The surreal images of empty streets and planes being turned around mid-air because of COVID-19 casts a dystopian shadow across the world.
Amidst this confusion and worry, scientists are advising governments on best practices in managing the pandemic. This takes data, and lots of it, including sensitive health data; this is essential to feed the models to give us insight into disease transmission and effective management tactics.
During times of emergency, like the current COVID-19, aka Coronavirus, outbreak is it ‘fair enough’ to remove the barriers we have built around data privacy?
Privacy: Lost, Found, Lost Again?
The words from a Joni Mitchell song, “you don’t know what you’ve got till it’s gone”, reverberate with privacy professionals the world over. The work to build awareness of privacy has been long and arduous.
Privacy is delicately balanced against the rights of the individual and the needs of commerce and government.
Organizations, including professional bodies such as the International Association of Privacy Professionals (IAPP) and focus groups like Electronic Privacy Information Centre (EPIC) have been working for many years in education on privacy matters.
Out of this research, careful thought, and, quite honestly, privacy violations by tech giants, has come certain truths:
Individuals have a right to privacy. Privacy, as a concept, is not a new idea. Going back through time, spatial privacy, the right to a private life, and even the idea of ‘group privacy’ has existed. As humans moved into an online data realm, this concept moved with us.
Privacy is a good thing for business. Intrinsic in the development of relationships is trust. Trust is something that is built over time by demonstrating that a relationship is trustworthy.
Respect for individual privacy is a demonstrable way to prove trust. As research by PwC shows, 88 percent of consumers decide on their degree of willingness to share personal data is based on how much they trust a company.
Privacy is a two-way street; you scratch my back and I’ll scratch yours. It has taken a long time for privacy to become normalized as something that is important.
Perhaps one of the reasons why it has taken so long is that privacy and security are often seen as the same thing. Whilst they are intrinsically linked, you need robust security to enable certain aspects of privacy, they are not the same.
It has been major privacy-related events that have tipped the ideology of privacy over from the world of academics to the general public. Privacy violations by Google, for example, have been well-known for many years.
Back in 2004, a letter collated by Privacy Rights Clearing House (PRC) was published asking for the newly released Gmail service to be stopped. The concern being that Gmail was surreptitiously scanning email messages for keywords and phrases to use in targeting ads.
16 years and many privacy violations later and we have legislation such as the EU’s GDPR which uses consent as a legal basis for privacy and allows for large fines to be issued to companies that flaunt the rules.
Which brings us to the unprecedented place we find ourselves in today. Does there need to be a relaxation of privacy rights during emergencies like COVID-19, and if so, how can we ensure our privacy rights once an emergency is over?
What’s Happening Regards Data Privacy and COVID-19
COVID-19 has already started to have an impact on privacy, especially with regard to dealing with sick leave and employee data. The situation re COVID-19, of course, also means that health data is often also linked to travel data of the individual in question.
Spain: The Spanish AEPD has stated in a report on data processing (link in Spanish) that during the COVID-19 pandemic: "data protection should not be used to hinder or limit the effectiveness of the measures taken by the authorities".
The AEPD is using Recital 46 of the GDPR which states that: “The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.”
Norway: Datatilsynet (Norwegian Supervisory Authority (SA)) has deemed data collected from certain individuals, for example, those in quarantine, should not be classified as health data to avoid special data categorization.
The Norwegian SA has attempted to create some privacy for employees who are required to report their circumstances to employers.
Denmark: Has implemented a similar approach to employee data that describes their status regards COVID-19. The Danish SA, however, imposes a strict criterion of justification of data sharing and minimization of data in these circumstances.
Italy: The Italian SA, Garante, whilst facilitating the communication between an employee and employer about the reason for sickness, has put in place restrictions and state that there will be “No do-it-yourself (DIY) data collection”
So far, certainly, in many parts of the world, data collection has remained pragmatic, what we need to keep in mind is, but what if…
What Can Happen If…
COVID-19 or the Coronavirus, has the potential to set a precedent around the relaxation of privacy. The pandemic requires a lot of data to be shared for management of the virus and general business needs.
These data are not just sensitive health data, there is also, tied up in the whole package of the individual the data describes, location data, work practices, even behavioral data. What happens if these data are not protected?
I always like to look back at history as it provides a lens on human behavior. This is especially useful for determining worst case scenarios under conditions such as conflict or emergencies. What happens if, is a useful way to model the misuse and privacy violations that can happen to data in our modern, digital world.
In Nazi German, for example, the Gestapo would use the general public to root out political opponents; The case of the pastor, Paul Schneider, who was reported 12 times for anti-Nazi messages during sermons, and who was finally murdered in 1939, is an example.
The Enabling Act of 1933 which conveyed wide-ranging measures of control over the population was enacted. This included the abolishment of the confidentiality of personal letters and telecommunications.
In East Germany, the Stasi implemented mass public surveillance, including the use of informers. I have listened to the personal tale of a friend from East Germany describing how her father informed on her mother about her wishes to escape to the west. More recently, we have seen similar use of informers in Venezuela.
In the world of digital data, we have seen what happens when privacy is ignored. The Facebook/Cambridge Analytica debacle where data was shared for political purposes is a case in point.
But so, what? If you have nothing to hide you shouldn’t be afraid? Surely, sharing data for the sake of humankind’s health and safety should be welcomed?
Whilst we do need to ensure that scientists have enough data to create accurate predictions, we need to do so in a privacy-respectful manner using appropriate technologies, like anonymization/pseudonymization and/or data minimization.
It may well be too late to enforce this in some cases, but as the pandemic continues, awareness of privacy should not be forgotten.
A Small Case Study in the UK
In the UK, there are a lot of local groups appearing to coordinate volunteers to help out people who are in lockdown. This is amazing and gives me faith in humankind. However, to volunteer, you need to give some personal details. I have seen two types of forms:
Form One:
Required a full gamut of data including name, address, email address, date of birth, telephone number.
No consent to share was offered.
Form Two:
Required a more minimal amount of data: email address, telephone number, and name.
An opt-in consent to share was offered with a warning that data would be shared with third parties:
Both forms represent the same end task. One collected the bare minimum data to take the project to the next step. The other collected a larger data set which would require more work to protect.
I realize that in a situation like this groups will have varying levels of understanding of the sanctity of data privacy; however, this is why education on the matter and understanding that privacy counts is important, even during a pandemic.
It took a long time to reach the privacy tipping point. If we just accept a loss of privacy for our health, let that be a temporary thing and not a choice between privacy and health.