FPF Offers New Resources on Privacy and Pandemics

Today, the Future of Privacy Forum (FPF) released a collection of  new publications and resources  to help governments, educators, researchers, companies, and other organizations navigate essential privacy questions regarding the response to the coronavirus pandemic. Global leaders responding to the coronavirus pandemic are increasingly relying on data from individuals and communities to analyze the virus’ progression, deploy resources, and make policy decisions.

“We want to help organizations make data available for leaders, researchers, and the public without opening the door to lasting or limitless surveillance,” said Jules  Polonetsky, CEO of the Future of Privacy Forum. “The information we have compiled will help decision makers think clearly about – and document – what personal information they will collect or disclose, to whom, and under what conditions.”  

The  resources are accessible on the FPF website at fpf.org/privacy-and-pandemics. They include: 



Nat Wood

[email protected]

(410) 507-7898

Privacy and Pandemics: A Thoughtful Discussion

As the COVID-19 virus spreads, governments, researchers, and healthcare institutions are seeking to obtain and deploy consumer data to track the spread of the virus, deliver emergency supplies, target travel restrictions and quarantines, and develop vaccines and cures. But can data collected from phones, credit cards, and other sources be used in this emergency without opening the door to lasting or limitless surveillance?

Yesterday, FPF convened a Virtual Workshop with a dozen ethicists, academics, government officials, and corporate leaders, and over 100 corporate attendees, to discuss responsible data sharing in times of crisis. It’s the first in a series of events about privacy and pandemics that FPF will use to develop best practices and policy recommendations for decision makers.

Participants discussed how recent “data for good” initiatives have informed data sharing during the crisis, concerns about data sharing in a time of low trust, lessons learned from past pandemics, how to effectively protect privacy and civil liberties, and what the COVID-19 pandemic means for the future of data sharing between companies, academics, and governments. 

A more detailed workshop report is forthcoming, but in the interest of urgency we share the most important advice that arose in the Workshop for companies with data that could be of value to public health:

The Workshop’s participants agreed that it would be better if more companies, non-profits, governments, and academics had been working collaboratively on the technical infrastructure, governance structures, and legal frameworks for data sharing in an emergency before the COVID-19 pandemic hit. 

Some participants recommended ways to strengthen the “data for good” ecosystem over time, including standing up new trust structures. One participant recommended strengthening the “data enablers” in the system, such as institutional or ethical review boards, which can serve as checks on ill-advised data sharing and also facilitate connecting data sources – often, companies that have data with socially beneficial uses – with data users, like researchers and policymakers. 

Participants also agreed that data protection and humanitarian action are completely compatible. While the trade-offs for decisions about sharing data have changed, there still should be a thoughtful and legally justified process for considering what data to share, with whom, for what purposes, and how it should be protected.

Many more insights and details were gathered and will inform FPF’s ongoing work with stakeholders to identify best practices and policy recommendations for decision makers.

A Closer Look at Location Data: Privacy and Pandemics

In this series, Privacy and Pandemics, the Future of Privacy Forum explores the challenges posed by the COVID-19 crisis to existing ethical, privacy, and data protection frameworks, and will seek to provide information and guidance to companies and researchers interested in responsible data sharing to support public health response. Future posts will examine pandemic-tracking mobile apps, regulatory guidance across the world, and more.

Part 1: A Closer Look at Location Data

Principal author: Stacey Gray (Senior Counsel) ([email protected]). Contributors: Chelsey Colbert (Policy Counsel, Mobility and Location); Polly Sanderson (Policy Counsel, Legislative Analysis); Katelyn Ringrose (Policy Fellow); Dr. Sara Jordan (Policy Counsel, Artificial Intelligence and Ethics). Email us at [email protected].

In light of COVID-19, there is heightened global interest in harnessing location data held by major tech companies to track individuals affected by the virus, better understand the effectiveness of social distancing, or send alerts to individuals who might be affected based on their previous proximity to known cases. Governments around the world are considering whether and how to use mobile location data to help contain the virus: Israel’s government passed emergency regulations to address the crisis using cell phone location data; the European Commission requested that mobile carriers provide anonymized and aggregate mobile location data; and South Korea has created a publicly available map of location data from individuals who have tested positive. 

