Contract Tracing and Personal Data

The COVID-19 pandemic has been a novel experience for everyone.

From stay-at-home orders, mask-wearing, contact tracing, and now the possibility of vaccine passports, everything seems to be on the table to get life back to some sort of “normal,” whatever that may be.  

Over the past year, the courts have heard various COVID-19-related cases dealing with different privacy aspects.

Recently in New York, the Southern District court denied a petition by a children’s advocacy group for an injunction to halt random COVID-19 testing of students in New York public schools.

The court found that students within the school environment have a lesser expectation of privacy than members of the general population, the test itself is not physically invasive, and the testing program is premised on parental consent.

Parents are given two days’ notice, consent can be withdrawn at any time, and no child is tested against their will.

Furthermore, in Canada, a court found that a retirement home COVID-19 policy is reasonable after a labor union challenged the reasonableness of a unilaterally imposed COVID policy, which requires employees to be tested every two weeks.

The policy is reasonable if one weighs the intrusiveness of the test (not very intrusive as it’s not being used as a surveillance tool) against the problem to be addressed, and the outcome of the test is of high value to both the employee and employer.

Also, across the pond, we saw cases assessing the legality of contact tracing and employee monitoring to ensure social distancing measures were being followed. 

Invasion of Individual Right to Privacy

These differing cases all have one thing in common, individuals’ right to privacy is being invaded in pursuit of a greater good.

With the concept of “vaccine passports” becoming more probable, it will be interesting to see how much personal data individuals will be willing to disclose to just live their day-to-day lives.

The idea of vaccine passports is not new.

For example, as individuals traveling to Western Africa were previously required to show proof of vaccines for things like yellow fever, and children in most education settings are required to show proof every year that they are up-to-date with their immunizations.

    • Other than health ministries, who will have access to this information?
    • Airlines, who may not allow unvaccinated individuals to board their planes?
    • Governments, who may not allow unvaccinated individuals to cross their borders?
    • Or the entertainment industry, who may not allow spectators to enjoy their favorite bands or sports?

The UK is set to start a trial of COVID passports, which shows if a person has been vaccinated, had a negative test, or is immune, and will likely be at the forefront of these issues.

Do these public and private sectors know they will be handling copious amounts of what would be considered special categories of personal data under the GDPR? Not just from nationals, but from individuals from around the world?

It remains to be seen whether these privacy invasions are considered legitimate intrusions in light of the benefit to be reaped.

But in their opinion on the EU’s Digital Green Certificate, the European Data Protection Board seems willing to concede the privacy matter as long as the passports are underpinned by principles such as data necessity, effectiveness and proportionality, and supported by a legislative scheme that is clear in scope and contains appropriate safeguards.

What remains for courts to examine will be matters of discrimination.

How should the public and private sectors can treat those individuals who cannot get vaccinated for health reasons, or choose not to for religious reasons?

    • Will individuals not be granted the same access to services or freedom of movement as those that have been vaccinated (such as attending events or traveling abroad)?
    • Will employers be allowed to mandate the disclosure of vaccine information?
    • Will non-vaccinated employees be permitted to work from home, thereby disclosing who has received the vaccine against those employees who have returned to work?

There are many unanswered questions floating around, and we are just at the precipice of the discussion.

Using Nymity Research for COVID-19 updates

Nymity Research powered by TrustArc reduces the time and effort of understanding what regulatory and privacy industry changes, including COVID-19, have happened recently.

Updated daily, Nymity Research eliminates the need for time-consuming internet searches by providing leaders the analysis they need to make informed privacy decisions.