28 May SECOND UPDATE: guidance on the processing of personal data and cybersecurity in the context of the COVID-19 pandemic
In the evolving COVID-19 scenario in which business continuity also depends on adequate data protection and cybersecurity practices on the part of organizations, knowledge mapping of privacy & data protection guidance and cybersecurity best practices has taken on an even more important role. It’s for that very reason that, without the presumption of completeness, ICTLC is continuing to map official resources, from institutions to data protection authorities from across the world, which provide guidance on the correct processing of personal data in the context of COVID-19 and Cybersecurity-related information on working remotely in the context of the pandemic.
You can find an updated version of the list on Paolo Balboni’s personal blog.
Cybersecurity: Information on working remotely in the context of the COVID-19 pandemic
Australian Signals Directorate – Australian Cybersecurity Centre, Cyber security is essential when preparing for COVID-19
Cameron – Cameroon Ministry of Finance, COVID-19 Threats to Organization Information Systems
Danish Center for Cybersecurity – Use of communication and collaboration platforms; Advice for IT security officers concerning remote access; Cybersecurity under COVID-19; Cyber-safe return to the workplace; The Center for Cyber Security and the Social Critical Sector discusses cyber security under COVID-19; Guidance For employees: Points you should pay attention to when returning to the workplace.
European Commission, ENISA, CERT-EU and Europol – COVID-19 Joint Statement
EU Agency for Cybersecurity (ENISA) – Tips for cybersecurity when working from home; Tips for selecting and using online communication tools; Infographic on Cyber secure eCommerce
Europol –Safe Teleworking Tips and Advice; How criminals profit from the COVID-19 pandemic; Make your home a Cyber Safe Stronghold; Beyond the Pandemic: What will the criminal landscape look like after COVID-19?
France – Cybermalveillance.gouv.fr platform, IT security recommendations for teleworking in crisis situations; Commission Nationale de l’Informatique et des Libertés Employees in telework: what are the best practices to follow?; and CNIL’s advice on setting up telework; Publication of the human resources management standard; COVID-19: CNIL’s advice on using videoconferencing tools
Hong Kong – Hong Kong Computer Emergency Response Team Coordination Centre, HKCERT proposes 10 measures to secure Zoom Meetings; Six Security Tips for Home Office; Assessing the Security of Remote Access Services Guideline
Irish Data Protection Commission – Protecting Personal Data When Working Remotely and Staying safe online during a pandemic; Data Protection Tips for Video-conferencing
Italy – Watch out for ransomware: the program that takes your device hostage
Netherlands – Dutch Data Protection Authority, Decision aid for privacy in video calling apps; Working from home safely during the corona crisis
Office of the Australian Information Commissioner – Coronavirus (COVID-19): Understanding your privacy obligations to your staff
Portugal – Guidelines on monitoring of remote work
Spain – Recommendations to protect personal data in teleworking situations
Sri Lanka – Sri Lanka Cybersecurity Emergency Response Team, Work From Home Security Considerations
Switzerland – Home Office: Securing Remote Access; Measures for the safe use of audio and video conferencing systems
UK Information Commissioner’s Office – Data security – a guide to the basics; Video conferencing: what to watch out for; How do I work from home securely?; Stay one step ahead of the scammers- 31 March 2020
UK National Cyber Security Centre (NCSC) –NCSC issues guidance as home working increases in response to COVID-19; Advisory: COVID-19 exploited by malicious cyber actors; Cyber experts step in as criminals seek to exploit Coronavirus fears
United States Cybersecurity and Infrastructure Security Agency – Defending Against COVID-19 Cyber Scams; Risk Management for Novel Coronavirus (COVID-19); Enterprise VPN Security Alert
United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre (NCSC) – COVID-19 Exploited by Malicious Cyber Actors
United States Federal Trade Commission – Seven Coronavirus scams targeting your business; Video conferencing: 10 privacy tips for your business
Uzbekistan Cybersecurity Center – Infosec Recommendations for Remote Working in the Context of COVID-19
Zurich Data Protection Authority – Rules for data protection in the home office
Privacy and Data Protection: Processing of personal data in the context of COVID-19
Statements from the European Commission, Council of Europe, EDPS, EDPB, UN, and OECD
