June 3rd 2020
Networks engineer, free speech advocate, political animal
The surreal images of empty streets and planes being turned around mid-air because of COVID-19 cast a dystopian shadow across the world.
Amidst this confusion and worry, scientists are advising governments on best practices in managing the pandemic. This takes data, and lots of it, including sensitive health data; this is essential to feed the models to give us insight into disease transmission and effective management tactics.
During times of emergency, like the current COVID-19 (aka Coronavirus) outbreak, is it ‘fair enough’ to remove the barriers we have built around data privacy?
Privacy: Lost, Found, Lost Again?
The words from a Joni Mitchell song, “you don’t know what you’ve got till it’s gone”, reverberate with privacy professionals the world over. The work to build awareness of privacy has been long and arduous.
Privacy is delicately balanced against the rights of the individual and the needs of commerce and government.
Out of this research, careful thought, and, quite honestly, privacy violations by tech giants, have come certain truths:
Privacy is a good thing for business. Intrinsic in the development of relationships is trust. Trust is something that is built over time by demonstrating that a relationship is trustworthy.
Privacy is a two-way street; you scratch my back and I’ll scratch yours. It has taken a long time for privacy to become normalized as something that is important.
Perhaps one of the reasons why it has taken so long is that privacy and security are often seen as the same thing. Whilst they are intrinsically linked (you need robust security to enable certain aspects of privacy), they are not the same.
It has been major privacy-related events that have tipped the ideology of privacy over from the world of academics to the general public. Privacy violations by Google, for example, have been well-known for many years.
Which brings us to the unprecedented place we find ourselves in today. Does there need to be a relaxation of privacy rights during emergencies like COVID-19, and if so, how can we ensure our privacy rights once an emergency is over?
What’s Happening Regarding Data Privacy and COVID-19
COVID-19 has already started to have an impact on privacy, especially with regard to dealing with sick leave and employee data. The COVID-19 situation, of course, also means that health data is often linked to the travel data of the individual in question.
Norway: Datatilsynet (Norwegian Supervisory Authority (SA)) has deemed that data collected from certain individuals, for example, those in quarantine, should not be classified as health data to avoid special data categorization.
The Norwegian SA has attempted to create some privacy for employees who are required to report their circumstances to employers.
Denmark: Has implemented a similar approach to employee data that describes their status regarding COVID-19. The Danish SA, however, imposes a strict criterion of justification of data sharing and minimization of data in these circumstances.
So far, certainly in many parts of the world, data collection has remained pragmatic. What we need to keep in mind is: but what if…
What Can Happen If…
COVID-19, or the Coronavirus, has the potential to set a precedent around the relaxation of privacy. The pandemic requires a lot of data to be shared for management of the virus and general business needs.
These data are not just sensitive health data; tied up in the whole package of the individual the data describes, there is also location data, work practices, even behavioral data. What happens if these data are not protected?
I always like to look back at history as it provides a lens on human behavior. This is especially useful for determining worst-case scenarios under conditions such as conflict or emergencies. Asking “what happens if” is a useful way to model the misuse and privacy violations that can happen to data in our modern, digital world.
In the world of digital data, we have seen what happens when privacy is ignored. The Facebook/Cambridge Analytica debacle where data was shared for political purposes is a case in point.
But so what? If you have nothing to hide, you shouldn’t be afraid? Surely, sharing data for the sake of humankind’s health and safety should be welcomed?
Whilst we do need to ensure that scientists have enough data to create accurate predictions, we need to do so in a privacy-respectful manner using appropriate technologies, like anonymization/pseudonymization and/or data minimization.
It may well be too late to enforce this in some cases, but as the pandemic continues, awareness of privacy should not be forgotten.
A Small Case Study in the UK
In the UK, there are a lot of local groups appearing to coordinate volunteers to help out people who are in lockdown. This is amazing and gives me faith in humankind. However, to volunteer, you need to give some personal details. I have seen two types of forms:
Required a full gamut of data including name, address, email address, date of birth, and telephone number. No consent to share was offered.
Required a more minimal amount of data: email address, telephone number, and name. An opt-in consent to share was offered with a warning that data would be shared with third parties.
Both forms represent the same end task. One collected the bare minimum data to take the project to the next step. The other collected a larger data set which would require more work to protect.
I realize that in a situation like this groups will have varying levels of understanding of the sanctity of data privacy; however, this is why education on the matter and understanding that privacy counts is important, even during a pandemic.
It took a long time to reach the privacy tipping point. If we just accept a loss of privacy for our health, let that be a temporary thing and not a choice between privacy and health.