Data Privacy and COVID-19: What You Need to Know
Offering personal information today to help eradicate COVID-19 should not result in a loss of data privacy in the future
During the current COVID-19 pandemic, data is the thread that connects everyone everywhere. Most of that data is personal; that’s why it is important to know whether your data is secure. Here is how COVID-19 affects data privacy and security.
- States are gaining the power to expand oversight of our activities and health conditions. For example, take Taiwan and its mandatory blanket monitoring of cellphones to detect quarantined citizens. Spain launched an app for tracking public health, in which individuals were asked to record their daily temperature to help map the spread more accurately and provide support for cases early on.
- Private businesses are using data through apps, including health history, temperature, telephone number and name, to support rapid research in the fight against this disease.
- Individuals are providing personal data to private and public sectors for helping monitor, locate and eradicate COVID-19. Through monitoring our temperature daily, we enable health providers to quickly recognize and address cases that may be positive for coronavirus. This analysis of mass data also allows more precise mapping of the distribution and localization of root causes. But we also share more personal data than usual with our employers to ensure that we can continue to work, as well as with other private companies that contribute to COVID-19 research.
Being humans, we are playing our role, making a trade-off between our safety and data privacy. And that is rightly so. Not sharing your personal data today could lead to deaths, and it seems appropriate not to worry about our privacy because our lives depend on sharing personal data.
However, this is an exceptional circumstance and a clear purpose, neither blanket permission nor an admission of our willingness to give up our privacy rights.
Data Protection During COVID-19
There is rightly a concern that the potential for data privacy loss after this crisis is not being reversed.
Several examples across history have shown that while the state is good at grabbing forces, it is usually prolonged to let them go once they are caught.
To prevent the future loss of data privacy, this exercise for the exchange of personal data across the community needs to be recognized within the barriers of consent.
The consent principle provided for in the General Data Protection Regulation (GDPR) must prevail. We volunteer our data to combat COVID-19 for the SOLE PURPOSE.
The principles outlined in Article 5(1) of the GDPR text must be abridged by. Failure can get companies to huge GDPR penalties. These require that personal data will be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);”
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
(c ) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);”
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);”
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
In this particular situation, we provide our data for the sole purpose of combating this virus (“purpose limitation”). We do not expect our data to be used illegitimately and require an understanding of what it is being used for (“lawfulness, fairness and transparency”).
Also, surveillance measures should only collect and analyze data relevant and necessary for this purpose, such as phone GPS tracking and drones. And we expect our data to be protected from unauthorized access at all times (integrity and confidentiality).
We have also seen a huge spike in the use of VPNs and other tools in many countries. This shows that many people want to keep their identity anonymous on the internet.
Work on Data Privacy After COVID-19
After this crisis is resolved, data privacy research must allow individuals to understand who has their data, where it is and why they have it, and to exercise their rights to the data topic.
Some of the work required is:
- Taking stock of which data is stored when the information is shared during the coronavirus crisis, compared to the market exercise that was conducted before GDPR came into practice. Public and private agencies currently collecting data from individuals would need to take inventory of data held by data subjects during the coronavirus outbreak (both structured and unstructured data) to ensure it conforms to the principles of storage limitation, integrity, accuracy and confidentiality.
- Seeking the consent of individuals. Both public and private agents will have to ensure consent is in place for any personal data held and should be collected again where uncertain. At the moment, all government and private corporations are granted tacit permission to access and use the data of individuals to combat COVID-19. In these conditions, exceptional powers given by parliament and the voluntary submission of data by individuals are deemed necessary. Nonetheless, there will be a need in the aftermath to gather explicit consent from users to continue keeping and/or using collated data, particularly when the intent changes.
- Allowing the exercise of data rights by individuals; Individuals should be allowed to exercise their right to erasure, be deleted, rectify, etc. any data obtained during this crisis to combat the coronavirus.
With artificial intelligence technologies proliferating and data being a primary source of profit in the years to come, the security of data privacy and the right of individuals to decide about the use of their own data should be high on everyone’s agenda.
Regardless of the case, we should still ask for mechanisms to recover our data and check our consent. One such example is COVID-19, where our willingness to relax our data privacy requirements is timely and for a given purpose.
