We are being challenged by an escalating public health crisis that is having a devastating personal, social and economic impact across the world. Impassioned appeals are being made asking people to stay home, supported by strict restrictions on movement to help slow the spread of COVID-19.
While extraordinary measures are being taken to try and curtail not only the pandemic but an impending economic crisis, we’re also being challenged to decipher what activity and behaviour is appropriate and acceptable given the crisis that we face. Our frames of references are shifting and one area that is being impacted is privacy.
Working with increasing urgency, experts around the world are investigating ways to tackle COVID-19 and data is one of the tools that is being called on to help. By pooling data across borders and healthcare organisations, greater insight may be gleamed to help inform how to act. From sharing clinical data to the tracking of mobile phones to review population movement and ensure quarantine restrictions are being followed, public health needs are unintentionally coming up against personal data privacy. The question that we are faced with is, what are we willing to give up to fight COVID-19 and will those protections be restored after the crisis?
The Global Privacy Assembly (GPA) in a statement said that is “confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects.”
Each country has taken different approaches, guided by their existing laws and in context of the COVID-19 threat in their countries, but surveillance tracking has been common and worrying theme for privacy advocates.
In China, licence plate and facial recognition technology as well as smart phone codes letting people know where they can and can’t go have been used. Singapore launched the Trace Together app, an opt in service that uses short distance Bluetooth signals to help identify people who may have crossed paths with a diagnosed corona virus patient. South Korea has used a combination of credit and debit card transactions, GPS phone data and a comprehensive CCTV network to determine patients’ movements to identify hotspots and has made this information available to everyone. While in Australia, the Government is still investigating digital methods to support COVID-19 and has launched an app and WhatsApp message service that allows individuals to register their self-isolation but it doesn’t include any contact tracing functionality.
In Europe, temporary emergency provision rules in the General Data Protection Regulation (GDPR), the legislation that protects personal data, has been adopted by countries to broaden access to data. These temporary rules remove restrictions to sensitive health and personal information when processing is necessary for reasons of substantial public interest in the area of public health and has been enacted in a variety of ways across European states. The European Data Protection Board has also confirmed that in principle, telecom data such as location data can only be used by the operator when made anonymous or with the consent of individuals, however when this is not possible, Member States are able to introduce legislative measures to safeguard public security.
While all countries have deemed these actions necessary to stop the outbreak, the potential for exposure of personal information is high. Jung Won Sonn, Associate Professor in Urban Economic Development, UCL in an article penned for The Conversation highlights that Governments are having to choose between two type of violations of individuals, that is information exposure obtained via surveillance and movement restriction. He points out that tolerance for surveillance and the means to do it is not created overnight and why movement restriction has been the alternative path chosen by some countries. South Korea has been able to use information exposure to create trust, but only because the people of South Korea already have a certain level of tolerance for surveillance, as well the country having an existing infrastructure to surveil.
How do we press play on privacy again after COVID-19?
Many of us would likely give up a lot to make sure our loved ones stay safe and we all want to do our bit to help end this crisis, but what happens when it ends? Can we be sure temporary measures that compromised privacy are reversed, or that data collected is deleted?
Sensitive data that has been collected through the pandemic will still be governed by data protection regulations such as GDPR and in particular articles like the right to erasure (‘right to be forgotten’) where data subjects can request that their data is deleted. These regulations apply to data whether collected by government or by organisations that have aided governments in pandemic control efforts.
A key responsibility of guaranteeing data privacy is data security. With the pandemic a catalyst for amassing large amounts of sensitive personal information, keeping data safe is paramount. While in some cases data will no longer be necessary to store and should be deleted in line with regulation requirements, in other cases these data may provide valuable insights for future public health challenges. To ensure we can ‘press play’ on privacy again, there will be a crucial role for privacy preserving technologies to keep data safe. These emerging technologies are harnessing advances like homomorphic encryption and secure multi-party computation, that mean data stays encrypted, so data sets can stay private and personal information protected at all times even when being analysed. These measures help provide an additional level of confidence that data can stay secure.
While we remain focussed on fighting this pandemic and concentrating our resources on the critical measures needed today, it’s important that decisions relating to privacy are also considered in context of a post-COVID-19 world. Our privacy legislators are confident that the COVID-19 fight can happen alongside privacy, but central to achieving that is transparency of process and an openness for ongoing conversation as this situation evolves.