Public health agencies and epidemiologists have long been interested in analyzing device location data to track diseases. In general, the movement of devices effectively mirrors movement of people (with some exceptions discussed below). However, its use comes with a range of ethical and privacy concerns. 

In order to help policymakers address these concerns, we provide below a brief explainer guide of the basics: (1) what is location data, (2) who holds it, and (3) how is it collected? Finally we discuss some preliminary ethical and privacy considerations for processing location data. Researchers and agencies should consider: how and in what context location data was collected; the fact and reasoning behind location data being classified as legally “sensitive” in most jurisdictions; challenges to effective “anonymization”; representativeness of the location dataset (taking into account potential bias and lack of inclusion of low-income and elderly subpopulations who do not own phones); and the unique importance of purpose limitation, or not re-using location data for other civil or law enforcement purposes after the pandemic is over.

What is precise location data? 

Precise location data, or “mobility data,” involves information about how devices and people move through spaces over time. Most of this information comes from the devices we carry with us, with smartphones acting as proxies for people (according to Pew, smartphone ownership in 2019 was near-universal at 81% of Americans). 

Why is this the case? Even the most basic connectivity, or the ability to send and receive wireless content on devices, has to involve information about where those devices are located. For example, providers of wireless services know where devices are located because they provide the service through local cell towers and networks. At a more general level, an IP address (an identifier that is freely and openly shared by devices to send and receive Internet traffic) is often sufficient to know a person’s city and state. 

However, most researchers analyzing COVID-19 are interested in highly “precise” information about where devices (and therefore people) are located over time. The fact that an individual is located in “Washington, DC” is not sufficient for tracking an infectious disease, but information such as “works in the same building” or “attended the same restaurant at the same time as a diagnosed person” (precise location) can be very useful. Typically, we think of location data as having privacy implications when it is precise enough to single out an individual with reasonable specificity. This is often GPS-level specificity, and would usually not include information like an IP address. Measuring precise location depends in part on context, such as population density (for example, in a rural or remote area, a lower level of specificity might be more able to identify a person than if that same person were standing in Times Square). Recent legislative proposals have attempted to create strict cut-offs (such as an 1,640 foot radius under the U.S. House and Commerce Discussion Draft, or an 1,850 foot radius under the California Privacy Rights Act ballot initiative of 2020). 

Sometimes mobility or location data is tied to known individuals (such as a name associated with a cell phone subscription), and at other times it is tied to a unique identifier associated with a device. In these cases, individualized data is often referred to as “anonymized.” In other cases, if a dataset has been modified to show movements of groups of people (and not individuals), it is often referred to as “aggregated.”


Who has access to location data? 

Location data is held by a variety of commercial entities that provide different services, including as part of the core functionality of a device (mobile phone carriers and operating systems), as part of a consumer-facing feature (mobile apps), or as part of tracking in physical spaces that relies on device connectivity (Internet of Things):

Left – iOS (Apple), middle and right – Android (Google)


How is location data collected?

When most people think of location data, they think of GPS (Global Positioning System). In fact, GPS is only one of many ways to infer where devices are located, most used in some combination by carriers, OS’s, apps, and others. Commonly used methods include: GPS; Cell Towers; Wi-Fi Networks; and Beacons (among others). Each provides a different level of precision and can be used for different purposes:

Ethical and Privacy Considerations for Location Data

Lawmakers are beginning to navigate whether and how to make use of the many sources of commercial location data. As they do so, we recommend that they consider: how and in what context location data was collected (described above), as well as: the fact and reasoning behind location data being classified as legally “sensitive” in most jurisdictions; challenges to effective “anonymization”; representativeness of the location dataset (taking into account potential bias and lack of inclusion of low-income and elderly subpopulations who do not own phones); and the unique importance of purpose limitation, or not re-using location data for other civil or law enforcement purposes after the pandemic is over.


