity and Proportionality, Time-limits, Transparency, Data Minimization, Security and Confidentiality, Limited Retention, Use restrictions, and Accountability and Due Process)
55 responsible technologists' Open Letter: Contact Tracking and NHSX (calling for NHSX leadership to urgently: institute a culture of working in the open, with clear, regular public communication about projects being undertaken and the publication of machine readable data and models to build trust and minimize speculation; introduce bold emergency governance measures, including privacy and rights impact assessments and the drafting of an expert governance panel, with public and patient participation, to ensure accountability; develop collective mechanisms for social license, to balance the needs of individuals and the benefit to society, ensure that affected communities and groups have a say, and publish clear terms and conditions for any new applications)
106 global groups' Joint Civil Society Statement: States Use of Digital Surveillance Technologies to Fight Pandemic Must Respect Human Rights (calling for any government surveillance measures to be lawful, necessary, and proportionate; time-bound; limited in purpose; appropriately secured; transparent about any data sharing agreements and with clear separation between pandemic response and partners' business interests; incorporate accountability protections and safeguards against abuse; and include meaningful participation of public health experts and marginalized populations)
170 cybersecurity experts' Joint Statement on NHSX Contact Tracing Plans (expressing concerns about plans by NHSX to deploy a contact tracing application and potential government use of social graphs, and urging that the health benefits of digital solutions be analyzed by specialists from all academic disciplines, that only minimum data necessary to achieve the objectives is collected, that a DPIA be published immediately, and for NHSX to commit that no databases will allow de-anonymization of users)
300 global scientists and researchers' Joint Statement on Contact Tracing (voicing concerns that some “solutions” to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large, calling for principles for contact tracing apps to only support public health measures for the containment of COVID-19, that all solutions be fully transparent including protocols and implementations, use of the most privacy-preserving defaults where possible, and requirement that contact tracing systems be voluntary and based on explicit consent)
Access Now's Recommendations on Privacy and Data Protection in the Fight Against COVID-19 (examining global case studies and providing specific recommendations for protecting digital rights around the collection and use of health data; tracking and geolocation; and public-private partnerships, apps, websites, and services as a response to COVID-19)
Ada Lovelace Institute's Data-Driven Responses to Coronavirus Are Only As Good As the Trust We Place in Them (calling for data partnerships addressing COVID-19 to put the interest of patients and the public first; to provide explanations of how data will be shared, accessed and used, by who, and accountability; to consider health inequalities and account for disparate impacts)
Berkman Klein Center’s note on Applying Core International Human Rights Principles to Coronavirus-Related Privacy Interferences (on the importance of “legality, necessity, and proportionality” principles)
Center for Democracy and Technology (CDT)'s Statement Regarding the Use of Data to Fight COVID-19 (calling for data use to be efficacious, data collection to be voluntary, data to be aggregated, consequences of secondary use to be considered, systems to be transparent, data use to be fair, and measures limited in time)
Centre for International Governance Innovation (CIGI)'s The Digital Response to the Outbreak of COVID-19 by Sean McDonald (March 30, 2020) (describing core use cases for data and technology for COVID-19 response and key risks and issues they raise)
European Digital Rights (EDRi)’s Fundamental Rights-Based Responses to COVID-19 (March 20, 2020) (calling for governments to: Strictly uphold fundamental rights, Protect data for now and the future, Limit the purpose of data for COVID-19 crisis only, Implement exceptional measures only for the duration of the crisis, Keep tools open, Condemn racism and discrimination, Defend freedom of expression and information, & Take a stand against internet shutdowns, and warning Companies should not exploit this crisis for their own benefit)
EDRi's COVID-19: A Commission Hitchhiker's Tech Guide to the App Store (providing insight into the European Commission’s proposals and how they fit with civil society views on this subject, including decentralized vs. centralized, use of location data, open source code, and encryption)
Electronic Frontier Foundation (EFF)’s Protecting Civil Liberties During a Public Health Crisis by Matthew Guariglia & Adam Schwartz (March 10, 2020) (calling for principled data collection and digital monitoring based on: privacy intrusions must be necessary and proportionate; data collection based on science, not bias; expiration; transparency; and due process)
Edwards et al.'s The Coronavirus (Safeguards) Bill 2020: Proposed Protections for Digital Interventions and In Relation to Immunity Certificates (model legislation to provide safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK, and anticipating minimum safeguards that will be needed if we move on to a roll out of 'immunity certificates' in the future)
