Responding to recent reports that the U.S. Government may send payments by check or direct deposit to Americans in the near future to offset some of the economic damage done by the COVID-19 outbreak, the Federal Trade Commission has offered a list of three important tips consumers should keep in mind to avoid getting scammed.

These are worth reviewing and sharing with employees, family members, and friends.

The logistics of any coronavirus relief package are still being worked out, but here are a few really important things to know, no matter what form it takes, from the FTC:

  1. The government will not ask you to pay anything up front to get this money. No fees. No charges. No nothing.
  2. The government will not call to ask for your Social Security number, bank account or credit card number. Anyone who does is a scammer.
  3. These reports of checks aren’t yet a reality. Anyone who tells you they can get you the money now is a scammer.

This from Jennifer Leach at the FTC: “Look, normally we’d wait to know what the payment plan looks like before we put out a message like this. But these aren’t normal times. And we predict that the scammers are gearing up to take advantage of this.

So, remember: no matter what this payment winds up being, only scammers will ask you to pay to get it. If you spot one of these scams, please tell the Federal Trade Commission: We’re doing our best to stop these scammers in their tracks, and your report will help.”

You can keep up to date with the latest Coronavirus-related scams by visiting or signing up to get these consumer alerts.

Iceland’s data protection authority offers advice on GDPR compliance during the COVID-19 outbreak.

Key takeaways

  • Information that a person is quarantined is generally not considered to be sensitive personal information, but it is appropriate to pay particular attention to the principles of the Data Protection Act on data minimization and fairness.
  • Maintain only the minimum information about the illness or quarantine so that the wage calculation is correct and the collective bargaining rights are guaranteed. There is no need to mention COVID-19 specifically; you can just say illness.
  • Ensure security and stringent access controls. Retain only for as long as necessary.
  • Don’t share the name of an infected employee unless absolutely necessary. You may need to share the names with health authorities.
  • Questionnaires with yes or no questions regarding travel or symptoms are allowed for employees, students and visitors. Questions with open answers require a detailed risk assessment.
  • You may take the employee’s temperature with their consent.

Read the full text here.


This is not the time for strict enforcement of data protection. We are showing agility during this crisis.

  • Information that someone is infected with coronavirus is health information.
  • Information that someone has been quarantined or returned from a so-called “risk area” is not health information.
  • Employers should not disclose information that individual employees are infected or quarantined.
  • For medical care by video, you must have a data processing agreement in place and conduct a DPIA. To this end, choose a video service which is recognized and can demonstrate that it will adequately protect your privacy.
  • The special regulations that apply to health personnel and protection against infection most likely provide sufficient legal basis under Art. 6 and 9 GDPR. Processing health data relies on Art. 9.2(g) [public interest], (h) [preventive or occupational medicine] or (i) [public health per state law] GDPR plus an additional provision in Norwegian law.
  • Try to ask before using solutions not previously approved by the school.
  • When you have finished using a solution, delete all unnecessary information.

Read the full text of the guidance.

The United Kingdom’s Information Commissioner’s Office has provided its guidance on COVID-19 and data privacy.

  • Public health messages are not direct marketing.
  • It’s about being proportionate – if some data processing feels excessive, then it probably is.
  • The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account the compelling public interest in the current health emergency.
  • The ICO will take into consideration delays in responses (e.g. to data subject rights) due to diversion of resources to dealing with the virus.

DO: Keep staff informed about cases in your organization…but don’t name names or provide more information than necessary.

  • ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms
  • ask visitors to consider government advice before they decide to come
  • advise staff to call emergency services if they are experiencing symptoms or have visited particular countries

AVOID: Collecting specific health data

HOWEVER: If it is necessary, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Read the full guidance from the ICO.

Coronavirus and GDPR – the Belgian authority weighs in:

  • Public health is paramount and prevention and the right to privacy are not incompatible.
  • Follow the instructions of the competent authorities so that all measures taken are proportionate.
  • Even in the context of taking preventive health measures, the general principle is that any processing of personal data must meet the conditions of article 6.1 of the GDPR (e.g. protection of vital interests).
  • Process only the minimum necessary amount to achieve the desired purpose.
  • Be transparent with regard to the measures taken and sufficiently inform workers and visitors about the purposes of processing and the duration of storage of personal data collected.
  • Generalized and systematic checks by employers are not proportional.
  • Do not send questionnaires about travel history or symptoms.
  • Do not reveal the names of employees who tested positive.

Read the full guidance.

