COVID-19: Practical Considerations Before Disclosing Information
The effects of the COVID-19 outbreak are being felt globally as countries and communities around the world ramp up efforts to contain and limit the spread of the virus. Information gathering and sharing are crucial steps in the efforts to mitigate the spread of the virus, and great efforts are being made to identify and monitor individuals who may be infected with the virus, or who have been in contact with infected persons.
However, such activities inherently involve the collection and potential disclosure of personal information, as well as potentially sensitive information, which may include data relating to a person’s health, age, race, gender, religion, location and travel, employment, affiliations, lifestyle, income, household, and other revealing aspects of individuals’ private lives.
It is important to keep in mind that, even in the face of a public health emergency, data privacy laws still apply. Some laws may permit certain disclosures of personal information for the public interest, but generally any such permitted disclosures are limited.
Also, while awareness and information are essential tools to combat the spread of COVID-19, the dissemination of misinformation as well as the mishandling of personal information can be harmful to individuals and hurt efforts to protect against the virus. Further, those individuals who are most at risk from COVID-19 may also be more vulnerable to any adverse impacts from the spread of misinformation, or the mishandling of their personal information.
A public health emergency is no time to abandon good information practices. Here are some practical considerations to keep in mind at this time:
- Practice Data Minimization: In a day and age where data breaches are the new normal, and costs and damages resulting from a breach often correlate directly with the number of pieces of personal information involved in the breach, storing more personal information than necessary can be costly. Before collecting additional information from employees, guests, customers, patients, or other consumers, consider the business purpose for which you are collecting the data, and if the collection is necessary to achieve that purpose.
- Understand Your Information Security Obligations in the Face of Increased Disclosure Requests: U.S. consumer and sectoral privacy laws, such as the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), and Gramm–Leach–Bliley Act (GLBA), all include some form of a duty to maintain the confidentiality and security of personal information that falls within the scope of the applicable law(s). During a public health emergency, many businesses will receive requests to share information about individuals as part of efforts to identify and monitor infected individuals, as well as any individuals who may have been in contact with infected individuals.
For example, a final rule issued by the Department of Health and Human Services requires airlines to collect and provide to the Centers for Disease Control and Prevention (CDC) categories of personal information about airline passengers from certain flights in relation to stopping the spread of COVID-19.
In some cases, the disclosure of certain personal information could result in a business violating the security requirements of an applicable privacy law, or could even be considered a data breach under certain state laws. Unfortunately, there will undoubtedly be some bad actors who try to capitalize on COVID-19 uncertainty by making illegitimate requests for personal information in an effort to gain access to individuals’ sensitive information.
Businesses should consult their advisors to make sure they are aware of and understand any information security obligations and responsibilities under applicable laws. Requests to disclose personal information for purposes related to COVID-19 should not be scrutinized any less carefully than the business would normally assess information requests, such as to prevent phishing attempts or ensure any disclosures comply with applicable laws. A business that receives a disclosure request related to COVID-19 should take steps to verify the legitimacy of the source and the request before disclosing any personal or sensitive information in response thereto.
- Be Mindful of the Information You Disclose Related to COVID-19: In certain circumstances a business may be compelled by law or order to disclose personal or sensitive information in relation to efforts to stop the spread of COVID-19. In other circumstances, a business may not be restricted at all from sharing certain information, whether about individuals or the outbreak in general, and so may elect to share information in an effort to help.
No matter the circumstance, before disclosing information related to the outbreak, a business should consider the downstream impact of such disclosure and the risks it could present to the business. For example, disclosures that contain personal information about specific individuals could result in the individual being a target of discrimination, fraud, or other harm stemming from the use or misuse of the information disclosed.
Even well-intentioned disclosures that merely contain tips or information about COVID-19, and do not contain any personal information, could present a risk to the business if they contain misinformation. During this outbreak there is at least one such “fact sheet” that has been determined to contain bad or misleading information about the virus but claims a reputable higher education institution as its source; it has gone “viral” on social media and has been picked up and disseminated across platforms and businesses globally.
The spread of misinformation during a public health crisis hurts efforts to stop the spread of the outbreak, and could pose a danger to individuals and communities. Further, the improper disclosure of personal information or misinformation related to COVID-19 could give rise to the risk of liability for the discloser of the information under theories of negligence, invasion of privacy, or defamation, as well as for violations of any applicable privacy laws or data breach laws.
Businesses should consult with their advisors and work with key stakeholders to understand and develop plans related to their risks, responsibilities, and obligations applicable to the collection, processing, and disclosure of information pertaining to COVID-19.
Please visit Schwabe's COVID-19 resource page for frequent updates.