Council of Europe – Joint Statement on the right to data protection in the context of the COVID-19 pandemic; COVID-19 tracing apps: side effects on personal data protection should be avoided; Joint Statement on Digital Contact Tracing by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe
European Commission – Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps; Coronavirus: An EU approach for efficient contact tracing apps to support gradual lifting of confinement measures; Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps; Recommendation on apps for contact tracing
European Data Protection Board – Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak; Statement on the processing of personal data in the context of the COVID-19 outbreak Adopted on 19 March 2020; Twentieth plenary session of the European Data Protection Board – scope of upcoming guidance on data processing in the fight against COVID-19; EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic; Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak; Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak; Twenty-fourth Plenary session: EDPB doubles down on COVID-19 guidance in newly adopted letters; EDPB response to Mrs Ďuriš Nicholsonová and Mr Jurzyca’s letter on common guidance in the fight against the COVID-19 pandemics – 24/04/2020; EDPB response to the US Mission to the EU – 24/04/2020; EDPB Response to the MEP Sophie in’t Veld’s letter on the use of apps in fight against coronavirus – 24/04/2020
European Data Protection Supervisor – Monitoring the speed of COVID-19, EDPS Comments to DG CONNECT of the European Commission on monitoring of COVID-19 spread; EU Digital Solidarity: a call for a pan-European approach against pandemic’ – Wojciech Wiewiórowski; Introductory remarks before the committee for European Affairs of the senate of the Republic of France – Wojciech Wiewiórowski; Carrying the torch in times of darkness – Wojciech Wiewiórowski; TechDispatch #1/2020: Contact Tracing with Mobile Applications
European Parliament – Resolution of 17 April 2020 on EU coordinated action to combat the COVID-19 pandemic and its consequences (2020/2616(RSP))
Europol – How criminals profit from the COVID-19 Pandemic
OECD – Tracking and tracing COVID: Protecting privacy and data while using apps and biometrics
United Nations Special Rapporteurs – COVID-19: States should not abuse emergency measures to suppress human rights
National Statements and Guidance
Abu Dhabi Global Market – Coronavirus (COVID-19) – Implications for Data Protection Frequently Asked Questions; ADGM launches support measures for registered businesses to counter the impact of COVID-19
Albania – IDP Guidelines on the protection of personal data in the context of the measures taken against COVID-19; Guidelines for the Processing of Personal Data in Specific Sectors Within the Measures Against COVID-19
Andorra – Data Protection Authority of Andorra, Recomanacions sobre tractaments de dades personals en el context actual de pandèmia; Sobre Tractament de fades en la crisi del Covid-19
Argentina – Agencia de Acceso a la Información Pública Tratamiento de datos personales ante el Coronavirus; Argentina Ministry of Health information on reporting framework
Australia – Office of the Australian Information Commissioner (OAIC), Coronavirus (COVID-19): Understanding your privacy obligations to your staff – Agencies; Coronavirus (COVID-19): Understanding your privacy obligations to your staff; Australian Cybersecurity Centre, Cyber security is essential when preparing for COVID-19; Western Australia Emergency Management Amendment (COVID-19 Response) Bill 2020
Austria – Austrian Data Protection Authority, Information on Coronavirus (Covid-19); Coronavirus FAQ; Data security and home office
Belgium – Data Protection Authority of Belgium, COVID-19 and processing of personal data at work; COVID-19 and the use of health apps; Belgian Data Protection Authority, Opinion 34-2020 on a Preliminary Draft Royal Decree to Take Measures to Control the Spread of COVID-19 Using Digital Contact Screening Applications; COVID-19 and processing of personal data in the workplace
Bonaire, Sint Eustatius and Saba – Coronavirus COVID-19
Bosnia and Herzegovina – Data Protection Authority of Bosnia and Herzegovina, Press release regarding the processing of personal data in the context of activities triggered by the Coronavirus pandemic
Brazil – Brazilian Public Ministry of the Federal District and Territories, Follow Up Combating Actions and Prevention of COVID-19; Federal Public Ministry of Brazil, Joint Technical Note on Postponing LGPD Entry into Force Deadline due to the COVID-19 Epidemic; President of Brazil, Provisional Measure No. 959 of 29 April 2020 postponing Law No. 13.709, of 14 August 2018, which establishes the General Law on Personal Data Protection – LGPD
