Privacy and data sharing

A checklist for building privacy and data security into contact tracing programs


1. Assess the overall process

  • 1.a Consider conducting an initial privacy assessment by asking, for example:
    • who are the people/roles involved in the process,
    • who are the entities,
    • what is the technology,
    • what information will be collected,
    • what privacy and security policies and controls are in place,
    • when and how will private information be deleted or de-identified, and
    • what are the key data flows and data sharing use cases.
  • 1.b With appropriate advice, consider documenting or amending existing policies, in light of the program maturity and the needs of the local jurisdiction.

2. Assess policy simplification

  • Assess policy simplification. Consider the costs and benefits of policies that default to treating information as sensitive, even if not legally required.
    • Sample: Your information is confidential and will be used only for public health purposes. We will collect, use, and share the minimum necessary information appropriate for these purposes and we will not release the name of someone who tests positive to anyone with whom that person has been in contact.

3. Privacy / Communications to contacts

  • In the tracing process, Contacts, who are informed that they may have been exposed, are not told the names or identities of the Cases who may have exposed them.

4. Notification

  • Publish a privacy policy that explains how information is collected, used, shared, and retained in connection with the contact tracing process. Even in the absence of a legal requirement for such a policy, publishing one improves the transparency of the process.

5. Data sharing plan/framework

  • It is important to proactively define data sharing use cases and rules. Consider, with appropriate advice, creating a data sharing plan for your state and local jurisdiction that specifically addresses what data can be shared and with whom. Consider the following questions:
    • What is the data that’s being considered for sharing? Define and map data flows and explain what happens to the data in the privacy notice.
    • How sensitive is the data? Classify data sets into categories, such as: Protected Health Information (PHI), Personally Identifiable Information (PII), Public Health data and Public data.
    • What is the purpose for sharing a particular data set? For example, is the data set:
      • for the Public Health Department’s contact tracing process?
      • for medical treatment?
      • for medical research?
      • for other public purposes?
    • Are data sharing agreements in place and who (what entities) are receiving data?
      • Determine what data sharing, confidentiality and business associates agreements (BAAs) are needed and in place. With legal assistance, proactively prepare standard contract terms.
      • Entities may include for example: Public Health agencies within the jurisdiction, Public Health agencies outside the jurisdiction, clinical providers (such as labs), medical providers, medical researchers, data clearinghouses, other state and local agencies, the media and technology providers
    • Is individual consent required?
      • Determine if individual consent is required to share sensitive data.
      • Assess consent issues, which are fact specific, proactively and with appropriate advice. In general, the rules reflect a balancing of patient and public interests. For example, data can be more freely shared within a public health process for surveillance or for medical treatment, potentially without individual consent or authorization. In other contexts, the data that can be shared may need to be less sensitive and/or individual consent to disclose may be required.

6. Technology

  • When considering technology to enhance a contact tracing process, ensure privacy and security standards, including under HIPAA, are met.
    • The 2 general categories of tracing technologies are (i) “case management” tools to automate the efficiency of case investigation, management, and communications within a human-based tracing process and (ii) “proximity tracking” (by cell phones) which can help automate the identification and follow up communications with contacts.
    • Consider communicating privacy policies to your technology teams to promote cross-functional discussion.

7. Assess and ensure proper data security policies, standards and controls are in place

  • Such policies should reflect applicable legal standards and the public trust.

8. Assess and document data retention, access, deletion, & de-identification policies

  • Such data policies should reflect at least the “minimum necessary” and other applicable legal standards, respect for individuals and the reasonable capabilities of the technology.

9. Train staff

  • Train employees on privacy and security policies, as well as the reasons for the policies (including to build public trust in a process that relies on voluntary community cooperation).

10. Remote working rules

  • If employees work from home, consider implementing controls such as prohibitions on saving information to personal devices and steps to ensure that private conversations are not overheard.

11. Agility

  • Review, revise, iterate, and simplify policies and the process framework based on experience, best practices, and technology developments.
HIPAA and privacy compliance are highly fact-specific. This checklist is not intended as, and should not be treated as, legal advice concerning any particular course of action.

Implementation tools