Coronavirus and GDPR, the Spanish AEPD weighs in:

  • Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
  • Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread include public interest (art. 6.1.e), vital interests of an individual or all susceptible to be infected (art. 6.1.d), or compliance with a legal obligation (employer’s prevention of occupational risks for personnel).
  • Emergency laws provide health authorities the powers to adopt necessary measures. Parties processing personal data must follow these instructions.
  • Subject to the limitations set in labor and workplace safety laws, employers may process data necessary to guarantee the health of personnel and avoid contagion within the company.
  • Processing personal data, even in these situations of health emergency, must continue to be done in accordance with the regulations on the protection of personal data, especially data minimization and purpose limitation.

Read the full guidance from Agencia Española de Protección de Datos.


Employers should NOT:

  • require that employees communicate to them daily a statement of their body temperature or fill out medical sheets or questionnaires
  • have visitors or other external persons sign a declaration by which they certify that they have no symptoms of the coronavirus or that they have not recently traveled to a risk zone, etc.

Employers SHOULD:

  • invite employees/agents to provide information in connection with a possible exposure to them or to the competent health authorities
  • facilitate the transmission of information by setting up, if necessary, dedicated channels to guarantee data security and confidentiality
  • promote remote working methods and encourage the use of occupational medicine


From the Irish Data Protection Commission:

  • Data protection law does not stand in the way of the provision of healthcare or management of public health
  • Measures taken in response to Coronavirus involving the use of personal data, should be necessary and proportionate and informed by the guidance of relevant authorities.
  • You may process health data under art. 9(2)(i) GDPR once suitable safeguards are implemented (e.g. access limitation, strict time limits for erasure, adequate staff training).
  • Employers have a legal obligation to protect their employees. Data may be processed under 9(2) GDPR where necessary and proportionate.
  • You may process personal data to protect the vital interests of an individual where necessary, e.g. when they are incapable of giving their consent.
  • An employer should not disclose that an employee has the virus to their colleagues. Instead, inform staff that there has been a case in the organization and request that employees work from home.
  • Principles of transparency, confidentiality, security, data minimization and accountability apply.

Read the full text of Luxembourg’s guidance.

Read the Irish Data Protection Commission’s guidance.

The California Attorney General has published a third draft of the California Consumer Privacy Act regulations.

Key takeaways:

  • Removes example indicating IP addresses may not be personal information in certain circumstances.
  • Removes suggested opt out logo or button.
  • Privacy notice must include categories of sources from which the personal information is collected and the purpose for which it was collected.
  • When responding to access requests, indicate you have sensitive information (e.g. biometric information) but don’t provide copies of it.
  • Service providers 1: May retain personal information to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services.
  • Service providers 2: May also retain personal information for internal use to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.

Read the full text of the draft.

Italy, which is currently dealing with the most serious COVID-19 outbreak in Europe, weighs in on health data and GDPR.

Employers should NOT:

  • systematically collect (e.g. through specific requests to employees or unauthorized investigations) information on the presence of any flu symptoms or travel of employees or closest contacts.
This means do not:
      • collect information on movements and pathologies of employees, suppliers and visitors
      • take employees’ temperature or collect questionnaire answers
      • investigate travel, contacts, and health

Employers SHOULD:

  • give employees information about the disease, steps to take and applicable travel warnings
  • invite employees to report conditions
  • facilitate the procedures for making the reports (e.g. setting up dedicated channels)

Employers MAY:

  • make thermometers available for employees to self check in private
  • provide information for people who have been in high risk areas or exhibit symptoms

Employees SHOULD:

  • report to their employer any situation of danger to health and safety in the workplace
  • self-report if they have been in an area of contact
  • self-report to their healthcare provider
  • not endanger their colleagues if they are experiencing symptoms

Read the full guidance from Garante per la protezione dei dati personali.

Danish Data Protection Authority Datatilsynet weighs in on the Coronavirus and GDPR:

What an employer can ask the employee to disclose and what the employee is obliged to disclose are issues that are governed by employment law rules and any public law rules on health, etc.

  • Subject to this, and when required, an employer can, if necessary, record and disclose information that is not specific enough to be considered health information. e.g.
    • that an employee has returned from a so-called “risk area”
    • that an employee is in home quarantine (without stating the reason)
    • that an employee is ill (without stating the reason)

There will be circumstances where it would be permissible to record and disclose health information, e.g. that an employee is infected with new coronavirus. However, recording or disclosure must be factual, and limited to what is necessary. Consider:

  • Is there a good reason to record or disclose the information?
  • Is it necessary to specify the information?
  • Can the purpose be achieved by “telling less?”
  • Is it necessary to name the person infected and/or in home quarantine?

Read the full briefing from Datatilsynet.