In the current context of the Covid-19 pandemic, the collection and sharing of employee healthcare data, as well as the contact tracing of people suspected of having the virus, has become one of the key elements of containing its spread. Under these circumstances, it is important to maintain data privacy, particularly considering existing legislation. In the UAE, Federal Law N.2 sets out minimum standards of data privacy for processing health data, including accuracy, security measures, purpose limitation and patient consent.
The law allows medical patients’ data to be used without their consent for public health preventative and treatment procedures (for example, in the case of a public health crisis). However, there are several vital data privacy aspects to bear in mind when establishing contact tracing procedures as part of Covid-19 detection.
Consent must be obtained from the patient at the same time as contact tracing data collection points, such as forms, employee declarations or thermal scans. Controls must be set up to ensure that all healthcare data being collected is accurate and reliable.
Transparency is crucial. As part of the contact tracing process, patients should be informed of how their data will be used and shared. They should be notified that information related to their whereabouts and people that they have been in contact with will be treated in strict confidence and used only to identify potential people that the virus may have spread to, in compliance with government authorities’ requirements. Patients’ privacy rights must be communicated at the same time as contact tracing data is collected from them.
Adequate security measures must be taken to protect personal data from being shared unnecessarily or leaked. Steps should be in place to enable requests from patients to access, modify or delete their data in line with regulatory requirements. It is important to set up processes to manage these types of requests and respond to them in a timely manner.
The retention period of contact tracing data is to be limited to the current crisis and as required by regulatory authorities. In the case of healthcare bodies, this is for a period of at least 25 years. UAE law requires that sharing of any contact tracing data with third parties is to be limited to authorized government authorities. Back-to-back data processing agreements need to be in place with relevant third parties.
All new projects dealing with contact tracing data or any other personal data must have key privacy controls embedded in the organization’s project lifecycle.
Anonymization of data is another element to consider. A good example of best practice when it comes to anonymized contact tracing in the UAE is the TraceCovid application, which performs contact tracing via Bluetooth signals recorded from mobile phones within close range of an infected Covid-19 patient.
Implementing these simple steps will support a secure contact tracing process that helps maintain data privacy, particularly in the sensitive context of Covid-19 personal data collection.