Serious Privacy Podcast: Tech Talk – Innovation during COVID-19

The times of Corona are far from behind us, so this week on Serious Privacy, we discussed a medical topic: what is the relationship between technological innovation and pharma? How can they work together to facilitate new ways of working? And why do innovation and quick thinking really count in a pandemic like we have now? Listen to the new episode now.

Companies that were global in nature and already using virtual practices had to quickly reconsider the tools and partnerships they had in place. In addition, companies strengthened relationships with clients using tech, but are letting clients dictate their critical needs.

“Healthcare professionals are getting more quality information at the time they want, at the place they want, in the way they want.”

Listen to hear Ashley Slavik of Veeva and Jennifer Couture of Alexion discuss the innovation they have seen over the past month – everything from how tech helps companies enhance their business activities to working with colleagues in new ways. Ashley discusses how Europe thanks healthcare workers and Jennifer shares how water cooler conversations can still happen. In this episode of Serious Privacy, we bring profound insights and tricks to make every day better.

If you’re interested in learning more about how COVID-19 has affected privacy, listen to Serious Privacy’s two-part series on COVID-19, where we talk about the virus with a number of guests, discussing employee privacy, the collection of health data and the latest regulator guidance. Listen to part 1 and part 2 here.

Stay informed of COVID-19 updates and how it relates to data privacy with special resources and guidance provided through Research & Alerts – a solution designed to provide complete and instant insight into privacy compliance with global regulatory updates. Contact TrustArc today to see if you qualify for free access to Research & Alerts.

Webinar Recap – US Quarterly Privacy Update: Consumer Privacy Law

As part of the TrustArc Privacy Insight Series, TrustArc Associate General Counsel – Privacy Intelligence K Royal, and TrustArc Privacy Legal Specialist Christina Fratschko presented the webinar “US Quarterly Privacy Update: Consumer Privacy Law” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

In this quarterly session, the panelists provided:

  • An overview of updates to Consumer Privacy Law for each of the states, including which legislatures have killed their bills due to substantive issues or slated them for further study. Also discussed were commonalities between bills among states with regard to rights to access, correct and delete personal information, and the right to opt out of the sale of personal information.
  • A review of three federal bills proposing consumer rights: 1) United States House of Representatives Draft Law Discussion Bill – new safeguards around how companies can collect and use identifiable consumer data, 2) Consumer Online Privacy Rights Act (“COPRA”) – entities subject to the U.S. Federal Trade Commission jurisdiction must comply with individual rights, and 3) Consumer Data and Security Act – establishing a clear federal standard for data privacy protection, giving businesses a uniform standard rather than a patchwork of confusing state laws.
  • What employers and educational institutions need to know during this growing pandemic of the novel coronavirus around the world. The panelists recapped several pieces of guidance issued by regulatory authorities. The Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act (“HIPAA”), published an advisory regarding Telehealth in which healthcare providers can communicate with patients and provide Telehealth services through communication technologies. The U.S. Department of Education issued guidance on how and when educational institutions may share student personal information if a student has COVID-19. In addition, the U.S. Equal Employment Opportunity Commission published some guidance on how employers can handle information about a COVID-19 case among their employees and protect their employees from COVID-19.

Watch this on-demand webinar to stay up-to-date on consumer privacy laws in the US. TrustArc also has a robust library of on-demand webinars available here.

Join us for the next webinar in the Privacy Insight Series: “COVID-19 – What are the Potential Impacts on Data Privacy?” with TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall on 4/8 at 9am PT. Register for the webinar here.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

TrustArc Recognized as a Leader: Privacy Management Software, Q1 2020

We are excited to announce that TrustArc has been recognized as a Leader by Forrester Research in the Forrester Wave™: Privacy Management Software, Q1 2020! 

According to Forrester, TrustArc’s “Market-leading privacy expertise permeates the product offering and in turn, creates a strong business vision and direction.” Forrester also noted that “leading-edge technology powers the TrustArc Privacy Platform,” which, “offers a customer onboarding experience that delivers highly relevant, customized, and actionable content.” 

Forrester evaluated TrustArc’s Privacy Management Platform along with the offerings of 14 other vendors on over 25 different criteria in three groups: current offering, strategy, and market presence. TrustArc received the highest possible score in 12 criteria including the breadth of software, product strategy, vision, content, planned enhancements, market approach, innovation roadmap, and more. 

The TrustArc Privacy Platform helps enterprises design and build privacy programs, assess and remediate risks, and manage ongoing privacy compliance. Recent platform extensions include automated solutions and partner integrations to further help companies manage privacy, including a first-of-its-kind automated Risk Profile and Privacy Profile.

We believe our placement highlights our success developing holistic solutions infused with privacy intelligence for creating ongoing scalable compliance and data protection programs. We thank our customers who provide innovative feedback and utilize our products to drive success in their businesses daily.

Download a free copy of the Forrester Wave™: Privacy Management Software, Q1 2020 ($2,995 value), here.  

Serious Privacy Podcast – “Sharenting”

Sharenting – parents sharing kids’ information – should we care? Should they care? On this week’s episode of Serious Privacy, K Royal and Paul Breitbarth talk with Prof. Dr. Mariea Hoy, DeForrest Jackson Professor at University of Tennessee, and Dr. Alexa K Fox, Assistant Professor of Marketing at The University of Akron, on their recent publication, “Smart Devices, Smart Decisions? Implications of Parents’ Sharenting for Children’s Online Privacy,” in Journal of Public Policy & Marketing. This research explored how parents, specifically mothers, post about their children on social media and how they share their children’s personally identifiable information (PII) in a marketing context. 

