By Damayanthi Jakubowski (Privacy Consultant and Owner of Privacy101.org)
COVID-19, a novel Coronavirus Disease, has shaken the world to its core. In a matter of weeks, the issue of health has become everyone’s priority, pushing many other essentials to the side. To quickly help curtail the spread of the virus, various mobile technologies are being used by the governments of several countries. Perhaps because of the sense of urgency, the issue of privacy does not always seem to be at the forefront of everyone involved. However, especially in times of crisis, it is of the utmost importance to not abandon our civil liberties. Protecting our privacy should remain a focus for everyone.
Several governments around the world have started using individuals’ geolocation data, gathered from local telecommunications providers and from companies such as Google and Facebook, to identify how population groups move within a certain region. This data can provide essential information, especially for checking whether population groups are obeying a stay-at-home order. However, although an individual’s name, address, and other identifying information is generally stripped from the datasets that telecommunications providers hand over, removing names is not the same as anonymizing the data: without additional privacy protections, it has been shown that individuals can be re-identified from such datasets with relative ease, because a handful of time-and-place points is usually enough to single out one person. (1)
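To make the re-identification point concrete, here is an added example (not code from the article or from the papers it cites). It uses a constructed toy dataset of six pseudonymous mobility traces, each a list of (hour of day, cell-tower ID) points with the subscriber’s name replaced by a random-looking token, plus a constructed cell-to-region map. The pseudonyms, cell IDs and regions are all invented for illustration. It shows how an outsider who knows only a few time-and-place facts about someone can link them to one trace, and that generalising the data (coarser time buckets and regions) shrinks, but does not eliminate, the set of uniquely identifiable users.

```python
"""Re-identifying 'anonymized' location traces by linking a few known points.

Added example. All data below is constructed: six pseudonymous traces of
(hour_of_day, cell_tower_id) points with names stripped, standing in for a
telecom mobility dataset that a government might receive.
"""
from fractions import Fraction

# Constructed sample dataset: pseudonym -> chronological (hour, cell) points.
TRACES = {
    "a91f": [(7, "C12"), (9, "C40"), (13, "C40"), (18, "C12"), (21, "C12")],
    "c07e": [(7, "C12"), (9, "C41"), (12, "C88"), (18, "C12"), (22, "C05")],
    "3bd2": [(8, "C30"), (9, "C40"), (13, "C40"), (19, "C30"), (21, "C30")],
    "e5a0": [(7, "C12"), (9, "C40"), (13, "C07"), (18, "C12"), (21, "C12")],
    "7f13": [(7, "C12"), (9, "C40"), (13, "C40"), (18, "C12"), (21, "C15")],
    "b264": [(7, "C55"), (9, "C40"), (13, "C40"), (18, "C55"), (21, "C55")],
}

# Constructed coarsening map: individual cells -> neighbourhood-sized regions.
REGION_OF = {
    "C12": "R1", "C15": "R1", "C05": "R1", "C07": "R1",
    "C40": "R2", "C41": "R2", "C88": "R2",
    "C30": "R3", "C55": "R3",
}


def match(traces, observations):
    """Pseudonyms whose trace contains every observed (time, place) point.

    `observations` is what an attacker knows from outside the dataset, e.g.
    a time-stamped photo, a badge swipe, or a card receipt.
    """
    wanted = set(observations)
    return sorted(pid for pid, pts in traces.items() if wanted <= set(pts))


def points_to_identify(traces, pid):
    """Smallest k such that the first k points of pid's trace match only pid.

    Returns None if even the full trace is still shared with someone else.
    """
    pts = traces[pid]
    for k in range(1, len(pts) + 1):
        if match(traces, pts[:k]) == [pid]:
            return k
    return None


def fraction_unique(traces, k):
    """Share of users pinned down by the first k points of their own trace
    (a simple 'unicity' measure of how identifying the dataset is)."""
    unique = sum(1 for pid, pts in traces.items() if match(traces, pts[:k]) == [pid])
    return Fraction(unique, len(traces))


def coarsen(traces, region_of, bucket_hours=6):
    """Generalise every point to (time bucket, region), the usual first
    mitigation. Compare fraction_unique before and after to see how much
    it actually buys."""
    return {
        pid: [(hour // bucket_hours, region_of[cell]) for hour, cell in pts]
        for pid, pts in traces.items()
    }


if __name__ == "__main__":
    # An outsider knows only that the target was in cell C41 around 09:00.
    print(match(TRACES, [(9, "C41")]))
    for pid in TRACES:
        print(pid, "identified after", points_to_identify(TRACES, pid), "points")
    coarse = coarsen(TRACES, REGION_OF)
    for k in (1, 2, 3, 5):
        print(f"k={k}: {fraction_unique(TRACES, k)} unique (raw), "
              f"{fraction_unique(coarse, k)} unique (coarsened)")
```

In the raw data a single observation already singles out two of the six users, and every user is unique once five points are known. After coarsening to six-hour buckets and three regions, five of the six users become indistinguishable from at least one other, but one is still unique, which is why generalisation alone is not an anonymization guarantee and why the “additional privacy protections” mentioned above (aggregation thresholds, noise, or not releasing trajectories at all) matter.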
Governments soon came up with other ideas for monitoring COVID-19 and those affected by it. The Chinese government introduced a “health code” app through which users enter their symptoms and which then displays a red, yellow, or green code. A red code indicates that the individual has a high chance of being infected with COVID-19 and will have to be quarantined for 14 days. Germany launched the Corona Datenspende app, which automatically monitors certain signals linked to COVID-19. The user connects a fitness tracker or smartwatch such as a Fitbit or an Apple Watch to the app, which then collects pulse rate, ECG data, stress level, temperature, blood pressure, weight, height, gender, and age. It provides this data to the German government with the name removed but with the user’s zip code attached; zip code combined with age, gender, height and weight is exactly the kind of quasi-identifier that makes “anonymized” records linkable back to a person.
Germany’s neighbor, the Netherlands, is in the process of creating two separate apps. One app will show whether the user was near another individual infected with COVID-19, and through the other app the user will be able to connect easily with his or her doctor to receive COVID-19 related treatment information. Across the ocean, in the United States, Google and Apple announced a joint, Bluetooth-based exposure notification technology built into iOS and Android, so that apps run by public health authorities can alert users who were near someone who later tests positive.
When implementing new mobile technologies to fight the COVID-19 pandemic, it is essential that governments take their own privacy laws into consideration to help protect their citizens’ privacy. As of this writing, however, China has no comprehensive privacy law and regulates data through its cybersecurity law instead. While a cybersecurity law helps protect health data against unauthorized access, it does not necessarily protect the privacy of the individuals whose data are being collected, that is, limit what the collecting party may do with it. Those in Europe, on the other hand, benefit from the recent implementation of the General Data Protection Regulation (GDPR), which provides them with comprehensive and thorough data protections. In the U.S., while the Health Insurance Portability and Accountability Act (HIPAA) provides privacy protections for certain health data, there are some important exceptions to the HIPAA Privacy Rule which permit the limited sharing of protected health information for “the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions,” among other reasons (45 CFR 164.512(b)(1)(i)).
Whether or not a privacy law is in place, governments and organizations should ask themselves some important questions to ensure they are protecting individuals’ privacy at all times: What personal (health) data is actually necessary to collect when fighting COVID-19? Will we use a central database to store data, and who will have access to it? How long will we keep the data, and how exactly will we delete it? Is the use of mobile technologies really as secure as assumed? Will app use be mandatory, and if so, how will enforcement take place? What happens if minority groups are disproportionately affected by COVID-19, and how could the app negatively influence relations between people?
Individuals, on the other hand, will have to make their own privacy decisions before they decide to download an app: What if I have COVID-19 symptoms but do not have the actual virus, do I still want to be tracked? Could my health data ever be used against me? What control measures do I have over the data that is being collected? Can I withdraw consent or delete the data myself?
Previous crises have shown that drastic threats can lead to drastic privacy-violating measures, and COVID-19 certainly is a threat the world has never experienced before. However, individuals, governments and organizational leaders now also have a unique opportunity to create a world in which safety, security and individual privacy go hand-in-hand. Asking ourselves the right privacy questions, before using mobile technologies during this COVID-19 crisis, should be an important first step.
(1) Xu, F., Zhang, P., Tu, Z., Fu, X., Li, Y., and Jin, D. (2017). Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data. arXiv:1702.06270 [cs.CY, cs.CR]. Retrieved from https://arxiv.org/abs/1702.06270; Narayanan, A., and Shmatikov, V. (2019). Robust de-anonymization of large sparse datasets: a decade later. Princeton University. Retrieved from https://www.cs.princeton.edu/~arvindn/publications/de-anonymization-retrospective.pdf
The next webinar in the TrustArc Privacy Insight Series “Data Breach Management – Requirements and Best Practice” is next Wednesday, September 19th at 9am PT / 12pm ET / 4pm GMT. Don’t miss this opportunity to learn more about data breach prevention – register today!
Investigations have begun after Dixons Carphone, a UK firm, reported the first major breach of the GDPR era, impacting up to 5.9 million card payments and 1.2 million customer records. It is safe to say that no company wants to find itself on the regulatory radar through an incident or breach.
Being proactive can spare your company from possible reputational damage and regulatory fines down the road. This webinar will review:
- Preventative steps you can take
- Guidance on building an incident response plan
- Comprehensive tools to automate and document these processes, ensuring you can meet the GDPR’s 72-hour breach notification window
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 15,000 privacy professionals registered for our events in 2017!
Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar!
The GDPR has gained a great deal of attention recently as consumers’ inboxes have been packed with emails from companies concerning their privacy policies. While some of these emails may require an action on the part of the consumer, Hilary noted that most of them simply outline the updates companies have made to their privacy policies as a result of the GDPR coming into effect.
On a more general level, Hilary explained that the new regulation requires a number of things: companies will need to ensure they are managing individual rights more broadly (Articles 15-22); companies will need to have much stronger protections in place for being transparent (Articles 5, 12); and they’ll need to inform people about their lawful basis for processing individuals’ data (Articles 13, 14).
So how does this affect companies and consumers in the US? Hilary noted that many of the US companies TrustArc helps are proactively expanding these protections to the US citizens they interact with, even though they are not required to do so under the GDPR. She also explained that it’s unlikely that we will see any large privacy regulations in the US like the GDPR, because of the way our government is structured. The US does not have a single regulator for privacy laws, but instead has sectoral laws, such as healthcare privacy laws, financial privacy laws, and state laws.
Many are asking whether the GDPR is harmful to retail businesses that rely heavily on advertising and marketing. The GDPR allows companies to be innovative in different ways. Businesses should be thinking of privacy as a business strategy instead of just a matter of privacy policies or practices. Hilary mentioned the benefits of businesses taking a Privacy by Design (Article 25) approach in the way they interact with customers, making privacy a part of business decision-making and part of technology offerings.
Have additional questions about the changes under GDPR? Schedule a demo of our GDPR Solutions.
15 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Yesterday, I shared the first lesson I’ve learned “Be a counselor” over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The second lesson I learned first caught me by surprise and then over time convinced me that the methods the business teams I was counseling were seeking to solve their business challenges were in fact the potential answer to a problem I encountered six years into serving as a privacy leader. Before I share my tips on building sustainable solutions, I thought sharing my personal story on how I learned this lesson could provide some helpful context.
I was fortunate to learn how to be a privacy leader from an amazing leader, lawyer, counselor, philosopher and friend. He had the vision and the courage of his convictions to lead us to develop a global privacy and protection policy that would set a baseline standard for governance and protection of data across our business globally. Over two years, he persuaded all areas of the organization on the business value of the approach. Over the next thirteen years, only the proliferation of breach notification laws and a mega-merger would necessitate a few substantive changes to that policy.
The surprise to me was the sustainability of the policy given the frequency with which new privacy laws continued to be enacted. Regardless of how often the laws continued to change, the policy always provided the basis for complying with the substantial majority of any new legal and regulatory requirements. The best evidence of that policy’s sustainability, as evidenced by its ability to address even the latest developments in global privacy standards, is that earlier this year, it ultimately became the basis for the first EU approval of a company’s binding corporate rules (BCRs) that were based on a program previously certified by TRUSTe as compliant with the APEC Cross-Border Privacy Rules (CBPR) system.
While we were able to develop a sustainable policy all of those years ago, we were less fortunate in dealing with the rapidly growing number of initiatives that moved from paper to automation to cloud computing to data analytics. Six years into running a global privacy program primarily off of email, documents and spreadsheets, we made our first attempt at using technology to automate some of our workflows. After piloting a number of approaches over the next five years, we concluded that the only way to really serve the business efficiently and effectively over time was to build an integrated privacy management platform that would allow us and business teams to readily determine the risks of a particular technology or business process at any point in its lifecycle. Put simply – build sustainable solutions. Here are some tips to help you develop your own approach.
2. Build sustainable solutions. Not all organizations are ready to put robust, sustainable solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are beginning to move up the maturity curve toward repeatable, defined, managed and optimized.
a. Business is not static. Regardless of an organization’s privacy and data governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.
b. Privacy regulation is unlike any other regulatory area. Because data about people can be generated in so many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep – privacy and data protection requirements can be enforced by many different types of regulators, and in some cases by private parties as well. In this complex regulatory environment, the privacy leader, as well as others in the business, legal and compliance functions, need to be able to demonstrate accountability and compliance upon request at any point in time.
c. Good governance and technology solutions. Good governance and clearly documented roles and responsibilities are critical not only to putting a program in place, but also to enabling it to be implemented effectively and to mature over time. Technology solutions support these goals as well. Other business functions that rely on data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics. Privacy and data governance programs can be made sustainable through technology solutions that facilitate creating a data processing inventory, evaluating associated risks, documenting mitigating controls, identifying changes, managing potential incidents and demonstrating what is in place and its effectiveness. While this can be a substantial undertaking, investment in modular solutions tailored to an individual company’s culture and maturity can enable an organization to manage privacy much more effectively, so that the privacy leader can focus on tackling new and emerging issues.
In summary, sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value – a concept we’ll explore further in my final post in this series.