Article Text

Download PDFPDF

The governance of personal data for COVID-19 response: perspective from the Access to COVID-19 Tools Accelerator
  1. Ciara Staunton1,2,
  2. Emma Hannay3,
  3. Oomen John4,5,
  4. Michael Johnson6,
  5. Rigveda Kadam3,
  6. Rangarajan Sampath3
  7. On behalf of ACT-Accelerator R&D and Digital Working Group
  1. 1Institute for Biomedicine, EURAC Research, Bolzano, Italy
  2. 2School of Law, Middlesex University, London, UK
  3. 3FIND, Geneva, Switzerland
  4. 4George Institute for Global Health, UNSW, New Delhi, Delhi, India
  5. 5Prasanna School of Public Health, Manipal Academy of Higher Education, Manipal, India
  6. 6The Global Fund to Fight AIDS Tuberculosis and Malaria, Grand-Saconnex, Genève, Switzerland
  1. Correspondence to Dr Ciara Staunton; c.staunton{at}

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.

Summary box

  • COVID-19 is the world’s first digital pandemic with the use of digital technologies and personal data central to our response.

  • The use of these data must be appropriately governed to ensure its use is in the public interest.

  • The Framework for the Governance of Personal Data for the Access to COVID-19 Tools Accelerator provides a principle-based approach, implemented in a procedural guidance to govern the use of COVID-19 personal data.

COVID-19 is the world’s first digital pandemic. Digital tools and technologies have been developed to track and trace the spread of the virus, screen for infection, and the pandemic has accelerated the use of digital technology in the delivery of healthcare.1 The continued development of these tools and technologies, the monitoring of the virus and the development of new tests, treatments and vaccines are dependent on the collection of and access to vast amounts of personal data. This includes clinical data, epidemiological data and public health data that may be collected from laboratories, medical records, wearables and smartphone apps. Previous public health emergencies (PHEs) have demonstrated the importance in making this data available,2 and early in the COVID-19 pandemic, there were calls for making all kinds of data, including clinical trial data, routine surveillance data, genetic sequencing, and data on the ongoing monitoring of disease control programmes, openly and rapidly available.3 As part of this, personal data on age, race, sex, health, ethnic group, and socioeconomic factors have been shared. This has helped led to the rapid development of COVID-19 interventions. It has also enabled the better understanding of factors contributing to difference in infection rates and effectiveness of tests, treatments, and vaccines. However, the use of this particularly sensitive data can infringe upon individual and group privacy, increase the risks of individual and group stigma and discrimination, and it may negatively impact already vulnerable, marginalised or minority populations.4

During this pandemic, states of emergency have been declared, and many of our fundamental rights including our right to privacy have been limited as part of national COVID-19 responses.5 Such an approach can be appropriate in a democratic society, but policies that relied on public trust have resulted in increased compliance and improved public health outcomes.6 Thus it is not always a binary choice between privacy and an effective public health response. The focus should be on how best to safeguard our privacy interests and foster public trust in the ongoing access to data and use of digital technologies, even when our right to privacy has been limited.7 As we have learnt from previous PHEs, trust is not a concept on which to ground data practices, as this is a breeding ground for exploitation. Rather it is the transparent and accountable governance of data use and digital technologies that can foster this public trust.8

The Access to COVID-19 Tools Accelerator (ACT-Accelerator) was established to respond to the COVID-19 pandemic by scaling up the development and equitable distribution of tests, treatments and vaccines, and strengthening underlying health systems infrastructure. Early in its work, the R&D and Digital Working Group of the ACT-Accelerator Diagnostics Pillar recognised that to achieve this goal, the collection, linking, sharing, and timely access to data is essential, but these data use must be supported by a clear and transparent governance framework rooted in human rights. The Framework for the Governance of Personal Data for the Access to COVID-19 Tools Accelerator was thus developed. It is to promote best practice and the responsible use of personal data by all initiatives funded under the ACT-Accelerator.9

