COVID-19 Privacy & Data Protection Resources

US Privacy Resources

State & Local Government

Federal Agency Guidance & Congressional Activities

Other Resources

International Privacy Resources

European Authorities

National Data Protection Authorities

Non-Governmental Resources

    • Baker McKenzie's COVID-19 Data Privacy & Security Survey (April 17, 2020) (surveying employers' data processing abilities related to COVID-19 in 39 countries)

    • Bird & Bird's COVID-19 Data Protection Guidance (Updated January 8, 2021) (a comparative chart using a traffic light system and explanations to answer questions such as whether employers can ask about symptoms, travel history, temperature readings or ask for diagnosis notifications)

    • Canadian Civil Liberties Association et al.'s Letter to Solicitor General (April 23, 2020) (outlining concerns regarding the government's decision to provide a range of first responders, including police services, with the names, addresses, and dates of birth of individuals who have tested positive for COVID-19)

    • Center for Global Constitutionalism's Data Crossing Borders: Data Sharing and Protection in Times of Coronavirus by Christopher Kuner (April 15, 2020) (describing safeguards and approaches to global data sharing under the GDPR, and the future of data transfer regulation and protections)

    • Covington and Burling's Coronavirus/COVID-19 Data Privacy Guidance (overview of guidance documents issued by regulators with corresponding blog posts from Covington and Burling’s Inside Privacy Blog)

    • European Law Blog's The Coronavirus Crisis and EU Adequacy Decisions for Data Transfers by Christopher Docksey and Christopher Kuner (April 3, 2020) (considering the implications of COVID-19 measures taken in non-EU countries on future EU adequacy determinations)

    • Future of Privacy Forum (FPF)’s summary of European DPA guidance by Dr. Gabriela Zanfir-Fortuna (March 10, 2020) (noting DPAs’ advice to organizations against “systematic and generalized” monitoring and collection of data related to health of their employees outside official requests and measures of public health authorities)

    • FPF's European Union's Data-Based Policy Against the Pandemic, Explained by Dr. Gabriela Zanfir-Fortuna (April 30, 2020) (analyzing the collection of guidelines, opinions, recommendations, and resolutions released by EU authorities related to data processing for COVID-19 response)

    • International Association of Privacy Professionals (IAPP)'s COVID-19 Guidance and Resources (a collection of privacy news, resources, guidance and tools covering the COVID-19 global outbreak) and infographic of resources

    • Internet Freedom Foundation's Privacy Prescriptions for Technology Interventions in India by Sidharth Deb (April 11, 2020) (working paper documenting and comparing technology-driven policy efforts to COVID-19, including analysis of the use and publication of health data, specific development of surveillance technologies around location tracking and the deployment of contact tracing through mobile apps, as well as recommendations premised on the Indian Supreme Court's developing jurisprudence on the fundamental right to privacy)

    • noyb/GDPRHub's Data Protection under SARS-CoV-2 (outlining general conditions for data processing in connection with COVID-19 under GDPR and a collection of DPA-specific guidelines)

    • Paolo Balboni's "Public Health AND Privacy" And "Not Public Health OR Privacy": A Collection of Guidance on COVID-19 by Paolo Balboni (March 26, 2020) (an attempt to map all the official resources providing guidance on the correct processing of personal data and cybersecurity-related information on working remotely in the context of the COVID-19 pandemic)

    • PARIS21's New Policy Brief - Combating COVID-19 with Data: What Role for National Statistical Systems? (April 14, 2020) (introducing a framework that describes the adverse effects of the crisis on national statistical systems in developing countries, and suggesting actions to mitigate them by: focusing data production on priority economic, social, and demographic data; communicating proactively with citizens, academia, private sector, and policymakers; and positioning national statistical offices as advisors and knowledge banks for national governments)

    • VUB Brussels’ Data Protection Law and the COVID-19: An Observatory (providing links to global tracking initiatives; general resources for Europe, including cybersecurity developments; international resources and updates; and European national resources)

