How the pandemic has impacted on data protection & privacy
It’s been a long 11 months and we’ve spent far too much time discussing Covid.
We all face challenges beyond deciding what box set to watch. Not least figuring out how to navigate the decisions and finely balanced judgements relating to the use of personal data in this new Covid environment.
Whether it’s clinical trials, track and trace, workforce safety or working from home, there’s always a judgement to be made about the use of personal data. This is made more sensitive by the use of Special Category data.
It’s no exaggeration we face existential data protection questions.
- How can we rapidly develop an effective vaccine whilst minimising the use of personal data?
- How can we stop the spread of Covid if we don’t have an effective track and trace scheme?
- How do we protect workforce colleagues if we don’t have a handle on who is ill and who is well?
It’s a minefield and it’s forcing a national conversation about how our personal data is being processed. What has this conversation revealed?
1. Attitudes to personal data does vary at home and worldwide
We look at what has been in achieved in South Korea with a mixture of envy and slight bemusement. The measures taken to suppress Covid have been successful but at what cost in terms of privacy?
The Korean authorities use phone data, surveillance cameras and credit card histories to track and isolate Covid sufferers.
Could that happen here? Unlikely as most Europeans wouldn’t accept that level of intrusiveness.
We know people have different attitudes to privacy and data. Some original research conducted by Alan Westin in 1960’s identified three groups:
a) The Pragmatists – will make trade-offs depending on the service or enhancement of service offered
b) The Fundamentalists – are unwilling to provide personal information even in return for service enhancement
c) The Unconcerned – are unconcerned about the collection and use of personal data
These varied attitudes do need to be accommodated in data and privacy communications. Not everyone is a pragmatist. And this challenge is compounded by social media serving to amplify and polarise some extreme or misinformed points of view.
2. Building trust and transparency is absolutely essential
Trust and transparency is at the heart of Data Protection legislation. There’s a myriad of examples to show that if communication is not crystal clear then trust is eroded, which results in lower levels of engagement. The debate about the original track and trace app is a case in point.
Putting politics to one side – do we trust a politician or a clinician to explain the intricacies of track and trace or the detailed processes followed to develop the vaccine?
I’ve found myself more drawn to Professor Tim Spector at Kings College London rather than Matt Hancock, when they publish their latest updates or opinions. Trust counts and ensuring we get a full explanation without any embellishments or strategic omissions is important.
The first track and trace app left a legacy of distrust relating to the use of personal data because there was ambiguity around the proposed future use of personal data. The appointment of Dido Harding (who was CEO at Talk Talk when they had a huge data breach) to lead track and trace didn’t inspire confidence in some quarters.
In the UK and the rest of Europe establishing track and trace has been a struggle and one of the reasons has been a reluctance by individuals to share personal data. Rumours this data was to be shared with the police did not help.
Latest data shows that it’s been downloaded 20.9m times. Not exactly blanket coverage. Is this a trust issue or an inherent resistance to comply? Likely a bit of both.
I wrote this assessment of the latest track and trace app
3. Sharing data for public health purposes is a good thing
Using data for public health purposes obviously involves a higher level of data protection risk but the research community and NHS know this. The fact is clinicians understand the importance of treating data with care and have been doing so with appropriate safeguards for many years.
It’s worth noting the introduction of the emergency COPI Regulations have allowed the government to share more data than would have been possible in the past. Overall, given the care that NHS takes with personal data and the potential upside in quashing the pandemic, this feels like a good thing.
It’s no co-incidence there are greater levels of trust in Health care providers than other institutions, at 57% whilst trust in social media platforms are at the bottom of the pile at 28%. It’s also interesting that across the board around 25-30% of the population are neutral – they don’t really care. (Source: EY Global Consumer Privacy Survey 2020).
It’s noteworthy that the government has just published the National Data Strategy as well as the Health White Paper which both highlight that they’d like more sharing of data for the greater good.
Intellectually this is sensible, but it will not happen by magic. Trust needs to be built in order to facilitate data sharing. The politicians need to be careful that they don’t pollute that hard earned trust by playing fast and loose with data.
4. Need to risk assess use of employee data
It is self-evidently obvious individual businesses have a duty of care to their workforce and to their customers. This may result in the introduction of measures to manage the Covid risk which could appear intrusive or would disadvantage the employee.
Would you notify HR that you had Covid if there was a need to self-isolate with no pay? How about taking an employee’s temperature when entering the office? Or being asked to take a Covid test?
Where is that data kept, how long is it kept for, who can see that data? Will employees have to disclose whether they have had the vaccine or not?
There have been companies who have stated that employment is contingent on having a vaccine – is this fair? In all these instances, it makes sense for the employer to carry out a risk assessment.
My colleague Simon Blanchard wrote this useful piece: Are you monitoring staff health during Covid-19?
5. Working from home presents data protection and privacy risks
Overnight, large swathes of the workers were asked to work from home. Inevitably the security arrangements in place may not be so robust as the office.
Is your device secure? Is it encrypted? Do you have a secure VPN? Do you use two-step authentication?
Given so many people are no longer in the office and may never go back, Enterprise IT teams have to attempt to replicate the security in the workplace at home.
My colleague Phil Donn has written a comprehensive Covid 19 Data Protection guide.
Julia Porter, February 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.