The framework requires that the use of personal data in responding to COVID-19 must be done in a manner that safeguards privacy and the rights of vulnerable groups. This vulnerability may be due to the global context of inequality and asymmetries of power, but equally may arise due to comorbidities, identity, personal circumstances or the use of personal data without due consideration of possible harms. Within this context, the framework identifies key principles that should underpin data use that are implemented in a procedural guideline: six substantive principles (solidarity, respect for persons and communities, equity, non-exploitation, privacy, and data stewardship) are to guide any decisions on data and data use, and three procedural principles (transparency, accountability, and engagement) must guide the process of decision making. These principles must be read together to provide overarching guidance on managing personal data during COVID-19, but also on balancing the collective interests in responding to COVID-19 with our individual rights. To assist in this, the framework provides detailed guidance on data management, including data collection and storage, data retention, data access, and the responsibilities of those processing personal data during COVID-19.

In developing this framework, we were cognisant that the impact of COVID-19 is unequal due to the global context of inequality and asymmetries of power and also that data practices in the past have been exploitative and perpetuate global health inequity.10 We were aware that data practices adopted during COVID-19 will be influential in any pandemic preparedness and future pandemic response and the importance of adopting practices now that drive an equitable global response. Thus, the framework requires the equitable access to data and equitable access to any tests, treatments and vaccines that are developed from this data. Adopting and building on the practices set out in the framework can provide a more equitable response in future digital pandemics.

Experience has taught us that the governance of this personal data must extend to its use in a postpandemic world. We must guard against the unethical and exploitative practices of past PHEs that saw access to data by the local data collectors denied after the pandemic had ended.8 The personal data collected during COVID-19 is essential for our response now, but it will also be a valuable resource for better understanding our response, guiding pandemic preparedness, as well as other research. We must ensure that these personal data are available for research, but be mindful that the conditions under which the data were collected will have changed. We will no longer be in an emergency situation, and decisions on the most appropriate use of these data will need to be made. Such conversations will likely take place at a global level, but it is crucial that they take account of national interests. With this in mind, the framework calls for the establishment of national independent Data Stewardship Oversight Committees for COVID-19. During the pandemic they should monitor the collection and use of personal information and ensure that it is in line with public expectations, human rights and clear and accountable processes. In a post-COVID-19 world, these national committees should be tasked with determining access to COVID-19 data, the conditions for access, but importantly ensure that decisions on access continue to be driven by public and not private or commercial interests.

As we move through this pandemic, we are continually reminded of the importance of pandemic preparedness.11 It is crucial that we learn lessons from this digital pandemic and have appropriate governance to guide the use of personal data in future pandemics. The ACT-Accelerator Data Governance Framework provides a starting point. We therefore welcome all COVID-19 related consortia, research, and other initiatives that are using COVID-19 personal data to adopt and use this framework. This framework is a living document and will be updated and refined based on recommendations and experiences with its implementation and we encourage feedback to be sent to the ACT-Accelerator Diagnostics Pillar ( It is through this sharing of learnt experiences that we will find ourselves better informed and better prepared to respond to our next global pandemic.

Data availability statement

There are no data in this work.


The R&D and Digital Working Group of the Access to COVID-19 Tools Accelerator (ACT-Accelerator) Diagnostics Pillar who initiated the development of this framework, and the ACT-Accelerator Ethics & Governance Working Group who provided substantive feedback throughout the process. We would like to thank the other groups and individuals who provided feedback on earlier drafts of the framework. A full list of the acknowledgments can be found in the framework.



  • Handling editor Seye Abimbola

  • Twitter @ciaralstaunton, @oommen_john

  • Contributors EH conceptualised the project. CS was commissioned to write the Data Governance Framework, under the guidance of all of the authors. CS wrote the first draft of the manuscript. All authors provided comments, feedback and edits. All authors approved the final version of the manuscript.

  • Funding This work was supported by FIND through funding from KfW and UK aid from the British people.

  • Competing interests CS was commissioned by the R&D and Digital Working Group of the ACT-Accelerator Diagnostics Pillar to develop the Framework for the Governance of Personal Data for the Access to COVID-19 Tools Accelerator. EH is a coconvenor of the ACT-Accelerator Diagnostics Pillar on behalf of FIND and the Global Fund.

  • Provenance and peer review Not commissioned; internally peer reviewed.