Bulgaria – Commission for Personal Data Protection, CPDP introduces anti-epidemic measures against the spread of COVID-19
Burkina Faso – National Commission for Informatics and Liberties, Message on Coronavirus Pandemic (COVID-19)
Canada – Office of the Privacy Commissioner of Canada, Announcement: Commissioner issues guidance on privacy and the COVID-19 outbreak; Guidance: Privacy and the COVID-19 outbreak, Office of the Information and Privacy Commissioner of Alberta Privacy in a Pandemic. Province of British Columbia, Ministerial Order No. M085 of the Minister of Citizens Services. Information and Privacy Commissioner of Saskatchewan, Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on COVID-19. Information and Privacy Commissioner of Ontario, Impact of COVID-19. Commission d’accès à l’information du Québec, COVID-19: Protection of personal information and information security. Yukon Information and Privacy Commissioner, Actions being taken by Yukon Ombudsman, Information and Privacy Commissioner and Public Interest Disclosure Commissioner in response to COVID-19. Office of the Information and Privacy Commissioner of the Northwest Territories, Privacy in a Pandemic. Office of the Information and Privacy Commissioner of Newfoundland and Labrador, Don’t Blame Privacy – What To Do and How To Communicate in an Emergency. Manatoba Ombudsman Advisory for trustees about responding to individuals’ access requests under PHIA during the COVID-19 pandemic. Office of the Privacy Commissioner of Canada, A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. Saskatchewan Office of the Information and Privacy Commissioner guidance for public bodies when transporting personal information and personal health information outside of the office
Cayman Islands – Cayman Islands Ombudsman, Ombudsman urges public to keep COVID-19 patient details private
Colombia – Superintendency of Industry and Commerce on the prohibition to collect biometric information (sensitive data) with a view to preventing the spread of COVID-19 through indirect contact; Personal Data and Coronavirus COVID 19: Collection and use of data in cases of medical or health emergency
Czech Republic – For the processing of personal data in the framework of measures against the spread of coronavirus; Office for Personal Data Protection comment on the extraordinary measure of the Ministry of Health in connection with the smart quarantine project; Measurement of temperature at the workplace during a coronavirus pandemic
Denmark – Datatilsynet, How about GDPR and coronavirus? and
Corona virus and digital infection detection
Finland – Office of the Data Protection Ombudsman, Data protection and limiting the spread of coronavirus; Frequently asked questions about the coronavirus and privacy
France – Commission Nationale de l’Informatique et des Libertés, Coronavirus (Covid-19): les rappels de la CNIL sur la collecte de données personnelles; Recherches sur le COVID-19 : la CNIL se mobilise; Crise sanitaire: audition de Marie-Laure DENIS, Présidente de la CNIL, devant la commission des lois; Les relations avec la CNIL pendant l’état d’urgence sanitaire; Publication of the CNIL opinion on the “StopCovid” mobile application project; COVID-19: data processing associated with mask distribution operations; Organization and operation of the health system in the context of COVID-19: publication of the CNIL opinion on a decree; CNIL’s opinion on the draft decree framing the information systems implemented for monitoring patients with COVID-19; Coronavirus (COVID-19): les rappels de la CNIL sur la collecte de données personnelles par les employeurs; French Ministry of Labor, National Protocol for Exiting Confinement in the Context of COVID-19
Gibraltar – Gibraltar Regulatory Authority Data protection and Coronavirus: What you need to know; COVID-19 Temperature Checks
Georgia – Statement Of The State Inspector’s Service, Covid-19
Germany – Office of the Federal Commissioner for Data Protection and Freedom of Information, DSK provides information on data protection and Coronavirus and German Data Protection Supervisory Authorities joint information paper on data protection and the Coronavirus pandemic; Hamburg DPA Datenschutz in Zeiten von Covid-19; German Conference of Independent DPAs of Federal and State Governments, Data protection principles in the management of the Corona pandemic