FPF's Privacy and Pandemics: A Thoughtful Discussion (takeaways from multistakeholder workshop, including: understand how your own data sets relate to the needs of health experts; continue to follow your guidelines for data protection during the crisis, and recognize that your standards for sharing have not changed; establish clear boundaries; use data protection safeguards, such as anonymization and aggregation; work with a partner that has controls in place; and be transparent)
GSMA's COVID-19 Privacy Guidelines (April 2020) (recommendations on how the mobile industry may maintain trust while responding to those governments and public health agencies that have sought assistance in the fight against COVID-19, including: compliance with law and consideration of ethics, transparency, insights and aggregated non-identifiable data, metadata, and assurances from governments or agencies)
Human rights advocates' Letter to Australian Federal Health Minister re: Coronavirus Australia app (calling for greater transparency around the app's collection, use, sharing, and protection of personal data)
Israel Tech Policy Institute (ITPI)’s Use of Digital Means to Combat the Coronavirus by Limor Shmerling Magazanik (March 16, 2020) (describing Israel’s approach to data to combat COVID-19, and calling for transparency, time limits, purpose limitations, audit and enforcement mechanisms, and robust data security) (top in Hebrew, scroll down for English)
The Intercept's Privacy Experts Say Responsible Coronavirus Surveillance Is Possible (recommending that health officials must drive data decisions; coronavirus-related surveillance must be clearly justified against the costs; data collected for COVID-19 purposes should expire; data collected for COVID-19 should be walled off, like the US Census; beware of attempts at reputation laundering; and remember the limitations of surveillance and tech)
Lawfare's Security, Privacy and the Coronavirus: Lessons From 9/11 (cautioning policymakers to question whether the data is actually accurate and actionable; be cautious about the capabilities of "data mining"; avoid inaccurate data and false positives; avoid security theater; consider how the actions will look in retrospect; and watch for warrantless wiretaps)
Microsoft's Preserving Privacy While Addressing COVID-19 (offering privacy principles, including: obtain meaningful consent by being transparent about the reason for collecting data, what data is collected and how long it is kept; collect data only for public health purposes; collect the minimal amount of data; provide choices to individuals about where their data is stored; provide appropriate safeguards to secure data; do not share data or health status without consent, and minimize the data shared; delete data as soon as it is no longer needed for the emergency)
Palantir’s Best Practices for Using Data During a Crisis (encouraging organizations to: focus on decisions to be made, not just insights to be discovered; start with the data you have; invest in management, beware the shiny new object; look beyond the quick wins: have a data strategy; set the rules of engagement from beginning to end; establish safeguards to maximize correct decision-making and human accountability; secure your data before you share it; build a data governance body; and serve the patient and respect their human dignity)
pdpEcho's Why Data Protection Law Is Uniquely Equipped to Let Us Fight a Pandemic with Personal Data (exploring the right to data protection vs. right to privacy, and describing key safeguards for digital responses to COVID-19, including: clear dataflows; clear and specific purposes; lawful grounds for processing; data protection by design; clear identification of controls and processors; restrictions on onward transfer; transparency; assess necessity and proportionality; data quality; individual access, correction, and erasure; security; limited retention; and the use of DPIAs)
Politico Opinion's The 9/11 Playbook for Protecting Privacy (members of the US Privacy and Civil Liberties Oversight Board (PCLOB) identifying principles for balancing the need to preserve individual rights in times of emergency, including: weigh the benefits of each collection and use of data against the risks; establish clear rules for how data can be used, retained, and shared; decide how long new programs will continue; and transparency is vital)
Women Leading in AI's Letter to MPs: Get COVID-19 App Right Now to Avoid Democratic Failure Later (calling on UK leaders to publish the governance framework supporting the deployment of any government app; establish an oversight board which operates in a totally accountable way and reports to MPs and the general public; and frame this as an emergency measure to prevent it from becoming the norm)
ZwillGen’s advice to companies regarding government data requests (providing a list of questions and issues that companies should consider when governments request data, including the breadth of the request, the type of data sought, the company’s privacy commitments, the authority under which the request is made, and who is making the request)
Telework & Security Guidance
Department of Homeland Security Cybersecurity & Infrastructure Security Agency (DHS CISA)’s Insights: Risk Management for Novel Coronavirus (March 6, 2020) (including actions for infrastructure protection, for supply chains, cybersecurity for organizations, and cybersecurity actions for your workforce and consumers)
FBI's PSA: FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic (March 20, 2020) (advising that individuals and organizations beware COVID-19 scams and identity theft)
National Institute of Standards and Technology (NIST)’s Updated Catalog of Privacy and Security Controls (Draft) (Updated May 18, 2020) (a landmark collection of hundreds of specific measures for strengthening the systems, component products and services that underlie the nation’s businesses, government and critical infrastructure)
Telework/Online & Video Communications
Compilation of EU authorities’ guidance on IT Security when Working Remotely by Dan Cooper, Kristof Van Quathem & Anna Oberschelp de Meneses (March 23, 2020) (including top tips for employees and employers, and warnings about COVID-19 phishing attacks)
DHS CISA's Alert on Enterprise VPN Security (Updated April 15, 2020) (identifying cybersecurity considerations and recommendations for telework VPN use)
Dutch DPA's Privacy Decision-Making Aid: Video App Calls (April 15, 2020) (chart comparing data and privacy practices of 13 leading video apps) (original in Dutch; unofficial translation by Christopher Schmidt/@PiracybyDesign)
EFF’s notes on What You Should Know About Online Tools During the COVID-19 Crisis by Lindsay Oliver (March 19, 2020) (Zoom, Slack, telework, and online learning) and Surveillance Self-Defense site (security basics, specific tool guides, and educational materials)
Frontline Defenders' Physical, Emotional, and Digital Protection While Using Home as Office in Times of COVID-19 (June 4, 2020) (guidance from human rights advocates on a variety of threat models and safeguards for remote workers handling sensitive information)
Health and Human Services (HHS)'s list of HIPAA-compliant video and communication tools (discussing video communication and telehealth products that can be used by covered health care providers, as well as those that will enter into HIPAA BAAs)
Irish Data Protection Commission's Data Protection Tips for Video-Conferencing (including tips for individuals and organizations)
NIST Telework Security Resources and Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (including tools for organizations, for teleworkers, and mobile device security)
New Jersey Addressing Cybersecurity Risks During COVID-19 (March 12, 2020) (best practices for remote workforces, including remote access, BYOD, and device security)
noyb's Report on Privacy Policies of Video Conferencing Services (evaluating privacy policies of Zoom, WebEx, Meeting, Skype, Teams, and Wire under the GDPR)
Remote and Telework Resources for Government (including guidance on selecting and using software tools)
Tor Blog's Remote Work and Personal Safety (March 20, 2020) (tips about working from home and retaining your rights to privacy and freedom of expression, including specific free and open source tools)
Emerging Tech Measures (Location & Apps)
Broad Guidance, Features & Initiatives
@PODehaye’s crowdsourced List of privacy considerations/features/requirements for apps and systems enabling contact tracing
Ada Lovelace Institute's Exit through the App Store? A rapid evidence review on the technical considerations and societal implications of using technology to transition from the COVID-19 crisis (April 20, 2020) (examining the potential development and implementation of technical solutions to support symptom tracking, contact tracing and immunity certification, taking into account societal, political, legal and ethical perspectives, and giving findings and recommendations for the transition and rebuild phases that follow containment, delay and mitigation)
European Parliamentary Research Services' Ten Technologies to Fight Coronavirus by Mihalis Kritikos (April 2020) (examining in detail how ten different technological domains are helping the fight against this pandemic disease, and shedding light on their main legal/regulatory and socio-ethical dilemmas - including AI, blockchain, open-source tech, telehealth, 3D printing, gene-editing, nanotech, synthetic biology, drones, and robots)
GovLab’s #DATA4COVID19: Data Collaboratives in Response to COVID-19 (an open repository for data collaboratives seeking to address the spread of COVID-19 and its secondary effects, including ongoing projects; requests for data and expertise; and data challenges)
International Science Council's A Data Ecosystem to Defeat COVID-19 by Bapon Fakhruddin (describing data flows and data sources to strengthen the resilience of health systems for COVID-19)
Kelley Drye's Data Privacy Considerations for Coronavirus Data Tools by Aaron Burstein & Alysa Zeltzer Hutnik (March 28, 2020) (identifying some of the key privacy considerations for contributors to and users of COVID-19 resources)
MyDataCommonS' COVID-19 Initiative (an initiative to collect some personal data, based on consent, to be aggregated into community-based data commons, including evolving documentation on a governance model for COVID-19 projects, an ethical framework for contact tracing, digital ethics reading list, checklist for contact-tracing app, policy brief for policymakers, and contracting data protection framework)
Newspeak House’s crowdsourced Coronavirus Tech Handbook (crowdsourced resources on tech responses to COVID-19, specialist communities, remote working, and other generalist/non-privacy activities)
Open Government Partnership's Open Government Approaches to COVID-19 (May 12, 2020) (a crowdsourced list of examples of open government approaches to tackling COVID-19 by governments, civil society, citizens, or companies)
Organization for Economic Co-operation and Development (OECD)'s Tracking and Tracing COVID: Protecting Privacy and Data While Using Apps and Biometrics (April 23, 2020) (describing technological approaches to COVID-19 response, including contact tracing apps and biometric data, and recommending tools be designed with full transparency, in consultation with major stakeholders, with privacy-by-design protections, and through open source projects where appropriate)
Robert Munro's 5 Ways Data Scientists Can Help Respond to COVID-19 and 5 Actions to Avoid (expert advice on supporting COVID-19 response effort and avoiding unintended consequences)
US Digital Response's Volunteer matching program for local government (matching local governments with 500+ qualified people willing to help and skilled in technology, data, design)
Exposure Notification (aka "Contact Tracing") & Mobile Apps and Platforms
Apple’s Guidance for App Developers (March 14, 2020) (limiting apps related to COVID-19 to developers from recognized entities such as government organizations, health-focused NGOs, companies deeply credentialed in health issues, and medical or educational institutions)
Brookings' Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis by Ashkan Soltani, Ryan Calo & Carl Bergstrom (April 27, 2020) (expressing concerns that contact-tracing apps will serve as vehicles for abuse and disinformation while providing a false sense of security, and urging developers to be candid about the limitations and implications of the technology; to provide explicit best practices on how back-end systems should be secured and how long data should be retained, criteria for what public health entities can qualify to use the technologies, and explicit app store policies for what additional information should be collected; adopt security practices such as auditing, bug bounties, and abusability testing; and make explicit commitments for when these apps and underlying APIs will be sunsetted - also urging policymakers to impose proactive safeguards with respect to the privacy of data, prohibitions on economic and social discrimination, and judicial oversight and sunset provisions to guard against mission creep)
Chaos Computer Club (CCC)'s 10 Requirements for the Evaluation of "Contact Tracing" Apps (April 6, 2020) (outlining minimum social and technical requirements for such technologies, including: epidemiological sense and purpose; voluntariness and freedom from discrimination; fundamental privacy; transparency and verifiability; no central entity to trust; data economy; anonymity; no creation of central movement or contact profiles; unlinkability; and unobservability of communication)
Coalition's Data Rights for Exposure Notification (describing individual data rights for digital contact tracing, including: defined purpose for collection; informed, express consent that can be withdrawn at any time; anonymity and prohibitions on re-identification and data sharing; aggregate data only for public research purposes; clear retention policies; security; individual data ownership; non-monetization; collaborative development; legal compliance; open protocols)
Covington & Burling's COVID-19 Apps & Websites: Guidance by Supervisory Authorities by Dan Cooper, Kristof Van Quathem & Anna Oberschelp de Meneses (April 2, 2020) (scroll down for guidance on mobile apps by Belgian, Italian, German, Slovenian, and Spanish DPAs)
European Commission's Guidance on Apps Supporting the Fight Against COVID-19 Pandemic in Relation to Data Protection (April 16, 2020) (setting out features and requirements which apps should meet to ensure compliance with EU privacy and data protection legislation, in particular the GDPR and ePrivacy Directive)
Future of Privacy Forum's Chart on the Role of Mobile Apps in Pandemic Response by Pollyanna Sanderson (April 3, 2020) (a comparison chart contrasting the objectives and methods of specific apps and SDKs aimed at COVID-19 response, including apps from the EU, Israel, Poland, UK, US, and Singapore)
Harper Reed's Digital Contact Tracing and Alerting vs. Exposure Alerting (April 22, 2020) (distinguishing between digitally-supported manual contact tracing for epidemiological and public health activities and app-based exposure alerting/exposure notification, as well as identifying the specific privacy concerns of the latter)
Harvard Safra Center for Ethics' Outpacing the Virus: Digital Response to Containing the Spread of COVID-19 while Mitigating Privacy Risks (April 3, 2020) (describing contact tracing methods, their techniques and trade-offs, the necessary rate of adoption, and critical security and privacy controls and concerns for an information system that can accelerate medical response)
Imperial College London/Tech-Computational Privacy Group’s Evaluating COVID-19 Contact Tracing Apps? Here are 8 Privacy Questions We Think You Should Ask (April 2, 2020) (asking key questions of contact tracing apps, including: how is data collection limited; how is anonymity of all users protected; does the app reveal users' identities to authorities; could your app reveal who is infected or at risk to its users; does your app allow users to learn personal information about others; could external parties exploit your system to learn about users; are there additional protections in place for infected and at-risk users; and how transparent and verifiable is the system)
Inria's Proximity Tracing Applications: The Misleading Debate about Centralized Versus Decentralized Approaches (April 18, 2020) (encouraging apps to be evaluated based on privacy risk assessments, rather than ill-defined catchwords such as 'centralized' vs 'decentralized')
Institute for Research on Public Policy (IRPP)'s Five Ways a COVID-19 Contact-Tracing App Could Make Things Worse by Jason Millar (April 15, 2020) (highlighting risk that apps could reinforce existing social biases; people may over-trust the app to keep them safe; notifications could inadvertently overload the healthcare system; apps could do psychological harm to users; and apps could contribute to desensitizing users to other public health messaging)
Joint Statement on Contact Tracing by Scientists and Researchers from 27 Countries (April 19, 2020) (voicing concerns that some “solutions” to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large, calling for principles for contact tracing apps to only support public health measures for the containment of COVID-19, that all solutions be fully transparent including protocols and implementations, use of the most privacy-preserving defaults where possible, and requirement that contact tracing systems be voluntary and based on explicit consent)
Korea Centers for Disease Control and Prevention's Contact Transmission of COVID-19 in South Korea: Novel Investigation Techniques for Tracing Contacts (examining novel data sources for objectively verifying patients' claims about contacts with others used during COVID-19 investigations in South Korea, including medical facility records, GPS, card transactions, and CCTV)
Lawfare's The Importance of Equity in Contact Tracing by Susan Landau, Christy E. Lopez & Laura Moy (May 1, 2020) (describing the disparate efficacy and privacy implications of contact tracing apps for vulnerable and underserved communities, and recommending all apps must operate only on an opt-in basis; use of such apps cannot be a condition of access to a public benefit or space, or to commercial, work, or educational spaces; data associated with any contact-tracing technology must be completely off-limits for law enforcement use; and any app must be developed through a process designed to identify and address potential demographic disparities early and continuously)
Luciano Floridi's Mind the App - Considerations on the Ethical Risks of COVID-19 Apps (June 13, 2020) (describing the 'minefield of ethical problems' from the use of COVID-19 mobile apps, including equity concerns and the creation of a 'biological divide' and concerns about opportunity cost if app-based solutions cannot be validated and verified in a timely fashion)
MIT Computational Lab's COVID-19 Contact Tracing Privacy Principles (May 20, 2020) (working draft of principles and sample implementation guidance, including applicability to MIT's SafePaths app, calling for technology to follow the principles of Privacy by Design; data to be protected in accordance with Fair Information Practice Principles; Choice/Consent; Access/Participation; Integrity/Security; and Enforcement/Redress)
MIT's Apps Gone Rogue: Protecting Personal Privacy in an Epidemic (March 16, 2020) (outlining technological approaches to mobile-phone based contact tracing, identifying privacy and other risks to a variety of stakeholders, describing advanced security-enhancing approaches to mitigate these risks, and discussing trade-offs)
Oxford University's Digital Contact Tracing can Slow or Even Stop Coronavirus Transmission and Ease Us Out of Lockdown (April 16, 2020) (including research papers on transmissions, a conceptual simple mobile contact tracing app, and simulated model of use of digital contact tracing to control COVID-19)
Ferretti et al.'s Quantifying SARS-CoV-2 Transmission Suggests Epidemic Control with Digital Contact Tracing (May 8, 2020) (concluding that viral spread of COVID-19 is too fast to be contained by manual contact tracing, but could be controlled through a speedier, widely-used digital contact tracing system) and NHS Director's Blog summarizing the paper
Hinch et al.'s Effective Configurations of a Digital Contact Tracing App: A Report to NHSX (presenting simulations that will support the deployment and optimization of digital contact tracing within an established programme of epidemic mitigation and control, and specifically to explore the conditions of success as countries prepare for exit from lockdowns)
Parker et al.'s The Ethics of Instantaneous Contact Tracing Using Mobile Phone Apps in the Control of the COVID-19 Pandemic (setting out ethical considerations relevant to the use of mobile phone apps to enable rapid contact tracing, including: benefits/harms; intelligent/unintelligent physical distancing; privacy; possible conflicts between liberty and privacy; should an app be compulsory; responsibilities of institutions and professionals; managing emergence from lockdown; should data be deleted at the end of an epidemic; well-founded public trust and confidence; equity, fairness, justice; and consistency and case comparison)
University of Cambridge Security Group's Contact Tracing in the Real World by Ross Anderson (April 12, 2020) (examining real world limitations of contact tracing, including on anonymity, heterogeneous datasets, lag time in diagnoses, secondary purposes for data, trolling, human factors, infrastructure and decentralized systems, and the interaction between privacy and economics)
University of Washington's PACT: Privacy Sensitive Protocols and Mechanisms for Mobile Contact Tracing (May 7, 2020) (suggesting a third-party free approach to assisted mobile contact tracing, in order to mitigate security and privacy risks of requiring a trusted third party, and describing inferential disclosure risks involved in any contact tracing systems)
WU Institute for IS & Society's How Privacy-Friendly Is Your National Corona Infection Tracking? (a spreadsheet tool that can challenge the privacy-friendliness of Corona Apps, on the basis of: degree of centralization vs. decentralization of information processing; degree of identification of data subject; surveillance capitalism/does the app leave data with companies engaged in data commercialization; degree of communication security of notifications and data exchange; transparency and control; and could the app be abused for unexpected secondary purposes, such as push messages or mass surveillance)
Location and Mobility Data for COVID-19
American Association for the Advancement of Science (AAAS)'s Article on How Aggregated Mobility Data could Help Fight COVID-19 (April 10, 2020) (arguing that mobile location data is useful to battling the pandemic, but advocating against the use of individual-level data)
American Civil Liberties Union (ACLU)'s The Limits of Location Tracking in an Epidemic by Jay Stanley & Jennifer Stisa Granick (April 8, 2020) (asking key questions for evaluating the likely effectiveness of different uses of cell phone data, and evaluating the limitations of specific proposed use cases, including inaccurate or imprecise data, unreliable algorithms, fragmented and biased data, poor anonymization and aggregation, public pushback and lack of trust)
@ashk4n's crowdsourced list of suggestions for alternatives to GPS, such as "near field" data
Brookings' Enabling Humanitarian Use of Mobile Data by Yves-Alexandre de Montjoye, Jake Kendall & Cameron F. Kerry (November 2014) (exploring case studies using mobile data to understand and address infectious diseases and recommending nuanced approaches to protecting privacy where data may be used to avoid serious harm to people)
Centre for Internet and Society (CIS)'s Ebola: A Big Data Disaster (2016) by Sumandro Chattapadhyay (March 1, 2016) (discussing the legal, privacy, and human rights challenges of using call detail records (CDR) during the Ebola pandemic)
EFF's Governments Haven't Shown Location Surveillance Would Help Contain COVID-19 by Adam Schwartz & Andrew Crocker (March 23, 2020) (calling for governments to publicly address whether location records sought are sufficiently granular for their stated purposes; whether cellphone location records are representative of the overall population; whether contact tracing is still effective; and whether health-based surveillance will deter people from seeking health care)
EFF's How to Protect Privacy When Aggregating Location Data to Fight COVID-19 by Jacob Hoffman-Andrews & Andrew Crocker (April 6, 2020) (discussing pitfalls and high-level best practices for those who seek to use aggregated location data in the fight against COVID-19)
The Engine Room & AAAS’ Tools for Ethical Decision-Making with Geo-Located Data (including decision tree and case studies) by Laura Guzman (December 18, 2019) (guidelines developed in partnership with humanitarian practitioners, academics, scientists and more, containing important questions and considerations for the entire data lifecycle)
FPF's A Closer Look at Location Data: Privacy and Pandemics by Stacey Gray (March 25, 2020) (a primer on what location data is and where it comes from, and the ethical and privacy considerations for processing it)
Imperial College London/Tech-Computational Privacy Group’s Four Broad Models to Use Mobility Data in Privacy-Conscientious Ways and Can we Fight COVID-19 without Resorting to Mass Surveillance? (describing technical measures for privacy-preserving analysis of mobile phone data)
Jia et al.'s Population Flow Drives Spatio-Temporal Distribution of COVID-19 in China (April 29, 2020) (unedited manuscript) (using mobile phone data to count the number of people egressing or transiting through Wuhan prefecture in January 2020 to document the efficacy of quarantine, predict frequency and distribution of infections across China, develop a risk source model, and develop a benchmark trend and index for assessing COVID-19 community transmission risk over time)
Lawfare's Location Surveillance to Counter COVID-19: Efficacy Is What Matters by Susan Landau (March 25, 2020) (exploring the circumstances in which cell phone location tracking is - and is not - effective for countering COVID-19)
Oliver et al.'s Mobile phone data and COVID-19: Missing an opportunity? (describing how mobile phone data can guide government and public health authorities in the COVID-19 pandemic, specific metrics for data-supported decisions, why use of mobile phone data is not widespread in tackling epidemics, and principles for multidisciplinary teams to leverage this data)
Privacy International's Telecommunications Data and COVID-19 (voicing skepticism and concern about the use of telecommunications data for enforcement rather than direct healthcare, and listing examples of current government use of telecommunications data)
Privacy International's Bluetooth Tracking & COVID-19: A Tech Primer (March 31, 2020) (providing detail on Bluetooth technology's capabilities and limitations)
Wesolowski et al.'s Connecting Mobility to Infectious Diseases: The Promise and Limits of Mobile Phone Data (December 2016) (reviewing opportunities and challenges of mobile phone data, illustrated by analyses of two pathogens in Kenya)
Thermal Scans & Biometric Health Screening
ACLU of Connecticut's Statement Regarding Westport Drone COVID-19 Pilot Program (April 22, 2020) (expressing concern about proposed police drone pilot program to remotely monitor physical distancing and identify health symptoms, including concerns about lack of accuracy and efficacy, as well as surveillance concerns)
Airport Technology's Coronavirus Outbreak: Safety Measures at Major International Airports by Praveen Duddu (March 26, 2020) (describing preventive safety measures by major international airports, including thermal screening)
Bitar et al.'s International Travels and Fever Screening During Epidemics: A Literature Review on the Effectiveness and Potential Use of Non-Contact Infrared Thermometers (February 12, 2009) (summarizing available information circa 2009 on the sensitivity, specificity, and predictive values of non-contact infrared thermometers used with the objective of fever screening in airports or other gathering areas and discussing their potential benefits under the hypothesis of pandemic influenza)
Bloomberg Law's Insight: Illinois Biometric Privacy Law Has Nationwide Potential in Pandemic by Kenneth D. Walsh & Mary Smigielski (April 24, 2020) (identifying implications of Illinois BIPA on remote school and workplace biometrics during COVID-19)
Chan et al.'s Utility of Infrared Thermography for Screening Febrile Subjects (April 2013) (evaluating the utility of remote-sensing infrared thermography as a screening tool for fever, and concluding that forehead infrared thermography readings from a distance should be abandoned for fever screening, especially at border crossings with huge numbers of passengers)
Dutch Data Protection Authority's Measuring Temperature is Prohibited (April 24, 2020) (warning that organizations that conduct temperature scans of employees or visitors with thermometers or thermal cameras are in violation of Dutch law and risk being fined) (in Dutch)
EFF's Thermal Imaging Cameras Are Still Dangerous Dragnet Surveillance Cameras by Matthew Guariglia & Cooper Quintin (April 7, 2020) (voicing concerns about the accuracy and efficacy of thermal imaging cameras and their potential to enable dragnet surveillance, including chilling free expression, movement, and association and opening the door to facial recognition systems)
FDA's Enforcement Policy for Telethermographic Systems During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency (April 2020) (seeking to expand the availability of telethermographic systems during the COVID-19 emergency by not objecting to the distribution of such systems without compliance with certain regulatory requirements where: such devices do not create an undue risk, certain performance and labeling elements are met, and elevated body temperature measurements are confirmed by secondary evaluation methods in the context of use)
Husch Blackwell's U.S. Privacy Law Implications with the Use of No-Contact Temperature Taking Devices by David Stauss, Malia Rogers & Megan Herr (April 27, 2020) (describing three categories of no-contact temperature taking devices currently available, including infrared scanners, facial recognition systems with thermal scanning, and wearables, as well as the US legal implications for each)
McBride et al.'s Investigation of Febrile Passengers Detected by Infrared Thermal Scanning at an International Airport (February 9, 2010) (concluding that public health surveillance of febrile passengers arriving at an international airport should not rely on voluntary passenger participation for the detection of imported contagious diseases)
Nishiura & Kamiya's Fever Screening During the Influenza (H1N1-2009) Pandemic at Narita International Airport, Japan (May 3, 2011) (retrospectively assessing the feasibility of detecting influenza cases based on fever screening as a sole measure, and concluding that reliance on fever alone is unlikely to be feasible as an entry screening measure)
Priest et al.'s Thermal Image Scanning for Influenza Border Screening: Results of an Airport Screening Study (January 5, 2011) (evaluating the effectiveness of infrared thermal image scanners at detecting fever in influenza-infected travelers at airports, and finding that such scans were not much better than chance)
Spain AEPD's Statement Regarding the Taking of Temperature by Shops, Work Centers, and Other Establishments (April 30, 2020) (expressing concerns about temperature scanning in public spaces, recognizing that such activities process sensitive data concerning health and may not be based on consent, and requiring prior determination that these are the least intrusive means by a competent health authority, and discussing the limits of purpose and accuracy of data and rights and guarantees for individuals) (in Spanish)
Stroock's EEOC Updates COVID-19 Guidance to Address Return to Work by Howard S. Lavin & Elizabeth E. DiMichele (May 1, 2020) (summarizing EEOC guidance permitting employers to screen for COVID-19 symptoms and body temperature, and to require employees to undergo COVID-19 testing)
Specific Apps/Tools & Privacy Assessments
Citizen Matters' Review of COVID-19 Related Mobile Apps (India) (preliminary review of Indian governments' COVID-19 apps conducted based on publicly available information of permissions, privacy policies, and features)
