We are already seeing a lot of concerns about whether the current coronavirus scare justifies greater surveillance measures by governments. I thought I’d provide one example of how one government is addressing the concerns. From the Personal Data Protection Commission of SIngapore:
Organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the coronavirus disease 2019 (COVID-19).
In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
As organisations may require national identification numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors’ NRIC, FIN or passport numbers for this purpose.
Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.
The PDPC has developed a notice to inform visitors that personal data would be collected during the outbreak of COVID-19 for contact tracing purposes. Organisations that would like to make use of the notice may access it here.
The PDPC would also like to highlight that there have been reports of scammers impersonating MOH contact tracing officers and requesting financial information from individuals. Members of the public are advised to verify the authenticity of the phone calls with the MOH hotline (6325 9220) if they have doubts about the caller’s identity.
How does Singapore’s approach compare to ours in the U.S. Let’s look at part of the recent statement from HHS:
Disclosures to Prevent a Serious and Imminent Threat Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j).
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient). See 45 CFR 164.508 for the requirements for a HIPAA authorization. Where a patient has not objected to or restricted the release of protected health information, a covered hospital or other health care facility may, upon request, disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information if the patient is incapacitated, and if the disclosure is believed to be in the best interest of the patient and consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a).
The full HHS guidance is embedded below.
february-2020-hipaa-and-novel-coronavirus