Recommended Privacy Guidelines for COVID-19 Testing, Contact Tracing and Symptom Screening Data

Notice and Transparency: Data subjects shall be informed regarding the data handling practices for each component of the program, specifically:

  • What personally identifiable information and/or medical information will be collected from them;
  • The purpose of the data collection;
    • University guidelines and County/State Public Health Orders should be cited when applicable;
  • With whom the data will be shared;
    • Specifically, by department, agency, function and role;
      • For each entity that will receive COVID-19 data, an explanation of why the data will be shared with that organization should be indicated;
  • If the data will be used for research purposes (even in aggregate), this should be delineated.

Consent: If personally identifiable data will be disclosed for a purpose other than for a Public Health objective (see exceptions to consent requirement below), the data subject’s consent should be obtained:

  • Disclosures Not Requiring Consent:
    • Public Health Disclosures required by law or ordered by a relevant Public Health Authority;
    • Internal disclosures to UC Berkeley organizations for public health, or internal quality improvement purposes;
    • Disclosures of de-identified data, including disclosures for research purposes that are not subject to the Human Subject Research Protections of the Common Rule; unless prohibited by contractual agreement between UC Berkeley and local health care providers.
  • Consent Form Contents:
    • What information (data elements) will be disclosed;
    • To whom the information will be disclosed (each entity or category of recipient should be listed);
    • The purpose or objective of the disclosure;
    • The term of the consent (when does the consent expire?);
    • A statement indicating that the data subject has the right to revoke their consent at any time, instructions for doing so, and a disclaimer noting that the revocation will only apply to disclosures occurring after the revocation occurs;
    • Contact information for testing subjects to inquire about the use and disclosure of their personal data and to exercise their right of access to their data.

Data Governance:  Prior to the collection of COVID-19 data, a data governance policy shall be implemented that includes the following requirements:

  • Minimum Necessary:  COVID-19 data will only be collected and disclosed when necessary to accomplish the stated Public Health purpose of the data collection;
  • Need to Know: Only individuals with a defined business need will be provided with access to COVID-19 data;
    • Role Based Access:  Controls shall be implemented which include tiered access levels based on business need;
    • Auditing and Monitoring:  Instances of staff access to COVID-19 data shall be monitored at regular intervals and audited periodically for anomalies;
    • Data Subject Access: Written procedures allowing for data subject access rights (e.g., by students, represented staff, and the community), when applicable, in accordance with applicable law and UC practices, shall be developed;
    • Retention: COVID-19 data shall be retained for only as long as required per the UC Retention Schedule; if identifiable data is kept beyond the current COVID-19 testing program’s sunset, further use of the data should be considered a “new use” and additional notice should be provided and relevant consent obtained;
    • Third Party Disclosures: COVID-19 data should only be provided to third parties (external to the University) if required by law or a Public Health Order, or if the disclosure is essential to the completion of the objectives of a COVID-19 testing or surveillance program (e.g., to software or electronic health record system suppliers whose services or software are essential to the testing and surveillance program);
      • In the event of disclosures to third parties, all privacy and information security requirements shall be extended to each third party recipient of COVID-19 data, contractually or through a binding data use agreement.

Information Security Requirements

COVID-19 Testing, Contact Tracing and Symptom Screening data has been classified at the P4 data classification level [per UC Berkeley’s Data Classification Standard] and, as such, shall be accessed, stored, transmitted and disposed of in accordance with the P4 Level Information Security Requirements, as indicated by UC Berkeley’s Minimum Security Standards for Electronic Information and its Minimum Security Standards for Networked Devices.