In recent years the rights and protections of the individual as it relates to the collection of personal data - both as a citizen and as a worker - have become far more robust and user-centric. This is in part due to the EU's introduction of GDPR, which set a new standard for data collection and privacy.
Whilst the GDPR is an EU-specific agenda, the impact of its implementation has been felt globally, as international firms wanting to transact with citizens in Europe have also had to fall into line.
And whilst the principles of GDPR clearly still stand (it is still the law), it can't be denied that the COVID-19 pandemic has created a whole new set of use cases for what may be considered "specified, explicit and legitimate" data collection.
For example, just a few months ago it would have seemed wild to many that governments would be openly talking about and pursuing a strategy of creating tracing apps for citizens - and citizens happily accepting that. Or that employers would be collecting data on your health, your family's health, your whereabouts in the workplace, device data and who you come into contact with. Or even having to hand over data and register your details to have a drink in a pub or eat a meal at a restaurant.
However, all of these data collection use cases are not only reality for many, but are being actively encouraged and happily accepted. And that's because the data collection trade off has changed for people.
As freedoms are restricted due to lockdown and as health concerns stay front of mind for people, the willingness to hand over extremely personal data to governments, employers and businesses has no doubt increased. Just a few months ago the idea of giving a bar or restaurant your email address, telephone number, recent health history and personal details to have a drink or meal would have seemed outrageous.
The dynamic has shifted considerably and new precedents are being set for what is ‘appropriate, excessive or lawful'.
Keep data privacy front of mind
The intention of this post isn't to suggest that some of the use cases outlined above aren't appropriate or shouldn't be happening, but rather to outline some considerations for organisations and to flag tensions that may arise down the line.
We all have a role to play in reducing the impact of COVID-19 and some of this will involve the collection of personal data. However, what data is collected should be kept to a minimum, should be used for discrete and specific purposes, and should be regularly reassessed as the situation changes.
If you're in charge of managing data privacy within your organisation, here are some useful tips or questions to ask as new use cases arise. We are considering this within the context of GDPR, given it is the ‘gold standard' at the moment for data protection regulation, but these principles could be applied anywhere. They include:
Carry out a DPIA - To show that your processing of data is compliant according to GDPR, you need to be able to demonstrate your compliance. One way to do this is through a data protection impact assessment (DPIA). Organisations collecting new data for new purposes should consider conducting a DPIA, which sets out (according to the ICO): the activity being proposed; the data protection risks; whether the activity is necessary and proportionate; and mitigating actions that can be put in place to counter the risks.
Be transparent - Whilst there's a level of urgency to put plans in place to continue operating within a ‘new normal', organisations should still be as transparent as possible with employees and/or customers. Make information about what data you're collecting and why easily accessible. Explain how the data is being collected, for what purpose, where it will be obtained, the length of time it will be held and how people can get it erased.
Be careful how the data is shared - Given that some of the new data being collected is likely to be very personal, organisations not only need to consider their own privacy and security practices, but the privacy and security practices of any other organisations that they may be sharing it with. For example, it may be necessary to share the personal data with third parties for processing (such as IT service or cloud providers). This should obviously be limited as much as possible, but when necessary should be done knowing the practices and measures put in place by the third party providers. Don't assume anything.
Just because you can, doesn't mean you should - Whilst consumers and employees may be more willing to share more data than ever before, this doesn't mean that all data that could be collected should be. Think about what your organisation's requirements are to ensure compliance and safety, and then think about what the minimum requirements for data collection are to meet those.
Keep disclosure details to a minimum - Organisations may find it necessary, or be required, to share with employees or customers that someone within their ‘remit' has tested positive for COVID-19. This may be understandable, but the amount of data being shared should be kept to a minimum (don't include names, for example). The person who tested positive for COVID-19, should also be made aware first that some of their details are being shared with others.
Have an exit plan in place - Although we are still very much in the midst of the crisis, with any luck at some point in the not too distant future an exit strategy will become clear. Be transparent with those you're collecting data from what your plan is for once that data collection is no longer necessary. Will you delete the data? When will it be deleted? What needs to happen in relation to the pandemic for your exit strategy to be triggered?
There are likely more points to be considered that I haven't thought of, so this list will be dynamic and updated as and when new advice comes to my attention. However, the whole point of this article isn't to say ‘data collection is bad', but rather that data collection should be proportionate and users should still be protected - despite the extraordinary circumstances. Organisations need to be held accountable for their actions. Being clear, thoughtful and transparent about your actions as an organisation makes that significantly easier for the long-term.