As COVID-19 continues to spread, we are facing global challenges to existing norms and best practices for data collection and use. In some cases, location and mobility data might provide one path to better understanding and combatting the pandemic. Governments and researchers seeking to address concerns and risks should ask: how and in what context the location data was collected; whether it is necessary and appropriate to achieving their goals (including whether the data is truly representative of the overall population and takes into account vulnerable populations such as the elderly); whether those goals can be achieved through less invasive means; and how that data will be used, safely stored, retained, or re-purposed following the conclusion of the pandemic.

Image Attribution: “My New York heat map” by matteoc is licensed under CC BY-NC-SA 2.0.

Additional Resources:


FPF and AASA Release Student Privacy Guidance to Help Schools Manage COVID-19 Response

Today, the Future of Privacy Forum (FPF) and AASA, The School Superintendents Association, released a new white paper that offers guidance to help K-12 and higher education administrators and educators protect student privacy during the COVID-19 pandemic.

“There’s no question that schools and institutions are struggling to manage this unprecedented situation and need as much support and information as possible to do their jobs,” said Amelia Vance, FPF’s Director of Youth and Education Privacy. “The Future of Privacy Forum is tracking the situation closely in an effort to anticipate and help address the challenges that schools may encounter as they work to navigate the COVID-19 pandemic, and we expect to release additional resources in the days ahead.”

“As our nation’s public school superintendents navigate through the extraordinary set of circumstance they face in light of COVID-19, AASA remains committed to gathering, creating, and disseminating as many resources as possible to answer, to the best of our ability, the myriad questions they raise,” said Noelle Ellerson Ng, AASA’s Associate Executive Director for Advocacy & Governance. “Through our work with FPF, we are happy to provide this collection of frequently asked questions in the context of student data and privacy and FERPA. Protecting student data and privacy is just one of the many factors they need to consider, and we are pleased to have the opportunity to share this resource today.”

The white paper offers insight into how the health or safety emergency exception under the Family Educational Rights and Privacy Act (FERPA) allows schools to share students’ personally identifiable information (PII) with the community and relevant officials during the COVID-19 pandemic.

According to FPF and AASA, under the FERPA health or safety emergency exception, “if a school determines that there is an articulable and significant threat to the health or safety of a student or other individuals and that someone needs PII from education records to protect the student’s or other individuals’ health or safety, it may disclose that information to the people who need to know it without first gaining the student’s or parent’s consent.” Read more.

The white paper also addresses a number of frequently asked questions, including:

To read the white paper, click here. To learn more about the Future of Privacy Forum’s student privacy work, click here.


Alexandra Sollberger, FPF

[email protected]


Navigating Privacy in a Data-Driven World

“What does it mean for people actually working with data, people monitoring data, people analyzing data, people selling data? What does it mean to actually be thinking about privacy as a human right?” Future of Privacy Forum CEO Jules Polonetsky posed these questions at the beginning of his keynote, Navigating Privacy in a Data-Driven World: Treating Privacy as a Human Right, at RSA Conference 2020 in San Francisco on February 26. 

During the keynote session, Polonetsky discussed the limitations of consumer protection laws in protecting individuals’ privacy and explored how to best safeguard data to protect human rights. He expressed the importance of instituting laws that support de-identification and pseudonymization, and of independent academics being able to access data for the benefit of research and society.

“Are corporations having too much power over individuals because of how much data they have? Are foreign countries interfering in our elections? Are automated decisions being made where I’ll be turned down for healthcare, I’ll be turned down for insurance, my probation will be extended?” asked Polonetsky. “These are not privacy issues, right? These are issues of power. These are issues of human rights at the end of the day.”

Watch the full keynote here.

EU DPAs Issue Green and Red Lights for Processing Health Data During the COVID-19 Epidemic

As Europe is grappling with an exponential increase in COVID-19 cases, some European Data Protection Authorities issued public interest guidance on the limits of collecting, sharing and using personal data relating to health in these exceptional circumstances. Particular areas of concern are related to the breadth of measures that employers can legally take to monitor the health of their employees, as well as the collection of health data by government agencies. Overall, regulators highlight that data protection law is by no means a barrier to public health, but advise organizations against “systematic and generalized” monitoring and collection of data related to health of their employees outside official requests and measures of public health authorities.