Global Response & Trackers

Privacy Principles, Civil Liberties, & Ethical Best Practices

Humanitarian Guidance (Non-COVID-19)

    • Harvard Humanitarian Initiative's The Signal Code: A Human Rights Approach to Information During Crisis (2015) (asserting fundamental rights during humanitarian crises, including the right to: information, protection, privacy and security, data agency, and rectification and redress)

    • International Red Cross’s Handbook on Data Protection in Humanitarian Action (seeking to help humanitarian organizations comply with personal data protection standards, by raising awareness and providing specific guidance on the interpretation of data protection principles in the context of humanitarian action, particularly when new technologies are employed)

    • Public Lab's Introducing the Principles of Equitable Disaster Response by Greg Bloom (March 31, 2020) (recognizing that "something is not necessarily better than nothing," and articulating these principles: ask - and listen; distribute power; collaborate strategically: seek appropriate solutions; and use appropriate technology)

    • Sandvik et al.'s Do No Harm: A Taxonomy of the Challenges of Humanitarian Experimentation (2017) (articulating the notion of 'humanitarian experimentation' and outlining a broad taxonomy of harms, including examining distribution of harm, resource scarcity, and legal liability and reputational damage)

    • Sanfilippo et al.’s article on Disaster Privacy/Privacy Disaster (July 26, 2019) (describing information flows during disasters and governance from Privacy Act of 1974, DHS, and FEMA; exploring the actual practices followed by popular disaster apps (pre-COVID-19); and visually mapping disaster information flows during disasters and around third party and government apps)

    • Santa Clara University’s guidance on Ethical Decision-Making (August 1, 2015) (a step-by-step tool for exploring ethical dilemmas and identifying ethical courses of action) (scroll down for numbered questions)

    • World Health Organization (WHO)'s Guidance for Surveillance During an Influenza Pandemic (2017) (describing the data requirements and surveillance strategies that governments can use throughout the course of a pandemic)

    • WHO's Guidelines on Ethical Issues in Public Health Surveillance (2017) (identifying guidelines for ethical public health surveillance, including data quality, transparency and accountability, special care for vulnerable populations, data security, obligation to share data with appropriate safeguards, and purpose limitations)

COVID-19 Privacy, Civil Liberties, & Ethical Guidance

    • 15 U.S. advocacy groups’ letter to Congress on COVID Response and Privacy Protections (calling for Necessity and Proportionality, Time-limits, Transparency, Data Minimization, Security and Confidentiality, Limited Retention, Use restrictions, and Accountability and Due Process)

    • 55 responsible technologists' Open Letter: Contact Tracking and NHSX (calling for NHSX leadership to urgently: institute a culture of working in the open, with clear, regular public communication about projects being undertaken and the publication of machine readable data and models to build trust and minimize speculation; introduce bold emergency governance measures, including privacy and rights impact assessments and the drafting of an expert governance panel, with public and patient participation, to ensure accountability; develop collective mechanisms for social license, to balance the needs of individuals and the benefit to society, ensure that affected communities and groups have a say, and publish clear terms and conditions for any new applications)

    • 106 global groups' Joint Civil Society Statement: States Use of Digital Surveillance Technologies to Fight Pandemic Must Respect Human Rights (calling for any government surveillance measures to be lawful, necessary, and proportionate; time-bound; limited in purpose; appropriately secured; transparent about any data sharing agreements and with clear separation between pandemic response and partners' business interests; incorporate accountability protections and safeguards against abuse; and include meaningful participation of public health experts and marginalized populations)

    • 170 cybersecurity experts' Joint Statement on NHSX Contact Tracing Plans (expressing concerns about plans by NHSX to deploy a contact tracing application and potential government use of social graphs, and urging that the health benefits of digital solutions be analyzed by specialists from all academic disciplines, that only minimum data necessary to achieve the objectives is collected, that a DPIA be published immediately, and for NHSX to commit that no databases will allow de-anonymization of users)