In the past, sharing photos of your children was familiar but controlled: you pull out the hard copy photo of your child from your wallet, hand it to your coworker who gushes over how adorable your child looks in their school picture. “I can’t believe how much they’ve grown!” the coworker says, as they naturally hand the hard copy photo back to you, and you safely tuck it back into your wallet. The internet changed the ways in which we share information about our children. But are we putting children at risk by oversharing?

This episode of Serious Privacy explores the ramifications of “sharenting” as privacy concerns continue to grow and the brand to consumer relationship blurs. Stream the new episode here. Serious Privacy can be found on all major podcast players (Apple Podcasts, Spotify, Stitcher, etc.). Subscribe and review today! 

If you cannot access the article via the link provided, please contact the researchers directly. They indicated they would be happy to provide you with a copy.

Managing Employee Privacy in the Face of COVID-19

Suddenly, the world came to an almost complete standstill. What few expected to happen in these modern times of continuous global travel and interconnectedness, did happen after all. COVID-19, or the Coronavirus, has caused governments to close national borders, issue ‘shelter at home’ warnings, and cancel public and private group gatherings and events. Many companies have adopted policies and remote work practices requiring or allowing their employees to work from home in situations where their responsibilities can be managed off-premise. 

At TrustArc, we receive a lot of questions about the privacy implications of the COVID-19 pandemic. What are employers allowed to do to control the spread and mitigate the effects of the virus, and what additional data can they process about their employees? How do employers ensure good data protection and governance practices for employees working from home? In this blog, we address the most common challenges organizations currently face.

Health Data on the Work Floor 

Even in times of crisis (perhaps particularly in times of crisis), the law still applies. This is the case for labour laws, for medical legislation, and also for privacy and data protection laws. Safeguards cannot just be thrown out of the window. That said, in many jurisdictions, the law permits organizations to process additional data to assist public health efforts by keeping employees safe and healthy, provided that certain safeguards and requirements are met. 

Guidance from the Regulators

One frequently asked question by both governments and employers relates to the collection and use of medical data, like body temperature. Earlier this week, the Executive Committee of the Global Privacy Assembly (GPA), a worldwide consortium of privacy and data protection regulators, released a statement on this issue:

“We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”

The GPA also published a special webpage where guidance from national regulators and other authorities on how to deal with COVID-19 related data issues is posted. This guidance is not limited to specific regions or regulators but rather covers GPA members worldwide. 

What Employers Should Know

Even though we recommend you review the specific guidance available for the country where your organization operates, there are a few general rules that can be deduced from the regulator guidance on COVID-19. 

  • A distinction needs to be made between data that governments can collect and use and data that private entities can collect and use and the permitted legal basis for each. Governments in general will have more room to maneuver when processing personal data in the public interest (e.g. to safeguard public health) or even to process personal data in the vital interest of an individual. Under the GDPR and various other laws, these are identified explicitly as grounds to process personal data. For private entities, collection and use of personal data in the public interest can also be possible, but there needs to be a clear, direct and demonstrable link with the public interest. 
  • When processing medical and other health data, which includes noting if employees have been diagnosed as infected by or show symptoms of COVID-19, organizations should show restraint in only processing the minimum personal data necessary to carry out their obligations related to safety of the workforce, customers, and the public. In general, data protection and labour laws restrict the amount of detail on employee illnesses that can be registered by employers. When it is necessary and proportional (i.e. if there is no other option but to collect data on (suspicion of) COVID-19 infections in the workplace), as a best practice, data minimization and confidentiality must be respected. This means that as little information as possible should be collected and that this information should only be accessible to specific persons (not departments or groups) with a legitimate need to know it. For example, identifying victims of COVID-19 by name generally should not be allowed. Companies should also show restraint when processing data from visitors to their premises. There might be a good reason to measure the temperature of a visitor before allowing access, but that doesn’t mean the temperature reading or data related to whose temperature was read should be retained following the decision to provide access or not. In many jurisdictions, the processing of medical or other health data may require an organization to complete a privacy or data protection impact assessment and implement additional procedural safeguards and security controls.
  • Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process for which reasons. Under almost all data protection regulations around the world, the transparency requirement is a key principle. Information should be accessible, easy to understand and include the reasons why (additional) data needs to be processed.

Working from Home 

For many organizations, the Coronavirus crisis is the first time they will allow large groups of employees to work from home. In addition to impacting IT resources, it also requires organizations to consider a renewed approach to their data use and data protection practices. Even for organizations where employees are used to working from home, it is advisable to review and, where relevant, revise policies and procedures to ensure that personal data will remain secure at all times. This review should also include an assessment of the organizational, physical and technical risks involved in working from home and accessing systems and data remotely and the security measures that may be advisable, such as using secure Wifi networks and company-authorized VPNs. Though there may not be an alternative to working from home, conducting a privacy or data protection impact assessment of the working from home processing may help identify the risks to the rights and freedoms of your employees, customers and business partners. It also allows you to identify mitigation steps that your workers at home can implement, like the implementation of certain technical and organizational measures.

We have created two top-10 lists with recommendations for both employers and employees on what to take into consideration when employees are working from home. Download the following tips:
