Data Protection and the COVID-19 Pandemic.
Tuesday 14 September 2021 - A Public Policy Report of the COVID-19 Law and Human Rights Observatory, School of Law, Trinity College Dublin.
In its statement of 19 March 2020 on the processing of personal data in the context of the COVID-19 outbreak, the European Data Protection Board stated that data protection rules, such as the GDPR, did not hinder measures taken in the fight against the coronavirus pandemic and that, even in these exceptional times, data controllers and data processors must ensure the protection of personal data of data subjects.
The COVID-19 pandemic has, however, presented significant challenges for data protection law: not only for data controllers and processors, whether in the public or private sector, but also for data subjects and indeed data protection authorities at national and EU level. By its nature, the management of a major public health emergency, such as COVID-19, has very significant implications for the protection of personal data, involving as it does very widespread and large-scale processing of personal data, including sensitive health data which is the subject of special protection under the GDPR.
Against this backdrop, it is not surprising that data protection has been a prominent feature of public debate around the response to COVID-19, from the early stages of the pandemic to the more recent relaxation of public health restrictions. In this Report, we examine a number of key aspects of the Irish response to the data protection challenges presented by COVID-19.
Chapter 1 provides an overview of mandatory and commonplace data-driven measures adopted in Ireland up until the beginning of July 2021 that have gone under the radar, and consequently eschewed public scrutiny. Sections include contact logging, locator forms for international passengers, the Covid-19 Contact Management Programme and the Vaccine Information System. The chapter appraises the compliance of such data-driven measures with data protection law.
Chapter 2 examines the COVID Tracker App, which was designed and deployed to assist with contact tracing in respect of COVID-19. While questions have been raised about the effectiveness of the App, the App has been heralded as a success on a number of fronts, both in terms of the process leading up to its launch and its relatively high uptake among the population.
Chapter 3 provides an overview of the laws governing data sharing between public bodies in Ireland during the period of Covid-19, with a particular focus on health data and how the Data Sharing and Governance Act 2019 will impact this sharing landscape.
In this dynamic field, where laws, regulations and practices are continually evolving both in response to the public health situation and other developments, the Report is intended to offer a snapshot of the Irish experience in dealing with the data protection challenges presented by COVID-19 as of July 2021.
Data Protection and the COVID-19 Pandemic ReportContributors to this Report
- Maria Grazia Porcedda (Chapter 1) is Assistant Professor in Information Technology Law at the School of Law, Trinity College Dublin. Her research focusses in particular on cybercrime, cybersecurity, data protection, privacy and surveillance in EU law.
- David Fennelly (Chapter 2) is an Assistant Professor at the School of Law, Trinity College Dublin and a barrister practising from the Law Library, Dublin.
- Róisín Á Costello (Chapter 3) is an Assistant Professor of Law at the School of Law and Government at Dublin City University and a barrister. Her research focuses primarily on privacy law and policy, EU law and the interaction of law and linguistic identity.
More information on the COVID-19 Observatory and other Public Policy Reports can viewed here