    • 300 global scientists and researchers' Joint Statement on Contact Tracing (voicing concerns that some “solutions” to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large, calling for principles for contact tracing apps to only support public health measures for the containment of COVID-19, that all solutions be fully transparent including protocols and implementations, use of the most privacy-preserving defaults where possible, and requirement that contact tracing systems be voluntary and based on explicit consent)

    • Access Now's Recommendations on Privacy and Data Protection in the Fight Against COVID-19 (examining global case studies and providing specific recommendations for protecting digital rights around the collection and use of health data; tracking and geolocation; and public-private partnerships, apps, websites, and services as a response to COVID-19)

    • Ada Lovelace Institute's Data-Driven Responses to Coronavirus Are Only As Good As the Trust We Place in Them (calling for data partnerships addressing COVID-19 to put the interest of patients and the public first; to provide explanations of how data will be shared, accessed and used, by whom, and accountability; to consider health inequalities and account for disparate impacts)

    • Berkman Klein Center’s note on Applying Core International Human Rights Principles to Coronavirus-Related Privacy Interferences (on the importance of “legality, necessity, and proportionality” principles)

    • Center for Democracy and Technology (CDT)'s Statement Regarding the Use of Data to Fight COVID-19 (calling for data use to be efficacious, data collection to be voluntary, data to be aggregated, consequences of secondary use to be considered, systems to be transparent, data use to be fair, and measures limited in time)

    • Centre for International Governance Innovation (CIGI)'s The Digital Response to the Outbreak of COVID-19 by Sean McDonald (March 30, 2020) (describing core use cases for data and technology for COVID-19 response and key risks and issues they raise)

    • European Digital Rights (EDRi)’s Fundamental Rights-Based Responses to COVID-19 (March 20, 2020) (calling for governments to: Strictly uphold fundamental rights, Protect data for now and the future, Limit the purpose of data for COVID-19 crisis only, Implement exceptional measures only for the duration of the crisis, Keep tools open, Condemn racism and discrimination, Defend freedom of expression and information, & Take a stand against internet shutdowns, and warning Companies should not exploit this crisis for their own benefit)

    • EDRi's COVID-19: A Commission Hitchhiker's Tech Guide to the App Store (providing insight into European Commission’s proposals and how they fit with civil society views on this subject, including decentralized vs. centralized, use of location data, open source code, and encryption)

    • Electronic Frontier Foundation (EFF)’s Protecting Civil Liberties During a Public Health Crisis by Matthew Guariglia & Adam Schwartz (March 10, 2020) (calling for principled data collection and digital monitoring based on: privacy intrusions must be necessary and proportionate; data collection based on science, not bias; expiration; transparency; and due process)

    • Edwards et al.'s The Coronavirus (Safeguards) Bill 2020: Proposed Protections for Digital Interventions and In Relation to Immunity Certificates (model legislation to provide safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK, and anticipating minimum safeguards that will be needed if we move on to a roll out of 'immunity certificates' in the future)

    • FPF's Privacy and Pandemics: A Thoughtful Discussion (takeaways from multistakeholder workshop, including: understand how your own data sets relate to the needs of health experts; continue to follow your guidelines for data protection during the crisis, and recognize that your standards for sharing have not changed; establish clear boundaries; use data protection safeguards, such as anonymization and aggregation; work with a partner that has controls in place; and be transparent)

    • GSMA's COVID-19 Privacy Guidelines (April 2020) (recommendations on how the mobile industry may maintain trust while responding to those governments and public health agencies that have sought assistance in the fight against COVID-19, including: compliance with law and consideration of ethics, transparency, insights and aggregated non-identifiable data, metadata, and assurances from governments or agencies)

    • Human rights advocates' Letter to Australian Federal Health Minister re: Coronavirus Australia app (calling for greater transparency around the app's collection, use, sharing, and protection of personal data)

    • Israel Tech Policy Institute (ITPI)’s Use of Digital Means to Combat the Coronavirus by Limor Shmerling Magazanik (March 16, 2020) (describing Israel’s approach to data to combat COVID-19, and calling for transparency, time limits, purpose limitations, audit and enforcement mechanisms, and robust data security) (top in Hebrew, scroll down for English)

