As the world enters the second wave of COVID, there is a growing risk that the erosion of personal privacy will become another casualty of the pandemic.
Worldwide we have seen governments harness data collected from mobile phones, thermal imaging cameras, drones and facial recognition software to identify at-risk individuals and track their location, movements and other data points, including body temperature. Shelter-in-place orders have forced many families to replace traditional offline activities with online alternatives, leading to the disclosure of personal information and the creation of new digital records that would otherwise not have existed. Voluntary self-disclosure on social media platforms has also increased, resulting in private information that was not typically recorded being captured and stored electronically. More worryingly, forced or late adopters of online tools, such as the elderly, disabled, and lower-income households, often lack the knowledge or support to adequately understand the privacy risks inherent in those activities. The risk of exposing sensitive data has also increased as organisations have shifted rapidly to remote working, with employees accessing and transmitting data in locations that may be less secure, accessing corporate data via personal devices and across networks and platforms that may be more vulnerable.
Privacy rights, once relinquished, are rarely regained. Principles of transparency and proportionality are critical during these times and should apply to any organisation using individual personal data to address COVID-related problems. Organisations must be proactive by designing privacy into any technology solutions, with particular care to implement strong privacy protections that safeguard the vulnerable. A good example of this approach is the “exposure notification” tool recently developed jointly by Apple and Google. The two rivals worked together to build an app that uses Bluetooth technology to provide an alert to a user that he or she has been in close proximity to or in contact with someone who had been exposed to the virus. Importantly, the tool was designed so that the data would only stay on the recipient’s phone for 14 days and would then disappear. The tech giants also ensured that the tool would not mark the location where the contact occurred and that the data would not be available to employers, insurers, governments or health authorities.
Data Protection Rights and Obligations
For most European-style data protection regimes, personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual. Personal data holdings should not be excessive in relation to the purposes for which the data was collected and should be securely purged once those purposes have been fulfilled. If personal data are processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so which has been notified to the affected individual.
Data protection laws generally give individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Data retention periods vary, but each data controller must determine for how long data should be kept and ascertain how they might be securely deleted once the purposes for holding the data have been satisfied. In this case, the period will itself vary from a short timescale (i.e. a restaurant collecting a list of diners for “track and trace”) to a longer one (a government assessing infection trends and cases).
Where personal data holdings are shared between parties, contractual or other provisions should be put in place between the data controller and the third party processor to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that incident response plans are in place in the event of a data breach. Use of subcontractors by the service provider without the prior approval of the data controller should be prohibited, particularly where international transfers of data are involved.
Getting the Balance Right
As organisations plan for the new normal, there remains concern among both employers and employees about safety in the workplace. If employers can effectively compel employees to have temperatures monitored or to wear masks, could they also compel them to use apps which provide an early warning of symptoms and indicate the potential to be infectious? For the employer, it is a fine balance between the duty of care for the workforce as a whole, and the duty of care for the individual worker.
Other workplace confrontations may be brewing as well, as employers consider implementing other technologies, such as artificial intelligence, to enforce social distancing and safe work environments. Just as technology can be used to help workers do their jobs remotely, it can also be used to determine whether those same employees are actually working when they are no longer in the office. The news that an online beauty product fulfilment business had been tracking its workers’ hours, keystrokes and mouse movements, and viewing screenshots to see what was being done, has been met with a significant backlash, for example. As a result, “mission creep” and misuse of data are likely to become an increasing concern.
To ensure the protection of personal data and build trust, organisations need to focus on the following:
- Ensure there’s a clear legal basis for the collection of personal data
Individuals need to understand how their data will be managed, secured, used and deleted when it’s no longer required. Organisations should review and consider their privacy policies to ensure relevance and that they match the activities being carried out. These notices should disclose why the information is being collected, what the organisation will do with it, how long they’ll retain it, when it might be shared with a third party – particularly where that is a government or health agency – and who data subjects can contact if they have any questions.
- Privacy by design
It’s much easier and safer to design privacy into new technology than it is to bolt it on as an afterthought. Crucially, this is also central to many global privacy laws, including the GDPR. Organisations will need to take a similar approach with any new technologies they deploy and underpin those deployments with privacy impact assessments to help demonstrate compliance.
- Be proportionate
Is the information being gathered necessary and proportionate? Personal information should only be shared with those who actually need to access it. For example, if an organisation needs to inform employees or customers about potential exposure to someone who tested positive for COVID-19, then they must only share the information necessary for people to assess their risk. Where possible, organisations should consider adopting pseudonymised or anonymised data sets to reduce the chance of re-identification.
- Train staff
Not only should the business identify the risks, but it should make sure that staff are also aware of them and how to handle data appropriately. A (now former) employee of a London bus tour company recently lost their job after using track and trace contact details to attempt to befriend one of the customers. Not only was it a misuse of the customer’s personal data, but it undoubtedly caused the individual some anxiety. These issues have a real personal impact.
What is clear is that the future of privacy requires a concerted effort to balance appropriate crisis responses with the need to keep personal privacy intact. Faced with constantly changing guidance and opportunities to embrace new technologies, it will be vital for organisations to make decisions through a dynamic, data-driven approach. Given the lack of inter-governmental consensus as to how to handle the pandemic, we cannot expect a unified approach to the data issues arising. Awareness of the local requirements and options is therefore vital.
Appleby has recently launched its Offshore Data Protection Guide. The guide provides a detailed overview of the data protection and cyber security regimes in eight of the world’s leading offshore jurisdictions. As the first dedicated offshore data protection publication, the guide provides quick linked answers to some of the most business-critical issues.
Security Evolution in the New Normal
During the pandemic there has been a huge increase in organisations falling foul of Ransomware. The question could be asked, “Was this due to Covid-19?” Even before the outbreak, 2020 was predicted to see an increase in Ransomware so it is likely that some increase would have occurred without the pandemic. However, it seems that a loosening of security controls to allow staff to work from home quickly contributed to the uptick. Some businesses quickly implemented internet-exposed solutions without sufficient thought to proper security. Some of these may have been used by criminals or state threat actors to gain a foothold on an organisation’s internal network.
As we move into the “new normal” we will see more people opting to work from home in the longer term (either because they have realised it is possible to work effectively from home or because of the social distancing requirements in the office space). As a result of the new working practices, it is critical that companies assess the risks and implement pragmatic, risk-based controls to maintain the same security levels whether in or out of the office. Companies should already have comprehensive monitoring for computers on the corporate network, but more computers are now off the network, which means that some of that monitoring is no longer effective. Businesses need to look at ways to protect and monitor computers for malicious activity wherever they are, to protect both the organisation and the user.
Information Security must adapt to this new way of working and ensure that it has appropriate controls to protect the key resources, including people, systems and information, while at the same time ensuring that the business operates efficiently and effectively. By working closely with the organisation and staff, the aim should be to end up with a “Security Bubble” which extends outside of the environment and encompasses people and computers while they are at home.
Appleby is ISO/IEC 27001 certified and our highly respected information security team works closely with the partners, global management and staff of the firm to maintain our own Security Bubble. We encourage all of our clients and contacts to give serious consideration to these issues as we continue to adjust to a rapidly changing working world.