During any time of unrest, scammers are quick to exploit individuals and companies. Now, at a time when we’re all understandably vigilant about the news, malicious actors are ramping up phishing scams, malware and ransomware attacks that take advantage of people seeking breaking news, relief and information. The coronavirus outbreak is also the first time the GDPR is being tested against a wide-scale health crisis.

The European Data Protection Board recently issued a statement on the importance of protecting personal data in the fight against COVID-19 and flagged specific articles of the GDPR that provide the legal grounds for processing personal data in the context of epidemics. Article 9, for instance, allows the processing of personal data for reasons of public interest in the area of public health, provided such processing is proportionate to the aim pursued, respects the essence of the right to data protection and safeguards the rights and freedoms of the data subject. This does not mean that companies or governments can simply collect all forms of personal data in the name of public health.

Debates have recently been sparked by the flurry of apps that have been developed to help track and reduce the development of the virus. It could be the basis for a Hollywood apocalyptic thriller: digital barcodes on mobile apps highlighting the health status of individuals, drones harassing individuals who don’t wear face masks, text messages announcing the whereabouts of the latest infected individual. This tsunami of information has the potential to elevate public hysteria and cause significant personal harm.

An infected New York lawyer had enough personal information released about him that his identity was made public, resulting in him and his family receiving numerous death threats. In South Korea, where personal details including gender, age and location history are broadcast widely, restaurant owners are being blackmailed by individuals threatening to falsely link their infection with the establishment. In Poland, a quarantine application requires people to take geo-located selfies of themselves within 20 minutes of receiving the text or risk the police visiting their homes.

These developments underscore the criticality of privacy safeguards to ensuring and maintaining public trust. Without trust, citizens will be less likely to cooperate with government efforts for testing, social distancing and other measures to stem the disease. While some countries have passed emergency legislation to enable local authorities to act swiftly in containment efforts, corporations still need to bear in mind basic privacy principles.

Location information is critical to helping track the spread of the virus. However, if it is to be used, strict policies must be implemented to ensure that the individual has consented to such uses, that data sharing is minimized, and that sensitive health information is deleted as soon as it is no longer required. When data is anonymized, measures must be put into place to prevent re-identification. For example, Germany’s Deutsche Telekom is providing anonymised swarm data which helps to reduce crowds, whilst ensuring that the data cannot be used to surveil individuals.

Corporations face similar challenges when collecting information on individuals in order to protect the health and well-being of their staff and customers. Employers will need to consider specific privacy obligations for each jurisdiction, ensuring full transparency about what data they are acquiring, from where, and how they are using that data.

Data analytics also plays an important role in the fight against the disease. Predictive analytics, for instance, might be able to forecast the spread of the disease to more effectively service vulnerable groups and optimise limited resources. Regardless of its potential for good, any application or use of personal data must come with clear provisions to decommission and defensibly delete personal data when it is no longer needed.

Digital participation is more important now than ever, as is strong data hygiene. Governments and corporations alike must be pragmatic in how they approach sharing and managing data. This is not a carte blanche to disregard privacy legislation. Likewise, fear should not blind us to the risks of poor data hygiene or personal data protection. Protecting the privacy of personal data is not only critical to being compliant with the law; it might just make the difference between life and death.

The views expressed in this article are those of the author and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.