    • The Intercept's Privacy Experts Say Responsible Coronavirus Surveillance Is Possible (recommending that health officials must drive data decisions; coronavirus-related surveillance must be clearly justified against the costs; data collected for COVID-19 purposes should expire; data collected for COVID-19 should be walled off, like the US Census; beware of attempts at reputation laundering; and remember the limitations of surveillance and tech)

    • Lawfare's Security, Privacy and the Coronavirus: Lessons From 9/11 (cautioning policymakers to question whether the data is actually accurate and actionable; be cautious about the capabilities of "data mining"; avoid inaccurate data and false positives; avoid security theater; consider how the actions will look in retrospect; and watch for warrantless wiretaps)

    • Microsoft's Preserving Privacy While Addressing COVID-19 (offering privacy principles, including: obtain meaningful consent by being transparent about the reason for collecting data, what data is collected and how long it is kept; collect data only for public health purposes; collect the minimal amount of data; provide choices to individuals about where their data is stored; provide appropriate safeguards to secure data; do not share data or health status without consent, and minimize the data shared; delete data as soon as it is no longer needed for the emergency)

    • Palantir’s Best Practices for Using Data During a Crisis (encouraging organizations to: focus on decisions to be made, not just insights to be discovered; start with the data you have; invest in management, beware the shiny new object; look beyond the quick wins: have a data strategy; set the rules of engagement from beginning to end; establish safeguards to maximize correct decision-making and human accountability; secure your data before you share it; build a data governance body; and serve the patient and respect their human dignity)

    • pdpEcho's Why Data Protection Law Is Uniquely Equipped to Let Us Fight a Pandemic with Personal Data (exploring the right to data protection vs. right to privacy, and describing key safeguards for digital responses to COVID-19, including: clear dataflows; clear and specific purposes; lawful grounds for processing; data protection by design; clear identification of controls and processors; restrictions on onward transfer; transparency; assess necessity and proportionality; data quality; individual access, correction, and erasure; security; limited retention; and the use of DPIAs)

    • Politico Opinion's The 9/11 Playbook for Protecting Privacy (members of the US Privacy and Civil Liberties Oversight Board (PCLOB) identifying principles for balancing the need to preserve individual rights in times of emergency, including: weigh the benefits of each collection and use of data against the risks; establish clear rules for how data can be used, retained, and shared; decide how long new programs will continue; and transparency is vital)

    • Women Leading in AI's Letter to MPs: Get COVID-19 App Right Now to Avoid Democratic Failure Later (calling on UK leaders to publish the governance framework supporting the deployment of any government app; establish an oversight board which operates in a totally accountable way and reports to MPs and the general public, and frame this as an emergency measure to prevent it from becoming the norm)

    • ZwillGen’s advice to companies regarding government data requests (providing a list of questions and issues that companies should consider when governments request data, including the breadth of the request, the type of data sought, the company’s privacy commitments, the authority under which the request is made, and who is making the request)

Telework & Security Guidance

Telework/Online & Video Communications

Emerging Tech Measures (Location & Apps)

Broad Guidance, Features & Initiatives

Exposure Notification (aka "Contact Tracing") & Mobile Apps and Platforms

      • Apple’s Guidance for App Developers (March 14, 2020) (limiting apps related to COVID-19 to developers from recognized entities such as government organizations, health-focused NGOs, companies deeply credentialed in health issues, and medical or educational institutions)

      • Brookings' Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis by Ashkan Soltani, Ryan Calo & Carl Bergstrom (April 27, 2020) (expressing concerns that contact-tracing apps will serve as vehicles for abuse and disinformation while providing a false sense of security, and urging developers to be candid about the limitations and implications of the technology; to provide explicit best practices on how back-end systems should be secured and how long data should be retained, criteria for what public health entities can qualify to use the technologies, and explicit app store policies for what additional information should be collected; adopt security practices such as auditing, bug bounties, and abusability testing; and make explicit commitments for when these apps and underlying APIs will be sunsetted - also urging policymakers to impose proactive safeguards with respect to the privacy of data, prohibitions on economic and social discrimination, and judicial oversight and sunset provisions to guard against mission creep)

      • Chaos Computer Club (CCC)'s 10 Requirements for the Evaluation of "Contact Tracing" Apps (April 6, 2020) (outlining minimum social and technical requirements for such technologies, including: epidemiological sense and purpose; voluntariness and freedom from discrimination; fundamental privacy; transparency and verifiability; no central entity to trust; data economy; anonymity; no creation of central movement or contact profiles; unlinkability; and unobservability of communication)

      • Coalition's Data Rights for Exposure Notification (describing individual data rights for digital contact tracing, including: defined purpose for collection; informed, express consent that can be withdrawn at any time; anonymity and prohibitions on re-identification and data sharing; aggregate data only for public research purposes; clear retention policies; security; individual data ownership; non-monetization; collaborative development; legal compliance; open protocols)

      • Covington & Burling's COVID-19 Apps & Websites: Guidance by Supervisory Authorities by Dan Cooper, Kristof Van Quathem & Anna Oberschelp de Meneses (April 2, 2020) (scroll down for guidance on mobile apps by Belgian, Italian, German, Slovenian, and Spanish DPAs)

      • European Commission's Guidance on Apps Supporting the Fight Against COVID-19 Pandemic in Relation to Data Protection (April 16, 2020) (setting out features and requirements which apps should meet to ensure compliance with EU privacy and data protection legislation, in particular the GDPR and ePrivacy Directive)

      • Future of Privacy Forum's Chart on the Role of Mobile Apps in Pandemic Response by Pollyanna Sanderson (April 3, 2020) (a comparison chart contrasting the objectives and methods of specific apps and SDKs aimed at COVID-19 response, including apps from the EU, Israel, Poland, UK, US, and Singapore)

      • Harper Reed's Digital Contact Tracing and Alerting vs. Exposure Alerting (April 22, 2020) (distinguishing between digitally-supported manual contact tracing for epidemiological and public health activities and app-based exposure alerting/exposure notification, as well as identifying the specific privacy concerns of the latter)

      • Harvard Safra Center for Ethics' Outpacing the Virus: Digital Response to Containing the Spread of COVID-19 while Mitigating Privacy Risks (April 3, 2020) (describing contact tracing methods, their techniques and trade-offs, the necessary rate of adoption, and critical security and privacy controls and concerns for an information system that can accelerate medical response)

      • Imperial College London/Tech-Computational Privacy Group’s Evaluating COVID-19 Contact Tracing Apps? Here are 8 Privacy Questions We Think You Should Ask (April 2, 2020) (asking key questions of contact tracing apps, including: how is data collection limited; how is anonymity of all users protected; does the app reveal users' identities to authorities; could your app reveal who is infected or at risk to its users; does your app allow users to learn personal information about others; could external parties exploit your system to learn about users; are there additional protections in place for infected and at-risk users; and how transparent and verifiable is the system)

      • Inria's Proximity Tracing Applications: The Misleading Debate about Centralized Versus Decentralized Approaches (April 18, 2020) (encouraging apps to be evaluated based on privacy risk assessments, rather than ill-defined catchwords such as 'centralized' vs 'decentralized')

      • Institute for Research on Public Policy (IRPP)'s Five Ways a COVID-19 Contact-Tracing App Could Make Things Worse by Jason Millar (April 15, 2020) (highlighting risk that apps could reinforce existing social biases; people may over-trust the app to keep them safe; notifications could inadvertently overload the healthcare system; apps could do psychological harm to users; and apps could contribute to desensitizing users to other public health messaging)

      • Joint Statement on Contact Tracing by Scientists and Researchers from 27 Countries (April 19, 2020) (voicing concerns that some “solutions” to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large, calling for principles for contact tracing apps to only support public health measures for the containment of COVID-19, that all solutions be fully transparent including protocols and implementations, use of the most privacy-preserving defaults where possible, and requirement that contact tracing systems be voluntary and based on explicit consent)