COVI White Paper (July 27, 2020) (overviewing the COVI app by introducing its primary goals and comparing it with other contact tracing approaches before discussing privacy details of the app including: the COVI privacy model, inherent limitations of decentralized contact tracing, and potential risks and mitigations)
Defensive Lab Agency's COVID-19 page (actively tracking new Android applications that are published in response to COVID-19 and analyzing them for security and privacy)
fs0c131y's Covid19 Tracker Apps (list of apps by country)
Gio Baroni's Disease Outbreak Control Strategies: Digital Tools (a running list of existing digital solutions for the control of COVID-19 and other disease outbreaks)
MyData's crowdsourced COVID-19 App List (collection of apps to combat COVID-19)
MyData's Project App Assay for COVID-19 (collecting and analyzing COVID-19 apps and sites, including app features, architecture, development, and data flows)
Oxford HCC's list of COVID-19 Apps and Systems (crowdsourced list organizing the major global COVID-19 app and system efforts)
@PiracyByDesign’s crowdsourced List of Government Apps Related to COVID-19 (assessing potential security vulnerabilities in global COVID-19 apps)
Austrian Red Cross' Stopp Corona App, a decentralized contact tracing app for the containment of new COVID-19 infections in Austria
noyb, Epicenter.Works, and SBA Research's Technical and Legal Review of the Stopp Corona App by the Austrian Red Cross
Apple & Google's Privacy-Preserving Contact Tracing, a partnership with draft technical documentation to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security by design
Apple & Google's Contact Tracing: Cryptography Specification (preliminary documentation of the detailed technical specification for cryptographic key scheduling for a new privacy-preserving Bluetooth protocol to support Contact Tracing)
UK ICO's Opinion: Apple and Google Joint Initiative on COVID-19 Contact Tracing Technology (finding phase one of the initiative aligned with the principles of data protection by design and default (and similarly, the proposed DP-3T system))
EFF's Apple and Google's COVID-19 Exposure Notification API: Questions and Answers (describing 'how will it work, will it work, and will it be private and secure', then providing recommendations for app developers and Google and Apple)
Canetti et al.'s Anonymous Collocation Discovery: Harnessing Privacy to Tame the Coronavirus, seeking to present a privacy-preserving cellphone-based scheme that provides individuals with information on contagion risk due to collocation with an infected individual or surface
COVID-19 Mobility Data Network, a global network of infectious disease epidemiologists working with technology companies to use aggregated mobility data to support the COVID-19 response
DP3T: Decentralized Privacy-Preserving Proximity Tracing, a proposal for a secure, decentralized, privacy-preserving proximity tracing system
Data Protection Impact Assessment for DP3T (describing privacy issues identified and mitigation approaches taken)
Privacy and Security Risk Evaluation of Digital Proximity Tracing Systems (listing risks inherent to such systems, risks inherent to systems based on Bluetooth Low Energy handshakes between personal smartphones, and additional risks of proposed design variants of the latter)
Enigma's SafeTrace: Privacy-Preserving Contact Tracing for COVID-19, a platform to facilitate voluntary contact tracing and answering 8 privacy questions
FIfF (Forum of Computer Professionals for Peace and Societal Responsibility)'s Data Protection Impact Assessment for the Corona App (overviewing potential/preliminary privacy protections for PEPP-PT, DP-3T, and CCC concepts, finding that voluntariness of these apps is often illusory; without the capacity to intervene and a narrow purpose limitation, the protection of fundamental rights will be at stake; all proposed tracing systems process personal data concerning health; anonymity must be enforced by legal, technical, and organizational measures) (full DPIA now available in English)
Inria PRIVATICS team & Fraunhofer AISEC's ROBERT: ROBust and privacy-presERving proximity Tracing, proposing a scheme that relies on a federated server infrastructure and temporary anonymous identifiers with strong security and privacy guarantees
Google's COVID-19 Community Mobility Reports, using differentially private analysis of users' opted-in location histories to provide insights into policies aimed at flattening the curve of this pandemic (including anonymization process description)
MIT’s SafePaths kit, a tool for public health officials and then enable peer-to-peer encrypted sharing of infected patient location history
Ontario's Pandemic Threat Response (PANTHR), a platform developed in consultation with Privacy Commissioner of Ontario to provide researchers with access to de-identified, integrated province-wide health data on a secure platform to support health system planning and responsiveness
PEPP-PT: Pan European Privacy Protecting Proximity Tracing, a European team providing standards, technology, and services to enable tracing of infection chains across national borders
France's StopCovid, a contact tracing app based on voluntary use and Bluetooth technology without geolocating individuals
French data protection authority/CNIL's opinion on the StopCovid mobile app project (in English)
Stanford and Waterloo's COVID Watch, an app that uses Bluetooth signals to detect when users are in proximity to each other and alert them anonymously if they were in contact with someone later confirmed to have COVID-19