Data privacy implications of the Coronavirus (COVID-19) pandemic

Data privacy law has always tried to strike a balance between individual rights and overwhelming social needs. With the COVID-19 pandemic now sweeping the world, Governments are taking extreme measures to save lives by encouraging social distancing and tracking infected persons. People in democratic countries are simply not used to some of the measures being taken which, for the general good, are putting everyday freedoms into temporary abeyance.

The coronavirus situation abroad

South Korea has experienced very good results in binging down the rates of infection. It may be relevant that the country has followed a policy of texting individuals to alert them of the proximity of infected cases giving out details of where those people have been with information regarding their age and gender. Legislation to allow the government to do this was put in place during the MERS outbreak in 2015. It is not affected by national data protection rules that are analogous to the GDPR. This would not be the case in the United Kingdom.

Singapore has followed closely with similar measures but the personal data it shares with its citizens has not been so extensive.

In Israel, the government recently passed emergency legislation to track the movements of persons and inform them whether they are in close proximity to COVID-19 sufferer. This may result in orders to self-isolate even if physical proximity was not so close, a possibly undue restriction on personal freedom.

Could there be forced self-isolation in the UK?

Publicising personal data on a wide scale and using smartphones as a means of mass-surveillance are drastic steps raise an open question with respect to the maintenance of data protection principles and human rights. However, in Europe, it is accepted that steps can be taken to mitigate the effects of the worst effects of the pandemic within the existing data privacy legislative framework.

Data protection statements by the EDPB and the ICO

The European Data Protection Board (EDPB) issued guidance on 19 March in the context of the pandemic with a timely reminder that data protection rules are not suspended. The Information Commissioner’s Office (ICO) has also issued fairly comprehensive guidance. The EDPB says that there is no reason why location data cannot be used by any EU government if it truly anonymises the data so that individuals can never be identified or if particular individuals give consent. There is undoubtedly a need to employ generalised location data trend analysis. The ICO does not anticipate any problem as long as the data is truly anonymised and aggregated. This would not put personal data of others in the public domain, so it is very limited as a tool for assisting people to practice social avoidance in contrast to the position in South Korea.

All we have seen so far by way of government or NHS communications to individual members of the public are general public health SMS messages. The ICO has said that these do not require recipient consent to be lawful under the Data Protection Act 2018 and do not constitute direct marketing in any event.

Even without further regulations made under the Public Health (Control of Disease) Act 1984, it is possible that even more stringent measures could be justified on the grounds of public interest in promoting public health, or protection of the “vital interests” of persons who may be able to avoid the risk of death or serious illness if the government enforces the pooling of personal data so that healthy individuals can practice avoidance strategies.

ICO advice of sharing personal data for employers

The ICO accepts that additional collection and sharing of personal data may be necessary to help reduce the spread of COVID-19. Any employer, for example, is entitled to pass health information about particular individuals to bodies such as the NHS if it is legitimately requested to do so.

The ICO states that employers may request information from employees or visitors who have experienced potential COVID-19 symptoms or to disclose if they have recently visited certain countries. The ICO says that it is also possible to inform staff about colleagues who have contracted COVID-19 as long as the individuals are not named and no more information is provided than is strictly necessary.


It would appear that drastic legislation that runs counter to data protection principles is unlikely in the United Kingdom and that the COVID-19 crisis can be managed in accordance with existing data privacy laws.