Background: the GDPR refers to “monitoring epidemics and their spread”

The GDPR individualizes several avenues to process personal data when the vital interests of individuals are concerned or for important grounds of public interest. Recital 46 specifically refers to the lawfulness of some types of processing that serve these two goals, “including for monitoring epidemics and their spread”. There are provisions in both Article 6 GDPR (the general lawful grounds for processing personal data), and Article 9 (the prohibition to process sensitive data and the exceptional circumstances in which they can be processed) that allow for collection, use and necessary sharing of personal data related to health in the context of an epidemic. 

For example, “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” are specifically mentioned as a permissible use of sensitive data, including data related to health, under Article 9(2)(i) GDPR, if provided by Union or Member State law. At the same time, Recital 52 specifically refers to derogations from the prohibition on processing sensitive data justified for “monitoring and alert purposes” and “the prevention or control of communicable diseases and other serious threats to health”.

Garante: Systematic and generalized collection of health data by employers, discouraged

Italy has been by far the most impacted country by the COVID-19 epidemic in Europe to date, with the government taking yesterday the unprecedented measure of closing the entire country. The Italian data protection supervisory authority – the Garante, highlighted in early guidance issued last week that public health authorities are the organizations mandated to collect and manage data about health related to the virus’ spread. 

“Preventing the spread of Coronavirus is an objective to be pursued by entities that are tasked with discharging this mission in a professional manner. The investigation into and collection of information on the symptoms typical of Coronavirus and on the recent movements of each individual are the responsibility of healthcare professionals and the civil protection system, which are the entities tasked with ensuring compliance with the public health rules that were recently adopted”, wrote the Garante. 

Therefore, the key recommendation made by the Italian DPA was for employers to “refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to individual workers or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside of the work environment”. The Garante recalled that employees are under an obligation to inform their employer of any danger to health and safety at the workplace and encouraged employers to set up specific channels of communication related to this type of information.

The Garante called on all controllers to “comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the Coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers”.

The Italian Government published yesterday evening a Decree in the Official Journal (No 14/2020) to create a special legal framework for collecting and sharing personal data related to health by public health authorities and by private companies that are part of the national health system for the duration of the state of emergency related to COVID-19. 

Irish DPC: Requesting information about recent travel and symptoms of employees and visitors, potentially justified 

The Irish Data Protection Commissioner clarified from the outset in her guidance that “data protection law does not stand in the way of the provision of healthcare and the management of public health issues”. But at the same time “there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data”. Not only that the processing needs to be necessary and proportionate, but it also “needs to be informed by the guidance and/or directions of public health authorities, or other relevant  authorities.” 

The DPC highlights particularly relevant aspects for compliance, such as transparency about the measures taken, in house confidentiality in handling information about possible infestations with COVID-19 of specific employees, ensuring appropriate data security, processing the minimum amount of personal data to achieve the purpose of implementing measures to prevent or contain the spread of the virus, as well as keeping track of all decisions made with regard to collection of such data and safeguards implemented, as part of accountability obligations.

The Guidance also has a Q&A section that addresses specific scenarios brought up by organizations in their communication with the DPC. For example, can an employer require all staff and visitors to the building to fill out a questionnaire requesting information on their recent travel history concerning countries affected by the virus, and medical information such as temperature? Considering that under Irish law employers also have a legal obligation to protect the health of their employees and maintain a safe place of work, on top of the justifications specific to data protection law mentioned above, “employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”. If such information would be gathered via questionnaires, this would need to have a justification based on necessity and proportionality, taking into account any directions and guidance of public health authorities. 

