The Australian Information Commissioner and Privacy Commissioner, Angelene Falk has signed a world-wide statement confirming the importance of people’s privacy being maintained in the sharing of health data when people travel during the COVID-19 pandemic.
Launched and signed by the The Global Privacy Assembly (GPA) Executive Committee, Ms Falk said Governments around the world were implementing measures to stop the spread of COVID-19 and for many travellers, this meant sharing health information as a prerequisite of travel.
“The potential sharing of these elements of health data, on a mass scale across borders, and across a range of entities, is unprecedented,” Ms Falk said.
“Whilst such steps may potentially be justifiable on public health grounds, the sharing of this sensitive information can and should be done in a privacy protective manner,” she said.
Ms Falk said that since the start of the pandemic, members of the GPA had advised Governments on the design and development of systems that allowed the processing of personal health data in a manner that best protected privacy.
She said data and technology were important tools to fight the pandemic with but had intrinsic limitations and needed to be part of a of a comprehensive public health strategy.
“The principles of effectiveness, necessity, and proportionality must guide any measure adopted by Government and Authorities that involve processing of personal data to fight COVID-19,” the Commissioner said.
Ms Falk said the GPA were urging Governments to consider key principles in the collection of individuals health data, including that they consider privacy risks at the outset; that privacy by design principles be embedded into any system; personal data collected require a clearly defined purpose; that it operate under relevant and appropriate lawful authority; that data protection rights of vulnerable individuals be protected; and that individuals be informed of how their data were utilised.
She said GPA was also urging Governments to collect the minimum amount of health information necessary; address the risks of directly sharing information from health records; fully assess the cyber security risk of any digital systems; consider how long data should be retained; build sunset clauses into the design of such schemes, foreseeing permanent deletion of data; and periodically review schemes.