Hong Kong – Privacy Commissioner for Personal Data, The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 and Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing; Fight COVID-19 Pandemic Guidelines for Employers and Employees; PCPD Provides Guidelines on Children’s Privacy during the Pandemic
Hungary – Hungarian National Authority for Data Protection and Freedom of Information, Information on processing data related to the Coronavirus epidemic; Decree 179/2020 – Derogations From Certain Data Protection Provisions During an Emergency
Iceland –Data Protection Authority, COVID-19 and privacy; Instructions on distance education in schools; Use of technical solutions and social media to communicate with nursing home relatives
Ireland – Irish Data Protection Commission, Data Protection and COVID-19;Covid 19 and Subject Access Requests
Indonesia – Indonesian Ministry of Communication and Information Technology, COVID-19 Tracing through app
Israel – Privacy Protection Authority, Privacy protection following the spread of the Corona virus: questions and answers for conduct; Q&A in the Corona Period
Italy – Garante per la protezione dei dati personali, Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA, Italian state – Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency and Italian state – March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces; Italian DPA Measure of 26 March 2020 – “Distance learning: first indications”. Informal hearing by videoconference of the Italian DPA on the use of new technologies and internet to combat the Coronavirus epidemiological emergency; EU Commission on apps for tracking, Statement by Antonello Soro, President of the Italian DPA; Italian state – 24 April 2020, Update to the Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces; Prime Ministerial Decree of 26 April 2020 (regulating Phase 2); Parere sulla proposta normativa per la previsione di una applicazione volta al tracciamento dei contagi da COVID-19 – 29 aprile 2020; FAQ – Data processing in the context of the health emergency; Italian DPA on Covid-19, on-the-job serological tests. Employers may not directly perform diagnostic tests on employees; Raccolta delle principali disposizioni adottate in relazione allo stato di emergenza epidemiologica da Covid-19 aventi implicazioni in materia di protezione dei dati personali
Isle of Man – Information Commissioner, Coronavirus, Data Protection, and Freedom of Information; Complying with Subject Access Requests & other rights in the context of COVID-19
Jersey – Office of the Information Commissioner, Data Protection and Coronavirus
Liechtenstein – Datenschutzstelle Furstentum Liechtenstein, Data protection during the Corona crisis
Lithuania – State Data Protection Inspectorate, Personal Data Protection and Coronavirus COVID-19
Mexico – Government of Mexico, Guide for workplaces in light of COVID-29. National Institute for Transparency, Access to Information and Personal Data Protection, Ante casos de COVID-19, INAI emite recomendaciones para tratamiento de datos personales, Suspende INAI eventos públicos, por recomendación de la SSA para evitar contagio de COVID-19, and Adoptará INAI como medida de prevención el trabajo a distancia ante COVID-19
Morocco – Moroccan Data Protection Authority, Délibération n°D-97-2020 du 26/03/2020 relative à la prolongation d’un moratoire sur la reconnaissance faciale; CNDP press release on COVID mobile application; CNDP at the disposal of the government to reinforce, in terms of privacy, its proactive policies
Netherlands – De Autoriteit Persoonsgegevens, AP gives organizations more time due to corona crisis; Access to medical files is only permitted with the patient’s consent; Using telecom data against corona is only possible with emergency law; AP: Corona apps only if privacy is guaranteed; Dutch Ministry of Health, Welfare and Sport, the National Attorney for Health, Welfare and Sport-Commissioned Summary privacy analysis contact research apps; Dutch Data Protection Authority, Corona in the workplace; Questions from employers & employees about temperatures during corona
New Zealand – Office of the Privacy Commissioner, Covid-19 and privacy FAQs, Privacy and Covid-19: Hospitality establishment guest registers; Privacy Commissioner briefed on Police contact and trace system for returning travellers; Access in the time of Covid-19; Amendment to Telecommunications Information Privacy Code 2003 – Amendment No 7
North Macedonia – Personal Data Protection Agency of the Republic of Northern Macedonia, Data Protection and Coronavirus
Norway – Datatilsynet, Corona and privacy; New tracking app to prevent coronavirus infections; Norwegian Institute of Public Health has launched the app to stop infection; State Inspector’s Service, Recommendations on personal data protection in the course of fight against Covid-19 (Coronavirus)