The CNIL: Collection of medical files or questionnaires from all employees, likely not justified

The French supervisory authority – the CNIL, reminded organizations that personal data related to health enjoys stronger protections under the GDPR due to its sensitivity. The brief guidance issued on March 6 focused on what employers can do and what they cannot do in relation to data about the health status of their employees. As a rule, any exceptional processing of personal data caused by the epidemic should not go beyond what is necessary for the management of suspected exposure to the virus, especially considering that the Code of Public Health is also applicable to this situation.

On the blacklist of processing activities, the CNIL specifies that “employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee and their relatives”. The CNIL gives examples of unlawful processing:

Admittedly, the questionnaires in this recommendation may refer strictly to the collection of information related to employee’s overall health and not to their recent travel, but this would need to be further clarified.

The CNIL also offers examples of actions that employers can implement lawfully:

Importantly, the CNIL also mentions that employees have an obligation under the Labor Code by all means possible to preserve the health and safety of others and of themselves, which means that “they must inform their employer in the event of suspected contact with the virus”.

The Future of Privacy Technology

Today, FPF is making available a report co-authored by CEO Jules Polonetsky and Policy Fellow Jeremy Greenberg that identifies future directions and requirements of privacy technology from the industry perspective.

With support by the National Science Foundation under Grant No. 1939288, a survey was designed and administered to industry privacy leaders to provide input on the future of privacy technology as relates to their business and policy needs and objectives. In the report, the authors outline three major areas that are especially ripe for investment and development: 

  1. Privacy Enhancing Technical Tools; 
  2. Administrative and Compliance Tools; and 
  3. Self-Regulatory and Policy Tools. 

To learn more, read the full report here. 

Private sector demand and readiness to collaborate is a factor in the launch and groundswell of activities associated with the Privacy Tech Alliance, an initiative established by FPF to advance privacy enhancing technology in commercial, government and not-for-profit sectors. 

A Closer Look at Genetic Data Privacy and Nondiscrimination in 2020

Florida lawmakers recently introduced HB 1189/SB 1564 – a bill that would prohibit life and long-term care insurers from basing coverage and rates or denying coverage based on individuals’ genetic information. Washington State lawmakers are considering a bill, HB 2485, that would prohibit life insurance companies and others from obtaining individuals’ genetic information from direct-to-consumer (DTC) genetic testing services. These are two of many legislative efforts that would fill critical gaps in protections provided by the Genetic Information Nondiscrimination Act (GINA). GINA, a 2008 federal law, bans discrimination based on genetic information in health insurance and employment settings. However, GINA is limited; it does not protect individuals from genetic discrimination by life, long-term care, and disability insurers. Also, GINA does not apply to members of the US military, who recently received a Pentagon warning memo stating that DTC genetic testing results could impact decisions made about US military readiness. 

Some states have stepped in to provide additional protections for individuals. California, for example, provides the most comprehensive protections beyond GINA. CalGINA extends nondiscrimination protections to circumstances related to housing, certain businesses, state-funded agencies, and in the provision of emergency services. 

During recent years, GINA and complementary state laws have seemingly mitigated some concerns about genetic discrimination and provided employers and insurers with clarity regarding their legal obligations. Between 2013 and 2018, less than three cases were brought each year by the Equal Opportunity Employment Coalition (EEOC), the federal agency that enforces Title II of GINA, and a shrinking number of charges citing GINA violations were filed with the EEOC (333 charges filed in 2013 versus 209 cases filed in 2019). 

However, GINA has not eliminated concerns about genetic data privacy and discrimination across the board. Many stakeholders, including legislators, have engaged in efforts to promote access to genetic information for various purposes. Therefore, it is important that policymakers, companies, employees, consumers, and other stakeholders understand GINA’s limits, the privacy risks involved in using genetic information, and the privacy-centric tools and guidance that can mitigate risks in this under-explored territory. 

