While almost every country in the world is struggling to keep up with the consequences of the deadly COVID-19 disease spread, efforts continue to find a cure or a vaccine or, at the least, methods that can limit the uncontrolled multiplication of the virus. The dilemma that many countries face today is twofold – explore every possible solution to contain the COVID-19 spread (and) still not cross the fine line drawn in the protection of data privacy.
A recent study at Oxford University is an addition to the groups of experts advocating the method of ‘contact tracing’ to nip the infectious disease at its bud. In this approach, the location of the infected person is tracked, and anyone who has come in contact with the patient is informed and warned for isolation.
Europe and the US, in collaboration with giants like Facebook and Google, are now looking at similar ways to track down infected people. Few might opine that this is an invasion of privacy.
Several countries in Asia, like China and South Korea, have reportedly relied on surveillance of mobile phones to track the infected individual’s activities and reportedly shared their information with others. Some countries are also building apps that can help patients to enter their test results and make them available to the health officials for tracking them down.
Singapore has taken measures with the aid of the TrackTogether app, which uses Bluetooth technology to tether with other Bluetooth enabled and the app installed devices. The app maintains a log of people who have been within the Bluetooth radius for at least half an hour.
In countries with stringent privacy laws, the data collected through telecom operators is anonymous and aggregated wherein the trends of the congregation of the infection and the
map of the disease spread is tracked.
Although dire times due to COVID-19 call for extreme measures by authorities, the fundamental issue of data privacy is raked up yet again. Although a global pandemic can be a reason enough to use the collected private data for the greater good, the expectations about privacy protections cannot be ignored.
Rights and obligations of the employers pertaining to COVID-19
With the COVID-19 outbreak impacting businesses worldwide, many privacy advocates are warning enterprises against demanding excess information from employees and to adhere to
the privacy laws of their respective countries. Many enterprises have sought travel bans and ordered health tests for their employees as a crucial step to stop the spread of the pandemic. However, these enterprises are walking on a narrow bridge as employees may not be comfortable to share their personal information. For instance, in Europe, as per the General Data Protection Regulation (GDPR), the regulations are clear that the employee data can only be collected for a specific reason (and) can only be obtained with consent.
For the past few weeks, many countries like the Netherlands, France, Italy, Denmark, and a few more issued statements for bidding enterprises from collecting excessive employee data.
Although the pandemic is dangerous, “it does not give a free reason to gather private data”, argue the privacy advocates.
Apart from maintaining employee private information (and sharing it with government agencies when necessary), enterprises are also tasked with the challenges of employees working remotely which presents the danger of exposing organizational data opening a Pandora box of data security concerns.
Within an enterprise network, there are adequate security protocols in place. Working remote adds in local and public network exposing the organization’s IT infrastructure to unprecedented risks. In such situations, taking necessary security enhancing steps – working on Virtual Private Networks (VPN), avoiding the usage of USB sticks, using secure cloud services etc., will come
in handy.
Another challenge for enterprises is to maintain the data from the DSAR (Data Subject Access Requests) forms submitted by consumers whilst ensuring consumers their right to access of
information. While collecting data amidst this chaos can be useful, additional costs of maintaining the data and ensuring easy access to consumers can potentially add billions of dollars of overhead to organizations.
Keeping all these potential problems in view, just taking some necessary steps in ensuring data security will not be sufficient. Having a robust data privacy framework is the way ahead to deal efficiently with significant data privacy concerns during these testing times.
What does the law say?
As more and more nations struggle to keep up with the fight against the COVID-19, many of them are moving towards tracking mobile phone information of consumers, raising widespread privacy alarms across the world. In such situations, the data privacy laws of countries can be a guiding light to businesses, government agencies, and consumers who know their rights and will stand against any breach of privacy.
For instance, in Europe, the General Data Protection Regulation (GDPR) has been in place for a couple of years now. This regulation is directly applicable to all its member states in the
interest of consumer data protection. However, many member states have asked for allowance to move their privacy regulations as well.
Similarly, in the United States, the California Consumer Privacy Act (CCPA) has imposed strict data privacy regulations that allow enterprises to collect and use consumer data only upon consent and also places restrictions on when and how the information can be shared with third parties. Following California, many other states like New York are also in the process of
passing stringent data privacy regulations.
Developing countries like Brazil also have their version of GDPR called the Lei Geral de Proteção de Dados Pessoais or LGPD. This was passed in 2018 and presents a series of regulations to organizations to comply thereby ensuring the protection of private individual information.
In India, the Personal Data Protection Bill was passed in 2019; this bill specifically prohibits the collection or processing of sensitive personal data of people without any specific, explicit, and lawful purpose. The bill stresses important aspects like consent, protection of data, and restricts sharing information among third parties without consent.
With more and more countries around the world moving towards their own privacy regulation bills, it seems that the importance of ensuring privacy through efficient systems and software in place should be considered more than ever by small and big enterprises around the globe.
Road ahead
The COVID-19 crisis has now raised an alarm on many global activities and has significantly changed the approach and working style of many businesses. While tracking of patients and isolating them can be an effective way to ensure the reduction of the virus spread, the question remains on how ethical is it given that one shouldn’t cross the fine line of protection and privacy breach? Should there be relaxations or changes in the privacy regulations like the CCPA or GDPR to fuel up the already slow and hit businesses across the globe?
The enterprises have many challenges ahead of them. Not only do they have to deal with the visible recession but will also have to handle the issue of overhead costs of ensuring robust security and privacy systems providing safe remote working conditions. Recently enforced CCPA timeline puts more pressure on enterprises to respond to the consumers and the regulatory authorities on addressing the following issues:
- What data is being collected
- How enterprises will store this data
- With whom the data is shared (and)
- Where the data processing will take place.
By being prepared with the solutions to this complex challenge will help enterprises build transparency and trust.
What price do enterprises have to pay for this global crisis for further strengthening their IT infrastructure? With the amount of data in terms of health information, travel history, and other employee’s personal information reaching humungous proportions, what measures should enterprises undertake to handle the massive bout of data?
Although there are many apprehensions in the current scenario, one thing is quite clear – having a secure data privacy framework in place can aid enterprises around the world to reduce the burden of ensuring data privacy hugely on their internal infrastructure.