      • Korea Centers for Disease Control and Prevention's Contact Transmission of COVID-19 in South Korea: Novel Investigation Techniques for Tracing Contacts (examining novel data sources for objectively verifying patients' claims about contacts with others used during COVID-19 investigations in South Korea, including medical facility records, GPS, card transactions, and CCTV)

      • Lawfare's The Importance of Equity in Contact Tracing by Susan Landau, Christy E. Lopez & Laura Moy (May 1, 2020) (describing the disparate efficacy and privacy implications of contact tracing apps for vulnerable and underserved communities, and recommending all apps must operate only on an opt-in basis; use of such apps cannot be a condition of access to a public benefit or space, or to commercial, work, or educational spaces; data associated with any contact-tracing technology must be completely off-limits for law enforcement use; and any app must be developed through a process designed to identify and address potential demographic disparities early and continuously)

      • Luciano Floridi's Mind the App - Considerations on the Ethical Risks of COVID-19 Apps (June 13, 2020) (describing the 'minefield of ethical problems' from the use of COVID-19 mobile apps, including equity concerns and the creation of 'biological divide' and concerns about opportunity cost if app-based solutions cannot be validated and verified in a timely fashion)

      • MIT Computational Lab's COVID-19 Contact Tracing Privacy Principles (May 20, 2020) (working draft of principles and sample implementation guidance, including applicability to MIT's SafePaths app, calling for technology to follow the principles of Privacy by Design; data to be protected in accordance with Fair Information Practice Principles; Choice/Consent; Access/Participation; Integrity/Security; and Enforcement/Redress)

      • MIT's Apps Gone Rogue: Protecting Personal Privacy in an Epidemic (March 16, 2020) (outlining technological approaches to mobile-phone based contact tracing, identifying privacy and other risks to a variety of stakeholders, describing advanced security-enhancing approaches to mitigate these risks, and discussing trade-offs)

      • Oxford University's Digital Contact Tracing can Slow or Even Stop Coronavirus Transmission and Ease Us Out of Lockdown (April 16, 2020) (including research papers on transmissions, a conceptual simple mobile contact tracing app, and simulated model of use of digital contact tracing to control COVID-19)

      • Parker et al.'s The Ethics of Instantaneous Contact Tracing Using Mobile Phone Apps in the Control of the COVID-19 Pandemic (setting out ethical considerations relevant to the use of mobile phone apps to enable rapid contact tracing, including: benefits/harms; intelligent/unintelligent physical distancing; privacy; possible conflicts between liberty and privacy; should an app be compulsory; responsibilities of institutions and professionals; managing emergence from lockdown; should data be deleted at the end of an epidemic; well-founded public trust and confidence; equity, fairness, justice; and consistency and case comparison)

      • University of Cambridge Security Group's Contact Tracing in the Real World by Ross Anderson (April 12, 2020) (examining real world limitations of contact tracing, including on anonymity, heterogeneous datasets, lag time in diagnoses, secondary purposes for data, trolling, human factors, infrastructure and decentralized systems, and the interaction between privacy and economics)

      • University of Washington's PACT: Privacy Sensitive Protocols and Mechanisms for Mobile Contact Tracing (May 7, 2020) (suggesting a third-party free approach to assisted mobile contact tracing, in order to mitigate security and privacy risks of requiring a trusted third party, and describing inferential disclosure risks involved in any contact tracing systems)

      • WU Institute for IS & Society's How Privacy-Friendly Is Your National Corona Infection Tracking? (a spreadsheet tool that can challenge the privacy-friendliness of Corona Apps, on the basis of: degree of centralization vs. decentralization of information processing; degree of identification of data subject; surveillance capitalism/does the app leave data with companies engaged in data commercialization; degree of communication security of notifications and data exchange; transparency and control; and could the app be abused for unexpected secondary purposes, such as push messages or mass surveillance)

Location and Mobility Data for COVID-19

Thermal Scans & Biometric Health Screening

Specific Apps/Tools & Privacy Assessments