Employer-Sponsored or Corporate Wellness Programs

In 2017, the US witnessed controversy over H.R.1313 (the “Preserving Employee Wellness Programs Act”). Although the bill did not pass Congress, many viewed the proposal as an attempt to give employers access to employees’ genetic information through corporate wellness programs, a possibility that raised the spectre of employer discrimination against an employee and his/her/their family members. The bill could have permitted employers to access information from tests for genetic diseases with no known cure. H.R. 1313 was strongly opposed by health advocates. Advocates argued that if an employee or beneficiary’s heightened risk of developing a serious disease is revealed to an employer, the employer could use this information to predict and mitigate future healthcare costs. Such use of genetic information would violate GINA. 

Although GINA has deterred employers from engaging in explicit acts of genetic information discrimination, it has not discouraged employers from engaging in the consumer genetics space by partnering with DTC genetic testing companies that offer ‘personalized wellness’ programs to employees. Personalized wellness programs’ stated goal is to help employees understand which exercise programs and diets could work best based on genetic factors. Employers, on the other hand, hope that information gleaned from genetic testing in personalized wellness programs can be used to motivate employees to engage in healthy behaviors, which might lead to overall reduced health care expenditures for the employer. There is broad agreement that genetic information – and other health data used by wellness programs – must not inform decisions regarding hiring and promotion.

Life, Long-Term Care, and Disability Insurers

The fact that GINA excludes life, long-term care, and disability insurers has been unsettling for many since GINA became effective in 2008 because it left an open door for potential discrimination in such settings. Some states like Florida have taken initiatives to fill these protection gaps, although with pushback from these insurance industries. For instance, a recent Florida bill would prohibit life insurers from making coverage decisions based on both clinical and consumer genetic testing results; it is opposed by the life insurance industry. The industry argues that the bill, if passed, could “disrupt Florida’s life insurance market and could harm consumers through higher prices and potentially limited product choices.”

In essence, these industries are concerned about their ability to underwrite and establish pricing or premiums based on genetic information alone or in combination with medical information taken from the Medical Information Bureau (MIB), an insurance underwriting and information exchange organization. MIB members include life and health insurance companies that seek to “assess an individual’s risk and eligibility during the underwriting of life, health, disability income, critical illness, and long-term care insurance policies.” Life, long-term care, and disability insurers argue that genetic information and MIB data improves their ability to accurately estimate risk, underwrite policies, and assess the likelihood of severe or critical illness, premature death, or disability. Individuals fear that the insurers will use information that is inaccurate, incomplete, or would create discriminatory outcomes for individuals or groups.


  1. Direct-to-Consumer genetics companies should consider adopting the best practices described in FPF’s Privacy Best Practices for Consumer Genetic Testing Services.
  2. When employers consider whether to offer personalized wellness programs that involve genetic data, they should analyze vendors’ policies to ensure that vendors will appropriately secure personal information and provide meaningful privacy controls. Employers should not consider genetic data when making hiring or promotion decisions.
  3. When employees weigh the benefits and risks of wellness programs, they should read privacy policies and terms of use agreements to determine whether programs’ policies align with their privacy expectations.
  4. Consumers who are concerned about whether their genetic information has made it into the MIB database typically have the right to request their MIB Consumer File under the Fair Credit Reporting Act (FCRA). 
  5. US military service members should read the recent Pentagon warning memo and, if appropriate, speak with a genetic counselor about whether or not DTC genetic testing is necessary or desirable in individual cases. 
  6. Policymakers interested in genetic discrimination and data protection issues should be aware that the National Human Genome Research Institute (NHGRI) has a Table of State Statutes Related to Genomics that provides the total number of states that have enacted legislation related to genetic information privacy and nondiscrimination. The database is publicly-available and updated regularly. Additional resources suggested by the NHGRI include those offered by the Cornell Legal Information Institute, LawSeqSM Database, and National Society of Genetic Counselors. This search query on Congress.gov is a useful tool for following newly introduced state and federal legislation related to genetic information. 
  7. Researchers interested in genetic discrimination topics should consult the Final Rules for GINA and public comments about past Proposed Rules under GINA hosted by the Federal Register and searchable using the term “Genetic Information Nondiscrimination Act.” 

Subscribe to the FPF mailing list to stay up to date on these issues and check out more of our top stories in health.