Phillipines –National Privacy Commission, NPC PHE BULLETIN No. 3: Collect what is necessary. Disclose only to the proper authority
Poland – Personal Data Protection Office of Poland, Statement by the President of the Personal Data Protection Office on coronavirus; Checking the temperature to prevent the spread of COVID-19
Portugal – Use of technologies to support distance learning; Use of video surveillance and alarm systems by private security entities; Guidelines on disclosure of information relating to Covid-19 infections; Guidelines on the collection of workers’ health data; Guidelines on Collecting Student Health Data
Romania – National Supervisory Authority for Personal Data Processing, Processing of health status data
San Marino – Autorità Garante per la protezione dei dati personali, Public announcement on COVID-19 emergency
Senegal – COVID-19: CDP press release on digital tracing
Singapore – Personal Data Protection Commission, Advisory on Collection of Personal Data for COVID-19 Contact Tracing
Slovakia – Office for Personal Data Protection of the Slovak Republic, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Coronavirus and processing of personal data
Slovenia – DPA of Slovenia, Tracking individuals who have COVID-19 via mobile phone applications
South Africa – Information Regulator, Guidance Note on the processing of personal information of data subjects in the management and containment of COVID 19; COVID 19: The importance of the right of access to information and the right to privacy in the management and containment of the virus
Spain – Agencia Española de Protección de Datos, Report from the State Legal Service Department on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from Covid-19, Covid-19 FAQs, La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19, Campañas de phishing sobre el COVID-19;Comunicado de la AEPD sobre apps y webs de autoevaluación del Coronavirus; Catalan DPA Nota en relació amb els tractaments de dades personals relacionats amb les mesures per fer front al COVID-19; AEPD, The Use of Tehnologies in the fight against COVID-19: A Costs and Benefits Analysis; Comunicado de la AEPD en relación con la toma de temperatura por parte de comercios, centros de trabajo y otros establecimientos; AEPD, About the Coronavirus
Sweden – Datainspektionen, Corona virus and personal data
Switzerland – Federal Data Protection and Information Commissioner, Data protection legal framework for the containment of the coronavirus
Thailand – 18 April 2020 Emergency Decree on Electronic Media Conference B.E. 2563
Turkey – Turkish Data Protection Authority KVKK, Public Announcement on COVID-19; Public announcement on What you should know about the processing of location data and tracking in the fight against COVID-19; Public Announcement on Distance Learning Platforms
Ukraine – Ministry for Digital Transformation, We launched a digital coronavirus tool; Ukraine Commissioner for Human Rights on messaging services and the diffusion of personal data of COVID-19 infected persons
United Kingdom – Information Commissioner’s Office (ICO), Data protection and coronavirus: statement for health and care practitioners; COVID-19: general data protection advice for data controllers; The power of data in a pandemic; Blog: Combatting COVID-19 through data: some considerations for privacy; How we will regulate during coronavirus; The ICO’s regulatory approach during the coronavirus public health emergency; Workplace testing – guidance for employers
United States of America – Federal Communications Commission, Declaratory Ruling on COVID; Department of Health and Human Services, HIPAA Privacy and Novel Coronavirus; Department of Health and Human Services, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities; California AG, Attorney General Becerra Reminds Consumers of their Data Privacy Rights During the COVID-19 Public Health Emergency; Financial Crimes Enforcement Network, Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic; What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws; CMS Interoperability and Patient Access final rule; HHS Applicability of Administrative Procedure Act, Enforcement discretion; US Occupational Safety and Health Administration Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19); Revised Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19); Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19); Interim U.S. Guidance for Risk Assessment and Work Restrictions for Healthcare Personnel with Potential Exposure to COVID-19
Uruguay – Recommendations for the processing of personal data in the event of a national health emergency
